oauth2-server/auth-server-which-grant.md

39 lines
2.4 KiB
Markdown
Raw Normal View History

2014-09-30 22:44:18 +01:00
---
layout: default
title: Which OAuth 2.0 grant should I use?
permalink: /authorization-server/which-grant/
---
# Which OAuth 2.0 grant should I use?
2016-03-23 12:45:29 +00:00
A grant is a method of acquiring an access token. Deciding which grants to implement requires implementing the right grant depending on the type of client and the best experience for your users.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
<figure>
<img src="/images/grants.svg" style="width:100%">
</figure>
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
## First party or third party client?
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
A first party client is a client that you trust enough to handle the end user's authorization credentials. For example Spotify's iPhone app is owned and developed by Spotify so therefore they implicitly trust it.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
A third party client is a client that you don't trust.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
## Access Token Owner?
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
An access token represents a permission granted to a client to access some protected resources.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
If you are authorizing a machine to access resources and you don't require the permission of a user to access said resources you should implement the [client credentials grant](/authorization-server/client-credentials-grant/).
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
If you require the permission of a user to access resources you need to determine the client type.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
## Client Type?
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
Depending on whether or not the client is capable of keeping of keeping a secret will depend on which grant the client should use.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
If the client is a web application that has a server side component then you should implement the [authorization code grant](/authorization-server/auth-code-grant/).
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
If the client is a web application that has runs entirely on the front end (e.g. a single page web application) you should implement the [password grant](/authorization-server/resource-owner-password-credentials-grant/) for a first party clients and the [implicit grant](/authorization-server/auth-code-grant/) for a third party clients.
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
If the client is a native application such as a mobile app you should implement the [password grant](/authorization-server/resource-owner-password-credentials-grant/).
2014-09-30 22:44:18 +01:00
2016-03-23 12:45:29 +00:00
Third party native applications should use the [authorization code grant](/authorization-server/auth-code-grant/) (via the native browser, not an embedded browser - e.g. for iOS push the user to Safari or use [SFSafariViewController](https://developer.apple.com/library/ios/documentation/SafariServices/Reference/SFSafariViewController_Ref/), <u>don't</u> use an embedded [WKWebView](https://developer.apple.com/library/ios/documentation/WebKit/Reference/WKWebView_Ref/)).