
Clarification of OAuth 2 Grant Types

Been doing some reading regarding OAuth2. So... Authorisation Code Grant: is for users who want to access MY application/API through a third-party application. Example: A user thr

Solution 1:

OAuth2 is used when you want to authorize/delegate access on your resources to a client (third party application).

There are at least 4 actors:

  • The authorization server
  • The client
  • The resource owner
  • The resource server

The application/API is the resource server. It stores and manages all resources of the resource owner.

The client is the party that wants to access those resources. The authorization server is the server that authorizes the client to access the resources by issuing an access token.

  • Authorization Code Grant is designed for confidential clients (able to keep their credentials secured).
  • Implicit Grant is designed for public clients (not confidential clients), especially for scripting-language applications (JS...).
  • Resource Owner Password Credentials Grant is designed for any type of client but assumes that the client knows the password credentials of the resource owner. In general this grant type is dedicated to trusted clients only.
  • Client Credentials Grant allows the client to access its own resources (in this case the resource owner is the client).

The use of the Resource Owner Password Credentials Grant should be avoided; however, it remains a good solution for legacy applications and where there is a trusted relationship between the client, the authorization server and the resource server.
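To make the actors and the two grants the answer recommends concrete, here is an added example (not part of the original answer, and not any real library's API): a toy in-memory authorization server that issues a short-lived, single-use code to a registered client and exchanges it for a bearer token only when the confidential client proves its secret and presents the same redirect URI, plus the client-credentials grant, which it refuses to public clients. The client registry, client IDs, secrets and redirect URIs are constructed values.

```python
"""Toy in-memory OAuth 2.0 authorization server: authorization code grant
(confidential client) and client credentials grant. Constructed example,
not a production implementation and not a real library's API."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed client registry. A confidential client has a secret it can keep;
# a public client (e.g. a browser single-page app) has none.
CLIENTS = {
    "web-app": {"secret": "s3cret-web", "redirect_uris": ["https://app.example/cb"], "confidential": True},
    "spa": {"secret": None, "redirect_uris": ["https://spa.example/cb"], "confidential": False},
}

_codes = {}   # authorization code -> {client_id, redirect_uri, user, expires}
_tokens = {}  # access token -> {client_id, user, scope}


def authorize(client_id, redirect_uri, user, state):
    """Authorization endpoint, called after the resource owner has authenticated
    and consented. Returns the redirect URL carrying a short-lived, single-use
    code and the client's opaque state so the client can bind the callback to
    the request it started."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise ValueError("unknown client or unregistered redirect_uri")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "user": user, "expires": time.time() + 60}
    return f"{redirect_uri}?code={code}&state={state}"


def _authenticate_client(client_id, client_secret):
    """Confidential clients must present their secret; public clients cannot."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
    return client


def _issue_token(client_id, user, scope):
    token_value = secrets.token_urlsafe(32)
    _tokens[token_value] = {"client_id": client_id, "user": user, "scope": scope}
    return {"access_token": token_value, "token_type": "Bearer", "expires_in": 3600}


def token(grant_type, client_id, client_secret=None, code=None, redirect_uri=None, scope="read"):
    """Token endpoint: authenticates the client, then handles the grant type."""
    client = _authenticate_client(client_id, client_secret)
    if client is None:
        return {"error": "invalid_client"}
    if grant_type == "authorization_code":
        entry = _codes.pop(code, None)  # pop makes the code single use
        if entry is None or entry["expires"] < time.time():
            return {"error": "invalid_grant"}
        # The code is bound to the client and redirect URI it was issued for.
        if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant"}
        return _issue_token(client_id, entry["user"], scope)
    if grant_type == "client_credentials":
        if not client["confidential"]:
            return {"error": "unauthorized_client"}
        # No resource owner: the client acts on its own resources.
        return _issue_token(client_id, None, scope)
    return {"error": "unsupported_grant_type"}


def introspect(access_token):
    """What the resource server would learn about a presented token."""
    return _tokens.get(access_token)


def parse_callback(url):
    """Client side: pull code and state out of the redirect it received."""
    q = parse_qs(urlparse(url).query)
    return q["code"][0], q["state"][0]


def run_authorization_code_flow(user="alice"):
    """End-to-end walk through the authorization code grant for the web-app."""
    state = secrets.token_urlsafe(16)
    url = authorize("web-app", "https://app.example/cb", user, state)
    code, returned_state = parse_callback(url)
    if not hmac.compare_digest(state, returned_state):
        raise RuntimeError("state mismatch: callback does not belong to this request")
    return token("authorization_code", "web-app", "s3cret-web",
                 code=code, redirect_uri="https://app.example/cb")


if __name__ == "__main__":
    print(run_authorization_code_flow())
```

The server keeps the three checks the answer's distinction between confidential and public clients hinges on in one place: the client secret comparison in `_authenticate_client`, the one-time pop of the code, and the match of client and redirect URI against what the code was issued for. The implicit and password grants the answer mentions are deliberately not implemented here.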
