Red Hat

OAuth Theory

OAuth Grant Types

OAuth2 supports the following 4 grant types.

  1. Authorization Code

  2. Implicit

  3. Resource Owner Password Credentials

  4. Client Credentials

Authorization Code Grant Type

This grant type is primarily used for confidential clients. This grant type is used to obtain both access tokens and refresh tokens.

The flow is based on redirection. The client must support redirection from the server. So usually the client uses a browser.


  1. Client uses a browser to access the authorization server and provides at the minimum the Client Identifier and Redirection URL.

  2. The Authorization Server asks the user (who owns the protected resource) to authenticate and approve the access of the resource.

  3. Authorization Server provides an authorization code to the client.

  4. Client now uses the authorization code and a redirection uri to request an access token.

  5. Authorization Server validates the authorization code and the redirection uri and uses the redirection uri to redirect the client, and provides access token (with optional Refresh Token).

Implicit Code Grant Type

This process is used when the application has a fixed redirection URI. The clients are typically browser based Javascript applications.

The flow is based on redirection. The client must support redirection from the server. So usually the client uses a browser.

There is no client authentication and no request for an authorization code.

Also refresh tokens are not provided in this grant.

Resource Owner Password Credentials Grant Type

This case is used where the client (such as, New York Times Mobile App) has a trust relationship with a resource owner (such as, Twitter). This grant type should be used only when authorization code grant type or implicit grant types cannot be used.


  • Client (such as News Mobile App) obtains the resource owner (such as Twitter User)'s credentials.

  • Client sends username and credentials to authorization Server (such as Twitter).

  • Authorization server validates credential and issues an access token to the client.

  • Client takes the access token and discards the resource owner’s credentials. (IMPORTANT)

  • Client can access resource (make posts on twitter, read twitter posts etc) using the access token.

Client Credentials Grant Type

This case is when the client uses its credentials with the OAuth Authorization Server to obtain an access token. This grant type MUST be used with by confidential clients.

OAuth Message Exchanges

The following changes to what is shown in the diagram may happen in an OAuth exchange:

  • The OAuth Application Registration may be performed in an OAuth Provider web application to yield a client id and secret. There is no explicit requirement for OAuth Client to do the registration.

  • The Authorization Server and Token Server can be one. There is no major need to separate them out.

The Exchanges happening between an OAuth Client and Server is represented by the following diagram.

OAuth Exchanges


Go Back

Go back to OAuth dashboard OAuth Dashboard

back to top