An Overview of OAuth Grant Types and Flows

Introduction

OAuth is an industry-standard framework for delegated authorization. “Delegated” is the keyword here: the user delegates access to an application rather than handing over their own credentials, and that access is scoped, which gives finer-grained access control. In this post, I will explore the different OAuth grant types, also known as OAuth flows, that are used to obtain access tokens. The goal of these grant types is to make access token acquisition both secure and efficient.

Common OAuth Grant Types:

  • Authorization Code
  • Authorization Code with PKCE
  • Client Credentials
  • Device Grants
  • Refresh Token Flow

Legacy Flows:

  • Implicit Flow
  • Password Flow

Authorization Code

Use Case:
Web applications and browser-based applications where users can give consent to allow or deny access to the resource.

Flow:

  1. The end user uses a browser (front-end channel) to access the resource.
  2. The end user’s browser calls the authorization server, requesting an authorization code (a temporary code) and providing a redirect URL to deliver it to.
  3. The authorization server validates the user’s credentials (optionally asks the user to give consent for the requested scope) and sends the authorization code to the redirect URL.
  4. The front end sends the authorization code to the backend application.
  5. The backend application interacts with the authorization server to obtain an access token by sending the valid authorization code and client credentials (Client ID and Client Secret).
  6. The authorization server sends back the access token to the backend application if all the details provided are valid.

Authorization Code with PKCE

Use Case:
Mobile applications and single-page applications (for example, one written in ReactJS), where the application cannot protect a client secret. Clients of this type are called public clients.

Flow:

  1. The end user uses a browser (front-end channel) to access the resource.
  2. The end user’s browser calls the authorization server, requesting an authorization code (a temporary code) and providing a redirect URL. Additionally, the client app creates a secret known as the code verifier, hashes it with SHA-256, and sends the hash to the authorization server as the code challenge in the same request.
  3. The authorization server validates the user’s credentials (optionally asks the user to give consent for the requested scope) and stores the code challenge internally.
  4. The client app, with no backend channel, sends the authorization code and the code verifier to the authorization server, requesting an access token.
  5. The authorization server sends back the access token if the authorization code is valid and hashing the presented code verifier reproduces the stored code challenge.
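To make the two preceding flows concrete, here is an added example (written for this post, not code from the original author or from any OAuth library) that simulates both variants in memory: a confidential web backend that authenticates with its client secret, and a public SPA that uses a PKCE code verifier and challenge. The client IDs, secrets, redirect URIs and endpoint names are constructed for the demo. It also shows two checks the steps above imply but do not spell out: the client verifies the `state` it sent before using the code on the callback, and the server treats each authorization code as single-use.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(data):
    """Base64url without padding, the encoding PKCE uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce_pair():
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, b64url(hashlib.sha256(verifier.encode()).digest())


class AuthorizationServer:
    """Toy authorization server holding registered clients and one-time codes."""

    def __init__(self):
        # Constructed registrations: the web backend has a secret, the SPA has none.
        self.clients = {
            "web-backend": {"secret": "s3cret-web", "redirect_uri": "https://app.example/cb"},
            "spa-client": {"secret": None, "redirect_uri": "https://spa.example/cb"},
        }
        self.codes = {}  # authorization code -> details captured when it was issued

    def authorize(self, query):
        """GET /authorize, reached after the user authenticated and consented.
        Returns the redirect URL carrying the authorization code and the client's state."""
        client = self.clients[query["client_id"]]
        if query["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match the registered value")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "redirect_uri": query["redirect_uri"],
                            "code_challenge": query.get("code_challenge"),
                            "scope": query.get("scope", "")}
        return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form):
        """POST /token for grant_type=authorization_code."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
        if record is None or record["client_id"] != form.get("client_id"):
            return {"error": "invalid_grant"}
        if record["redirect_uri"] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        client = self.clients[record["client_id"]]
        if client["secret"] is not None:
            # Confidential client: must present its client secret (constant-time compare).
            if not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
                return {"error": "invalid_client"}
        if record["code_challenge"] is not None:
            # PKCE: SHA-256 of the presented verifier must reproduce the stored challenge.
            presented = b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
            if not hmac.compare_digest(presented, record["code_challenge"]):
                return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"]}


def parse_callback(redirect_url, expected_state):
    """Client side: verify the state on the callback before using the code."""
    params = parse_qs(urlparse(redirect_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to our request")
    return params["code"][0]


def spa_flow(server, tamper_verifier=False):
    """Public client (SPA): PKCE and no client secret. Returns the token response."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    redirect = server.authorize({"response_type": "code", "client_id": "spa-client",
                                 "redirect_uri": "https://spa.example/cb", "scope": "profile",
                                 "state": state, "code_challenge": challenge,
                                 "code_challenge_method": "S256"})
    code = parse_callback(redirect, state)
    if tamper_verifier:
        verifier = make_pkce_pair()[0]  # a verifier that does not match the stored challenge
    return server.token({"grant_type": "authorization_code", "code": code,
                         "client_id": "spa-client", "redirect_uri": "https://spa.example/cb",
                         "code_verifier": verifier})


def backend_flow(server, client_secret="s3cret-web"):
    """Confidential client (web backend): code plus client secret. Returns the first
    token response and the response to replaying the same code."""
    state = secrets.token_urlsafe(16)
    redirect = server.authorize({"response_type": "code", "client_id": "web-backend",
                                 "redirect_uri": "https://app.example/cb", "scope": "profile",
                                 "state": state})
    code = parse_callback(redirect, state)
    form = {"grant_type": "authorization_code", "code": code, "client_id": "web-backend",
            "redirect_uri": "https://app.example/cb", "client_secret": client_secret}
    return server.token(form), server.token(form)
```

Calling `spa_flow(AuthorizationServer())` returns a token response, while `spa_flow(server, tamper_verifier=True)` is refused with `invalid_grant` because the verifier no longer hashes to the stored challenge; `backend_flow` shows the second use of the same code failing, which is what stops a leaked code from being redeemed twice.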

Client Credentials Flow

Use Case:
This flow is used for machine-to-machine access with no human involvement. In this flow, the machine can protect the client credentials.

Flow:

  1. The machine requests access to the protected resource.
  2. The machine calls the authorization server with client credentials (Client ID and Client Secret) requesting an access token.
  3. The authorization server sends the access token back to the caller if all the details provided by the requester are valid.
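The client credentials exchange in those three steps is a single token-endpoint request. The following added example (not from the original post or any library) builds that request the way a machine client would, authenticating with HTTP Basic (the `client_secret_basic` method) and a form body, and pairs it with a toy token endpoint that verifies the credentials in constant time and refuses any scope the client was not registered for. The client ID, secret and scopes are constructed for the demo.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode


def build_token_request(client_id, client_secret, scope):
    """Machine client side: HTTP Basic client authentication plus the grant form body."""
    # RFC 6749 form-urlencodes the id and secret before base64-encoding "id:secret".
    credentials = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(credentials).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


class TokenEndpoint:
    """Toy token endpoint: authenticates the client and caps scope at its registration."""

    def __init__(self):
        # Constructed registration: one batch job, allowed only to read inventory.
        self.clients = {"inventory-batch": {"secret": "b4tch-s3cret",
                                            "allowed_scopes": {"inventory:read"}}}

    def authenticate(self, headers):
        """Return the client_id if the Basic credentials match, otherwise None."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode()
            raw_id, raw_secret = decoded.split(":", 1)
        except (ValueError, UnicodeDecodeError):
            return None
        client_id, secret = unquote(raw_id), unquote(raw_secret)
        client = self.clients.get(client_id)
        # Compare against a dummy for unknown clients so timing does not reveal which IDs exist.
        expected = client["secret"] if client else "x" * 16
        if hmac.compare_digest(expected.encode(), secret.encode()) and client:
            return client_id
        return None

    def handle(self, headers, body):
        client_id = self.authenticate(headers)
        if client_id is None:
            return {"error": "invalid_client"}
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != "client_credentials":
            return {"error": "unsupported_grant_type"}
        requested = set(form.get("scope", "").split())
        if not requested <= self.clients[client_id]["allowed_scopes"]:
            return {"error": "invalid_scope"}
        # No refresh token is issued here: a machine client can simply authenticate again.
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": " ".join(sorted(requested))}


def request_token(endpoint, client_id, client_secret, scope):
    """Drive the whole exchange: build the request and submit it to the endpoint."""
    headers, body = build_token_request(client_id, client_secret, scope)
    return endpoint.handle(headers, body)
```

Because no human is involved, the only thing standing between an attacker and a token is the client secret, which is why this flow is reserved for clients that can keep it out of source code and logs, and why the endpoint limits each client to the scopes it was registered for rather than whatever it asks for.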

Device Flow

Use Case:
CLI tools and IoT devices (e.g., a TV) that have no browser and cannot protect a client secret.

Flow:

  1. The device requests access to the protected resource.
  2. The client calls the authorization server, requesting an access token and indicating the device code flow as one of the request parameters.
  3. The authorization server responds with a verification URL and a user code, which the user will use to authenticate.
  4. The user (human) opens the verification URL in a browser, enters the user code, and authenticates.
  5. The authorization server provides the access token to the device once the user has authenticated and approved the request.
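Because the device cannot receive a redirect, steps 2 to 5 happen as two separate interactions that the authorization server has to correlate: the device polls the token endpoint while the user approves in a browser elsewhere. The added example below (written for this post, not code from the original author or from any OAuth library) simulates that state machine in memory, including the `authorization_pending`, `slow_down`, `access_denied` and `expired_token` responses a device must handle. The verification URI, client ID and lifetimes are constructed for the demo, and a fake clock replaces real sleeping so the whole exchange runs instantly.

```python
import secrets


class FakeClock:
    """Constructed clock so the demo runs deterministically without sleeping."""

    def __init__(self):
        self.t = 1000.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DeviceAuthorizationServer:
    USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"  # no vowels or look-alikes: easier to type from a TV screen
    INTERVAL = 5      # minimum seconds between polls
    LIFETIME = 600    # device code expires after 10 minutes

    def __init__(self, clock):
        self.clock = clock
        self.pending = {}  # device_code -> record

    def device_authorization(self, client_id, scope):
        """Steps 2 and 3: the device asks for codes; the server returns what to show the user."""
        device_code = secrets.token_urlsafe(32)
        raw = "".join(secrets.choice(self.USER_CODE_ALPHABET) for _ in range(8))
        user_code = raw[:4] + "-" + raw[4:]
        self.pending[device_code] = {"client_id": client_id, "scope": scope, "user_code": user_code,
                                     "decision": None, "expires": self.clock.now() + self.LIFETIME,
                                     "last_poll": None}
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://auth.example/device",
                "verification_uri_complete": f"https://auth.example/device?user_code={user_code}",
                "expires_in": self.LIFETIME, "interval": self.INTERVAL}

    def user_decides(self, user_code, approve):
        """Step 4: the human, authenticated in a browser, enters the code and approves or denies."""
        for record in self.pending.values():
            if record["user_code"] == user_code.upper() and record["expires"] > self.clock.now():
                record["decision"] = "approved" if approve else "denied"
                return True
        return False  # unknown or expired code: the browser is not told which

    def token(self, client_id, device_code):
        """Step 5: the device polls the token endpoint with the device_code grant."""
        record = self.pending.get(device_code)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        now = self.clock.now()
        if now >= record["expires"]:
            del self.pending[device_code]
            return {"error": "expired_token"}
        if record["last_poll"] is not None and now - record["last_poll"] < self.INTERVAL:
            record["last_poll"] = now
            return {"error": "slow_down"}  # client must back off before polling again
        record["last_poll"] = now
        if record["decision"] is None:
            return {"error": "authorization_pending"}
        del self.pending[device_code]  # exactly one outcome per device code
        if record["decision"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "scope": record["scope"], "expires_in": 3600}


def run_device_flow(clock, server, approve=True, delay=10):
    """Drive the exchange: device requests codes, polls, the user decides, the device polls again."""
    issued = server.device_authorization("tv-app", "playback")
    first_poll = server.token("tv-app", issued["device_code"])   # user has not acted yet
    too_fast = server.token("tv-app", issued["device_code"])     # polled again within the interval
    clock.advance(delay)
    server.user_decides(issued["user_code"], approve)
    clock.advance(server.INTERVAL)
    final = server.token("tv-app", issued["device_code"])
    return first_poll, too_fast, final
```

The user code is deliberately short and drawn from an unambiguous alphabet because a human has to transcribe it from a screen with no keyboard; the device code that the client polls with is long and random, and is the only value that can ever be exchanged for a token.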

Refresh Token Flow

Use Case:
The refresh token flow is used to exchange a refresh token for a new access token.
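The refresh exchange is a token-endpoint request with `grant_type=refresh_token`. The added example below (written for this post, not code from the original author or from any OAuth library) goes a step beyond the one-line description: besides handing back a new access token, it rotates the refresh token on every use and, if a refresh token is ever presented a second time, revokes the whole chain of tokens descended from the original grant, since a second use means a copy exists somewhere it should not. It also allows a refresh to narrow the scope but never widen it. Client IDs, scopes and lifetimes are constructed for the demo.

```python
import secrets


class TokenService:
    """Toy token service: short-lived access tokens, rotating refresh tokens, reuse detection."""

    ACCESS_LIFETIME = 900  # 15 minutes; the refresh token is what keeps the session alive

    def __init__(self):
        self.refresh_tokens = {}  # refresh_token -> {client_id, scope, family, used}

    def issue(self, client_id, scope, family=None):
        """Return a token response; a new family starts when the original grant is issued."""
        refresh = secrets.token_urlsafe(32)
        self.refresh_tokens[refresh] = {"client_id": client_id, "scope": scope,
                                        "family": family or secrets.token_hex(8), "used": False}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": self.ACCESS_LIFETIME, "refresh_token": refresh, "scope": scope}

    def _revoke_family(self, family):
        for tok in [t for t, r in self.refresh_tokens.items() if r["family"] == family]:
            del self.refresh_tokens[tok]

    def refresh(self, client_id, refresh_token, scope=None):
        """grant_type=refresh_token: rotate the refresh token and return a fresh access token."""
        record = self.refresh_tokens.get(refresh_token)
        if record is None or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if record["used"]:
            # Presented twice: either the client or someone holding a copy replayed it.
            # Revoke every token descended from the same grant so the copy stops working too.
            self._revoke_family(record["family"])
            return {"error": "invalid_grant"}
        original = set(record["scope"].split())
        requested = set(scope.split()) if scope else original
        if not requested <= original:
            return {"error": "invalid_scope"}  # a refresh may narrow scope, never widen it
        record["used"] = True  # kept in the store, marked used, so a replay can be detected
        return self.issue(client_id, " ".join(sorted(requested)), family=record["family"])


def exchange_form(service, form):
    """Dispatch a token-endpoint form (as a dict) for the refresh_token grant."""
    if form.get("grant_type") != "refresh_token":
        return {"error": "unsupported_grant_type"}
    return service.refresh(form.get("client_id", ""), form.get("refresh_token", ""), form.get("scope"))
```

Keeping used refresh tokens in the store rather than deleting them is what makes the replay visible; without that record, a second presentation would simply look like an unknown token and the legitimate session would keep running alongside the stolen one.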

Conclusion

Understanding the different OAuth grant types is crucial for implementing secure authorization in various application scenarios. Each grant type has specific use cases, and selecting the appropriate one ensures both security and efficiency in obtaining access tokens. By following the outlined steps, developers can effectively implement OAuth flows in their applications.

