OAuth2 is one of the most widely used authorization frameworks in modern applications.
However, many developers struggle to understand when to use each grant type and how the flows actually work.
In this guide we break down the most common OAuth2 grant types with diagrams and practical explanations.
Table of Contents
Overview of OAuth2
OAuth2 is designed to provide a secure way for applications to obtain access to user data without requiring the user to share their credentials. Instead, it uses access tokens issued by an Authorization Server to allow applications to request data from a Resource Server.
What is a Grant Type?
A grant type in OAuth2 is a method by which a client application obtains an access token. It defines the flow that an application follows to request and receive authorization from an authorization server. Different grant types exist to accommodate various security needs and application types.
Grant Types
Authorization Code Grant
sequenceDiagram
actor User
participant Browser
participant App Server
participant Authorization Server
participant Resource Server
User ->> Browser:
Browser ->> App Server: GET/index.html
App Server -->> Authorization Server: Redirect to Authorization Server
Authorization Server ->> Browser: Display Login Page
Browser ->> Authorization Server: Enters Credentials(username,password)
Authorization Server ->> Authorization Server: User Authentication
Authorization Server -->> App Server: Redirect back to app wihth grant code(auth code)
App Server ->> Authorization Server: get tokens by sending the grant code(auth code)
Authorization Server ->> App Server: return access token
App Server ->> Resource Server: get data sending the token
Resource Server->>App Server:return data
App Server->>Browser:display data/index.html
The Authorization Code Grant is used by web applications and follows a redirection-based flow to obtain an access token securely.
Steps:
- The user accesses a web application and is redirected to an Authorization Server for authentication.
- The user logs in, and if successful, the Authorization Server redirects back to the application with an authorization code.
- The application exchanges this authorization code for an access token.
- The access token is then used to request protected resources from the Resource Server.
Implicit Grant
sequenceDiagram
actor User
participant Browser
participant App Server
participant Authorization Server
participant Resource Server
User ->> Browser:
Browser ->> App Server: GET/index.html
App Server -->> Authorization Server: Redirect or popup to Authorization Server
Authorization Server ->> Browser: Display Login Page
Browser ->> Authorization Server: Enters Credentials(username,password)
Authorization Server ->> Authorization Server: User Authentication/Credentials validated
Authorization Server -->> App Server: Redirect back to app with access token in the URL
App Server-->>Browser:Token
Browser ->> Resource Server: get data sending the token
Resource Server->>Browser:return data
The Implicit Grant is used for single-page applications (SPAs) where storing client secrets securely is not possible. It directly provides an access token.
Steps
- The user is redirected to the Authorization Server, logs in, and approves access.
- Instead of returning an authorization code, the Authorization Server directly returns an access token in the URL.
- The client application uses this token to access the Resource Server.
⚠️ Note: The Implicit Grant is now considered deprecated in OAuth 2.1 and modern applications should use the Authorization Code flow with PKCE instead.
Resource Owner Password Credentials Grant
sequenceDiagram
actor User
participant Browser
participant App Server
participant Authorization Server
participant Resource Server
User ->> Browser:
Browser ->> App Server: GET/index.html
App Server ->> Browser: Display Login page
Browser ->> App Server: User Credentials
App Server ->> Authorization Server: Get tokens sending User Credentials
Authorization Server ->> App Server: Access Token
App Server ->> Resource Server: Get data sending the token
Resource Server->>App Server:Return data
App Server->>Browser: index.html
Used when the application is trusted, and the user directly provides their credentials to the client application.
Steps
- The user enters their credentials directly into the application.
- The application sends these credentials to the Authorization Server.
- If valid, the Authorization Server responds with an access token.
- The application uses the access token to request data from the Resource Server.
Client Credentials Grant
sequenceDiagram
participant App Server
participant Authorization Server
participant Resource Server
App Server ->> Authorization Server: Get tokens sending Client Credentials(client_id,client secret)
Authorization Server ->> App Server: Access Token
App Server ->> Resource Server: Get data sending the token
Resource Server->>App Server:Return data
Used when a client application needs to access its own resources without user intervention.
Explanation
- The application sends its client ID and secret to the Authorization Server.
- If valid, the Authorization Server responds with an access token.
- The application uses the token to access the Resource Server.
Refresh Token Grant
sequenceDiagram
actor User
participant ClientApplication
participant AuthorizationServer
participant ResourceServer
User->>ClientApplication: Initiates login
ClientApplication->>AuthorizationServer: Redirects to authorization endpoint
AuthorizationServer->>User: Prompts for authentication
User->>AuthorizationServer: Provides credentials
AuthorizationServer-->>ClientApplication: Returns authorization code
ClientApplication->>AuthorizationServer: Exchanges authorization code for tokens (access token + refresh token)
AuthorizationServer-->>ClientApplication: Returns access token and refresh token
ClientApplication->>ResourceServer: Uses access token to access resources
ResourceServer-->>ClientApplication: Returns requested resources
Note over ClientApplication,AuthorizationServer: Access token expires
ClientApplication->>AuthorizationServer: Requests new access token using refresh token
AuthorizationServer-->>ClientApplication: Returns new access token (and optionally a new refresh token)
ClientApplication->>ResourceServer: Uses new access token to access resources
ResourceServer-->>ClientApplication: Returns requested resources
Allows clients to obtain a new access token using a refresh token without requiring user intervention.
Steps
- The client application initially receives both an access token and a refresh token after a successful authentication process using a grant type(e.g. Authorization Code grant).
- The client uses the access token to request protected resources.
- When the access token expires, the client sends the refresh token to the Authorization Server.
- If the refresh token is valid, the Authorization Server returns a new access token (and optionally a new refresh token).
- The client continues using the new access token to access resources.
Device Authorization Grant
sequenceDiagram
actor User
participant Device
participant AuthorizationServer
participant ClientApplication
User->>Device: Initiates device authorization
Device->>AuthorizationServer: Request device authorization
AuthorizationServer-->>Device: Returns device code and user code
Device-->>User: Displays user code and verification URI
User->>AuthorizationServer: Navigates to verification URI and enters user code
AuthorizationServer->>User: Prompts user to authorize the device
User->>AuthorizationServer: Authorizes the device
AuthorizationServer->>Device: Polling for authorization status
Device->>AuthorizationServer: Polling request with device code
AuthorizationServer-->>Device: Returns access token (if authorized)
Device->>ClientApplication: Uses access token to access resources
ClientApplication-->>Device: Returns requested resources
Used for devices with limited input capabilities, such as smart TVs and IoT devices.
Steps:
- The user initiates the device authorization.
- The device requests authorization from the Authorization Server.
- The Authorization Server returns a device code and a user code.
- The device displays the user code and verification URI.
- The user navigates to the verification URI and enters the user code.
- The Authorization Server prompts the user to authorize the device.
- Once approved, the device polls the Authorization Server for the access token.
- The Authorization Server issues an access token.
Conclusion
OAuth2 provides multiple grant types to support different application architectures.
Choosing the correct flow depends on:
- Security requirements
- Client type (web, mobile, server-to-server)
- User interaction needs
In modern architectures the most commonly used flows are:
- Authorization Code + PKCE
- Client Credentials
- Refresh Token
Understanding these flows helps developers design secure authentication and authorization systems.
Note: The Mermaid code for the diagrams is included in this article, but Dev.to does not render the diagrams correctly.
For readability, the diagrams are shown as images.
If you want to view or reuse the original Mermaid source, you can find it in the repository:
https://github.com/dkforge31/Understanding-OAuth2-Grant-Types
Top comments (0)