Skip to main content
This page is for Authlete 2.x. For current (3.0) documentation, see this page.

Preface

As a general recommendation, prioritize using the authorization code flow (with PKCE). If the authorization code flow is not an option, carefully evaluate and consider alternative methods only after thoroughly understanding the characteristics and implications of each flow.

Grant Flow Details

The grant types defined in RFC6749 are as follows: There are five types. For each grant type, the elements issued from the authorization endpoint or token endpoint to the client application differ.
FlowAuthorization EndpointToken Endpoint
Authorization CodeAuthorization CodeAccess token, Refresh token
ImplicitAccess Token-
Resource Owner Passwords Credentials-Access token, Refresh token
Client Credentials-Access token
Refresh Token-Access token, Refresh token

Authorization Code Flow

This is the most popular grant flow. This flow begins by issuing a short-lived authorization code from the authorization endpoint. The authorization code is then exchanged for an access token at the token endpoint. This is the standard OAuth 2.0 flow. When a token is requested directly from a client (e.g., a public client) that cannot securely store confidential information like a client secret—such as a mobile app—it is essential to use PKCE (Proof Key for Code Exchange) in addition to the authorization code flow.

Implicit

This flow issues an access token directly from the authorization endpoint. Unlike the authorization code flow, no refresh token is issued. While this flow was originally designed for scenarios such as token requests from single-page applications (SPAs), the authorization code flow with PKCE is now the recommended approach for SPAs.

Resource Owner Passwords Credentials

This flow involves receiving the resource owner’s (end user’s) ID and password to issue an access token. However, it is generally avoided because the resource owner’s credentials are exposed to the client application. This flow is typically used only during transitional phases when implementing OAuth 2.0.

Client Credentials

This grant flow is defined for clients with no users involved. A client obtains an access token from an authorization server using its own credentials (e.g. a pair of client ID and client secret, a client certificate, a SAML assertion). This flow issues an access token based solely on client authentication. It is typically used when the client and the resource owner are the same entity.

Refresh Token

This is the flow to present the refresh token and have the access token reissued. The grant flow is defined to refresh previously issued access tokens (and refresh tokens). A client obtains an access token (and a new refresh token) from an authorization server using a refresh token previously obtained using other grant flows.