DEV Community

JL

OAuth 2.0 - Grant Types

The grant types are designed around the nature of the different clients that use them.


The typical choice for a server-side web app and a mobile native app (both can store the client credentials, the client id and secret, properly):

Authorization Code


A detailed sequence diagram of what happens:


https://docs.google.com/presentation/d/1CiAiuay5rd1KDDnYwOyu6ud9xk5ZetSQDOMp9DYUKjs/edit#slide=id.g8bb7b0e120_0_0

For a JavaScript SPA (single-page application), you should use
PKCE - Proof Key for Code Exchange


To make sure the client is the true client, in the 2nd call to the auth server (using the client id and the auth code to exchange for an access token) the client needs to send the code_verifier value, from which the code_challenge value was derived.

And the auth server needs to validate this request by applying the S256 transform to code_verifier (SHA-256, then base64url-encode) and checking that the result matches the code_challenge value it received in the 1st call (when the auth code was requested).


https://docs.google.com/presentation/d/1yJeYPMoPY2050cZkkBcBu1SL5Z88StV7O7fH5f_6X3A/edit#slide=id.g8b2fa1d558_0_112
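The two calls described above, as an added example that is not part of the original post: the client generates the code_verifier and derives the code_challenge with S256 (RFC 7636), the authorization server stores the challenge with the code it issues, and at the token call it recomputes S256 over the presented verifier and compares in constant time. The authorize endpoint, client id and redirect URI are placeholder values, and the in-memory `_issued_codes` dict stands in for the server's real code storage.

```python
# Added example, not code from the original post. Client id, redirect URI and
# the endpoint URL are placeholders; _issued_codes stands in for server storage.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://auth.example/authorize"  # placeholder


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: 32 random bytes -> 43 unreserved characters (43..128 allowed)."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def s256_challenge(code_verifier: str) -> str:
    """S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, code_challenge: str, state: str) -> str:
    """1st call: only the challenge leaves the browser; the verifier stays in the SPA."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str, code_verifier: str) -> dict:
    """2nd call: a public client has no secret, so it proves possession of the verifier."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
    }


# --- authorization server side (in-memory stand-in for real storage) ---
_issued_codes = {}  # code -> {"client_id", "redirect_uri", "challenge"}


def server_issue_code(client_id: str, redirect_uri: str, code_challenge: str) -> str:
    """Bind the challenge to the code when it is issued so it can be checked at redemption."""
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                           "challenge": code_challenge}
    return code


def server_verify_pkce(stored_challenge: str, code_verifier: str) -> bool:
    """Recompute S256 over the presented verifier; constant-time compare with the stored challenge."""
    if not 43 <= len(code_verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(code_verifier), stored_challenge)


def server_redeem_code(req: dict) -> bool:
    """Token endpoint check: the code is single-use and must match client, redirect URI and PKCE."""
    entry = _issued_codes.pop(req.get("code", ""), None)  # pop => a replayed code fails
    if entry is None:
        return False
    if entry["client_id"] != req.get("client_id") or entry["redirect_uri"] != req.get("redirect_uri"):
        return False
    return server_verify_pkce(entry["challenge"], req.get("code_verifier", ""))


def run_flow() -> tuple:
    """Walk both calls; returns (first redemption ok, replay of the same code ok)."""
    verifier = make_code_verifier()
    challenge = s256_challenge(verifier)
    state = secrets.token_urlsafe(16)
    build_authorize_url("spa-client", "https://app.example/cb", challenge, state)
    code = server_issue_code("spa-client", "https://app.example/cb", challenge)
    req = build_token_request("spa-client", "https://app.example/cb", code, verifier)
    first = server_redeem_code(req)
    replay = server_redeem_code(req)
    return first, replay


if __name__ == "__main__":
    print(run_flow())  # (True, False)
```

The point of the server side is that the challenge is bound to the code at issue time, so an attacker who intercepts the redirect and gets the code still cannot redeem it without the verifier, and the `pop` makes a second redemption of the same code fail.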

For machine-to-machine requests (from a web server with no UI, such as a BFF), use:

Client Credentials

There is literally no auth_code involved.


https://docs.google.com/presentation/d/1KEA3i0F0bhB4me1uHfXkbmuaaFeRyxo7rG0ih-MlP68/edit#slide=id.p
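The client credentials exchange, as an added example that is not from the original post: the BFF authenticates itself with HTTP Basic (client id and secret form-urlencoded before base64, as RFC 6749 section 2.3.1 requires) in a single POST, and the authorization server checks the grant type, authenticates the client in constant time and mints a token bound to the client rather than to a user. The client id, secret and token endpoint URL are constructed placeholders, and `REGISTERED_CLIENTS` stands in for the server's client registry.

```python
# Added example, not code from the original post. The client id, secret and
# endpoint URL are constructed placeholders; REGISTERED_CLIENTS stands in for
# the authorization server's client registry.
import base64
import hmac
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode

TOKEN_ENDPOINT = "https://auth.example/token"  # placeholder

# Constructed registry. A real server stores a salted hash of the secret, not the secret.
REGISTERED_CLIENTS = {"bff-service": "example-client-secret-not-real"}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 6749 section 2.3.1: form-urlencode id and secret, join with ':', then base64."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_client_credentials_request(client_id: str, client_secret: str, scope: str) -> tuple:
    """Client side (the BFF): one direct POST to the token endpoint. No redirect, no user, no code."""
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return TOKEN_ENDPOINT, headers, body


def _client_from_basic(header: str):
    """Decode the Basic header back into (client_id, client_secret); None if malformed."""
    if not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("ascii")
        enc_id, enc_secret = raw.split(":", 1)
    except (ValueError, UnicodeDecodeError):
        return None
    return unquote(enc_id), unquote(enc_secret)


def server_handle_token(headers: dict, body: str) -> dict:
    """Authorization server side: authenticate the client itself and mint a token bound to it."""
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    creds = _client_from_basic(headers.get("Authorization", ""))
    if creds is None:
        return {"error": "invalid_client"}
    client_id, presented = creds
    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time compare; compare against an empty string for an unknown id so the
    # unknown-client and wrong-secret paths do the same work.
    ok = hmac.compare_digest(presented.encode(), (expected or "").encode())
    if expected is None or not ok:
        return {"error": "invalid_client"}
    return {
        "access_token": secrets.token_urlsafe(32),  # opaque token; a real server would persist/sign it
        "token_type": "Bearer",
        "expires_in": 3600,
        "scope": form.get("scope", [""])[0],
    }
```

Compared with the authorization code flow, nothing here involves a browser redirect or a user: the token endpoint rejects any other grant_type, and the only thing it authenticates is the client's own registered secret.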
