Which OAuth Grant Type should we Choose
The OAuth 2.0 is an industry standard protocol for access delegation. This well known authorization framework is widely used over variety of applications. The OAuth grant types play a major role to accomplish that by adhering to the required security aspects with respect to the variety of applications. The proper understanding of OAuth grant types is a must for the developers to choose the right grant type depending on the application to maintain the level of security and usability.
The grant types refers to the way an application gets an access token. Each grant types are optimised for particular use case whether it’s a web app, standalone app or server-to-server communication etc. The following grant types were introduced from the beginning of the OAuth framework.
- Password
- Client Credentials
- Authorization Code
- Implicit
Later few additional grant types were introduced to provide improved functionalities such as refresh tokens, SAML2 bearer and JWT bearer. In this study the 4 basic grant types were explored with sample use cases to understand the prominent usage.
The above mentioned grant types can be model in a decision tree for the developers to pick the right grant type at the right place.
Let’s start the developer’s journey. There are variety of software solutions in form of mobile applications, desktop applications and browser based web applications which can be either single page javascript driven apps or sever page apps which render the pages after processing the user interaction at the server side. Also not only the users interact but also the machines would interact to provide services to each other which is common in the modern microservices architecture.
All the grant types mentioned in the above decision tree are evaluated in accordance to the best fit use cases on this onwards. For each scenario, we can assume there is a service provider which handles the client requests on behalf of users and Asgardeo as the identity provider in each scenarios. A client id and client secret is generated for the service provider upon registering the application in Asgardeo.
Client Credentials
With the development API driven communication, the machine to machine communication becomes more popular as the services are split into microservices. Normally the APIs are invoked by service provider apps on behalf of the users requests and the service provider should have proper access to invoke the APIs. According the OAuth grant type decision tree, client credentials grant type is best suited for these type of use cases as no direct user interaction is needed. The following figure illustrates how the client credentials grant type works behind the scene.
Password
There are server side apps in contrast to modern SPA where the business logic is executed on a server and the content is rendered according to the response. In order to access the resources, the users have to be authenticated via prompting a login screen. There can be situation where users are highly trusted on the application they are consuming. Only in that cases we can use password grant type where we are providing the full control for the 3rd party application. The following figure illustrate how the password grant type works behind the scene.
This grant type must be used if the application which access the user’s credentials are highly trusted. The modern security standards do not encourage this grant type as the application can assumed the full access of the user.
