In this post, I’ll give a high-level overview of the Client Credentials Grant by example.
The Client Credentials Grant is for obtaining an access token based solely on a client’s credentials, without any user’s involvement. Simply put, the Client Credentials Grant is for machine to machine communication.
In this post, I’ll discuss the Resource Owner Password Credentials (ROPC) grant and when you should use it.
In a ROPC flow, the user gives their credentials directly to the client application, usually by means of a login form over which the client application has complete control. In this flow, the client application does not redirect the user to an authorization server for authentication. Instead, the client application submits a request to the authorization server, passing along the user’s credentials to obtain an access token on behalf of the user. If the client is a confidential client or has been issued a secret, the client also needs to authenticate against the authorization server using its client id and secret when requesting a token.
This is part of a series of posts about OAuth2. In this post, I go over the implicit grant type and how it relates to and differs from the authorization code grant type.
Let’s look at a high-level flow of the implicit grant via an example in which an application recommends movies to a user based on the movies the user’s friends like on Facebook.
For comparison, here’s the flow using the authorization code grant.
As you can see at the surface level, the implicit flow is more or less similar to the authorization code flow, except that it does not have the step of authenticating the client. As we discuss when to choose the implicit grant type vs. the authorization code grant type, we’ll explore other differences between the two flows and see that they are meant for different types of applications.
OAuth2 has become the de facto standard in modern web application security. If you are a front end, back end or mobile developer, chances are you have had to consume or secure protected resources with OAuth2. As such, having a good understanding of OAuth2 is invaluable. When implementing or using OAuth2 in your application, you typically face four different grant types. Knowing the differences between the four grant types and which one to use can be quite confusing. In this blog post series, I go over the different grant types by providing examples. This post is part of the series about OAuth2. In this post, I’ll cover the Authorization Code Grant and when it is appropriate to use it.
If you are not familiar with the jargon, this post may help.