RFC 6749 defines four grant types. We recommend using them as follows:

1. Authorization Code (RFC 6749, Section 4.1.1): This grant type is particularly useful when you want to protect an Internet-exposed service from the Clients. In these cases the Resource Owner is separated from the Resource Server, and the authorization must be initiated via a dedicated code exchanged between the Broker and the Owner and then passed by the Owner to the Client. The Client has no access to any access token until the Broker has validated the authorization code a second time. This is a redirection-based flow.
Pros: Good security; Scope verification; Redirection is required. Cons: More complex implementation with dual-stage authorization.

2. Implicit Grant (RFC 6749, Section 4.2.1): This grant type is a simplified method that authorizes the Client directly with an access token, without intermediary verification. The approach is applicable when the Client is trusted and/or operates in a controlled environment, such as internal enterprise infrastructure, core-banking solutions, or a mobile device where the client credentials may be exposed but remain protected by the environment itself. The overall authorization is based only on the fact that the Broker knows the Client by its Application Key. The implicit grant type does not support refresh tokens. This is a redirection-based flow.
Pros: Scope verification; Redirection is required. Cons: Weak security.

3. Resource Owner Credentials (RFC 6749, Section 4.3.2): This grant type is designed mostly for desktop applications and services with SSO integration in an enterprise infrastructure, where the Client is delegated to use the Resource Owner's (the User's) credentials, such as user name and password, directly. The authorization is granted only on the basis of the Application Key, the User's name, and the User's password.
Pros: Regular security; Simple implementation. Cons: User credentials require additional integration and/or configuration.

4. Client Credentials (RFC 6749, Section 4.4.2): This grant type provides a way for the Client to access the protected resources with its own credentials, provided and managed by the Broker. In this case the Resource Owner delegates full rights to the Broker (Authorization Server) to control the Protected Resource on the Owner's behalf. Consequently, the Broker will authorize access only on the basis of the Client's user name and the Client's secret.
Pros: Simple implementation. Cons: Weak security.
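The following is an added example, not code from this page or from the Broker product it describes: a toy in-memory Broker with an authorization endpoint and a token endpoint that dispatch on the four RFC 6749 grants above. It makes concrete the checks each grant rests on: the authorization code is validated a second time at the token endpoint (known, unexpired, single-use, bound to the same client and redirect URI); the implicit grant hands back an access token directly and never a refresh token; the password grant needs the Application Key plus the User's name and password; the client credentials grant needs only the Client's key and secret. The client registry, user store, keys and secrets are constructed placeholders, and the `Broker` class and its method names are assumptions of this example.

```python
# Added example (not the page's or the Broker product's own code): a toy
# in-memory OAuth 2.0 broker showing the checks behind the four grant types.
# CLIENTS, USERS and every key/secret below are constructed placeholders.
import hmac
import secrets
import time

# Constructed client registry: Application Key -> secret (None = public client) and redirect URI.
CLIENTS = {
    "app-key-1": {"secret": "s3cr3t", "redirect_uri": "https://client.example/cb"},
    "spa-key": {"secret": None, "redirect_uri": "https://spa.example/cb"},
}
# Constructed Resource Owner store for the password grant (a real broker stores password hashes).
USERS = {"alice": "correct horse"}


class Broker:
    def __init__(self):
        self._codes = {}   # authorization code -> binding data
        self.tokens = {}   # access token -> client_id, scope, refresh token

    def _issue(self, client_id, scope, with_refresh):
        access = secrets.token_urlsafe(24)
        refresh = secrets.token_urlsafe(24) if with_refresh else None
        self.tokens[access] = {"client_id": client_id, "scope": scope, "refresh": refresh}
        return {"access_token": access, "token_type": "bearer", "scope": scope,
                "refresh_token": refresh}

    def _check_client_secret(self, client_id, client_secret):
        client = CLIENTS.get(client_id)
        if client is None or client["secret"] is None or client_secret is None:
            return False
        return hmac.compare_digest(client["secret"], client_secret)

    # Authorization endpoint: used by the two redirection-based grants.
    def authorize(self, response_type, client_id, redirect_uri, scope):
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if response_type == "code":
            # Authorization Code: a short-lived, single-use code is handed to the
            # Owner's user agent, which relays it to the Client.
            code = secrets.token_urlsafe(16)
            self._codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                                 "scope": scope, "exp": time.time() + 60, "used": False}
            return {"code": code}
        if response_type == "token":
            # Implicit: the access token itself goes back in the redirect; no refresh token.
            return self._issue(client_id, scope, with_refresh=False)
        raise ValueError("unsupported_response_type")

    # Token endpoint: the Client presents its grant and receives an access token.
    def token(self, grant_type, client_id, client_secret=None, **params):
        if grant_type == "authorization_code":
            entry = self._codes.get(params.get("code"))
            # Second validation of the code: it must exist, be unexpired and unused,
            # and be bound to this client and the redirect URI used at authorization.
            if (entry is None or entry["used"] or entry["exp"] < time.time()
                    or entry["client_id"] != client_id
                    or entry["redirect_uri"] != params.get("redirect_uri")):
                raise PermissionError("invalid_grant")
            if (CLIENTS[client_id]["secret"] is not None
                    and not self._check_client_secret(client_id, client_secret)):
                raise PermissionError("invalid_client")
            entry["used"] = True
            return self._issue(client_id, entry["scope"], with_refresh=True)
        if grant_type == "password":
            # Resource Owner Credentials: Application Key plus the User's name and password.
            if client_id not in CLIENTS:
                raise PermissionError("invalid_client")
            stored = USERS.get(params.get("username"))
            if stored is None or not hmac.compare_digest(stored, params.get("password", "")):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, params.get("scope", ""), with_refresh=True)
        if grant_type == "client_credentials":
            # Client Credentials: only the Client's own key and secret are checked.
            if not self._check_client_secret(client_id, client_secret):
                raise PermissionError("invalid_client")
            return self._issue(client_id, params.get("scope", ""), with_refresh=False)
        raise ValueError("unsupported_grant_type")


if __name__ == "__main__":
    b = Broker()
    step = b.authorize("code", "app-key-1", "https://client.example/cb", "read")
    print(b.token("authorization_code", "app-key-1", "s3cr3t",
                  code=step["code"], redirect_uri="https://client.example/cb"))
```

Replaying a code, presenting it from a different client, or swapping the redirect URI all fail the second validation, which is the property that gives the Authorization Code grant its "good security" rating above; the implicit and client-credentials branches show why the same toy rates them weaker: a single round trip with no second check.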