Overview#

The Authorization Grant requires a grant_type parameters which represents the various Grant Types.

OAuth 2.0 focuses on client developer simplicity while providing specific Grant Types which have associated OAuth 2.0 Protocol Flows.

OAuth 2.0 is a very flexible standard and can be adapted to work in many different scenarios. The core specification describes four Grant Types:[2]

• Abstract Protocol Flow - Is ABSTRACT
• Authorization Code Grant - Authorization Code Grant MUST use PKCE
• Implicit Grant - Deprecated use AppAuth for Mobile Device apps or Authorization Code Grant
• Resource Owner Password Credentials Grant- Deprecated use Authorization Code Grant
• Client Credentials Grant - typically for application access

The OAuth 2.0 specification details a fifth grant, the Refresh Token Grant, which can be used to "refresh" (i.e. get an "new" Access Token which has the same Authorization as the original.

There are other Grant Types that are NOT defined in The OAuth 2.0 Authorization Framework, that have gone through, or are currently in, the IETF ratification process:

• OAuth 2.0 Message Authentication Code (MAC) Tokens
• OAuth 2.0 Device Authorization Grant - Created to enable OAuth 2.0 to be used on devices with no WEB browser such as game consoles and TVs.
• Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants - Enables exchange of SAML V2.0 Assertion for an Access Token (Not in the Core SPec)
• JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants

OpenID Connect#

The OpenID Connect spec provides a nice comparison of the three flows supported, reproduced here in a simplified form.

The flow used is determined by the response_type value contained in the Authorization Request. These response_type values select the following flows