Oauth - Authorization Grant (Resource Owner Authorization|Authorization Credentials)


1 - About

An Authorization Grant is a credential representing the resource owner's authorization to access its protected resources.

The flow of each grant is identified by its grant type, which is:

  • one of the four grant types defined by the specification,
  • or an extension grant type.

The client uses the authorization grant to obtain an access token (except in the implicit flow, where there is no intermediate grant and the access token is issued directly).


3 - Type

The OAuth 2.0 specification defines four grant types:

  • authorization code - preferable - (indirect flow, intermediate credentials, authentication of the client),
  • implicit (indirect flow, no intermediate credentials, no authentication of the client; a flow optimized for clients implemented in a browser using a scripting language such as JavaScript),
  • resource owner password credentials (direct flow: the client has access to the resource owner's credentials during a single request to get a long-lived access token, therefore a high degree of trust between client and resource owner is needed),
  • client credentials (the client is also the resource owner, or an authorization was previously arranged with the authorization server),

as well as an extensibility mechanism for defining additional types.

The authorization grant type depends on:

4 - Management

4.1 - Get

A grant is issued by the authorization endpoint.
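To make the difference between an intermediate grant and a directly issued token concrete, here is an added example (not code from the original page) of a minimal in-memory authorization server: the authorization endpoint issues a single-use, short-lived authorization code bound to the client and redirect URI, the token endpoint authenticates the client and exchanges the code for an access token, and the implicit flow (response_type=token) skips the code entirely. Client ids, secrets and redirect URIs are constructed sample values.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class AuthCode:
    """An authorization code: the intermediate credential of the authorization code grant."""
    client_id: str
    redirect_uri: str
    scope: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    CODE_TTL = 600  # RFC 6749 recommends a short code lifetime (at most 10 minutes)

    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...} (constructed)
        self.codes = {}         # code -> AuthCode
        self.tokens = {}        # access_token -> {"client_id": ..., "scope": ...}

    def authorize(self, client_id, redirect_uri, scope, response_type):
        """Authorization endpoint (resource owner consent is assumed to have happened)."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request")  # never redirect to an unregistered URI
        if response_type == "code":
            code = secrets.token_urlsafe(32)
            self.codes[code] = AuthCode(client_id, redirect_uri, scope, time.time() + self.CODE_TTL)
            return {"code": code}
        if response_type == "token":  # implicit flow: no intermediate grant, token issued directly
            return {"access_token": self._issue_token(client_id, scope), "token_type": "bearer"}
        raise ValueError("unsupported_response_type")

    def token(self, grant_type, client_id, client_secret, code=None, redirect_uri=None):
        """Token endpoint: authenticates the client and exchanges the grant for an access token."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("invalid_client")
        if grant_type != "authorization_code":
            raise ValueError("unsupported_grant_type")
        grant = self.codes.get(code)
        if (grant is None or grant.used or grant.client_id != client_id
                or grant.redirect_uri != redirect_uri or time.time() > grant.expires_at):
            raise ValueError("invalid_grant")  # unknown, replayed, mismatched or expired code
        grant.used = True  # a code is single-use
        return {"access_token": self._issue_token(client_id, grant.scope), "token_type": "bearer"}

    def _issue_token(self, client_id, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"client_id": client_id, "scope": scope}
        return token
```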

security/auth/oauth/grant.txt · Last modified: 2019/04/30 09:23 by gerardnico