OAuth Grant Types: Explained

Summary

A grant type is the method by which the client obtains the access token. Below are the most widely used grant types in OAuth.

1. Authorization Code Grant Type
2. Resource Owner Password Credentials Grant Type
3. Client Credentials Grant Type
4. Refresh Token Grant Type

Authorization Code Grant Type

The Authorization Code Grant Type is the most widely used grant type in OAuth. It essentially has two stages. In the first stage, the client application requests an authorization code from the authorization server (authorization endpoint). In the second stage, the client application uses the authorization code obtained in the first stage to make a POST call to the token server (token endpoint) and receives a token.

Stage 1: A GET call to the authorization endpoint. During this GET call, the user is redirected to the authorization endpoint. Once the user has entered their credentials, the authorization server returns the authorization code to the redirect URI that was configured for the client.

Request:
    GET (Authorization Endpoint)?response_type=code&client_id={CLIENT ID}&redirect_uri={REDIRECT URI}&scope={SCOPES}&state={STATE}

Response:
    {REDIRECT URI}?code={AUTHORIZATION CODE}&state={STATE}

Stage 2: In this stage, the call to the token endpoint is made using a POST request. This server-to-server call occurs in the background while the token is fetched and is not visible at the UI level.

Request:
    POST (Token Endpoint)
    Header
        Authorization: Basic <BASE64({CLIENT ID}:{CLIENT SECRET})>
    Body
        grant_type: authorization_code
        code: {AUTHORIZATION CODE}
        redirect_uri: {REDIRECT URI}
        client_id: {CLIENT ID}
        client_secret: {CLIENT SECRET}

Note: The client ID and client secret can be sent either in the request body or in the request headers, depending on the configuration.
Response:
    {"access_token":"{ACCESS TOKEN}","refresh_token":"{REFRESH TOKEN}","scope":"scope","token_type":"Bearer","expires_in":"Lifetime in seconds"}

Resource Owner Password Credentials Grant Type

The Resource Owner Password Credentials grant type is designed for obtaining access tokens directly in exchange for a username and password. In this grant type, the client application makes a POST call to the token endpoint to obtain the access token and refresh token, and must pass the username and password in that call. After verifying the credentials and the client ID/secret, the token provider responds with both an access token and a refresh token.

Request:
    POST (Token Endpoint)
    Body
        grant_type: password
        username: {USERNAME}
        password: {PASSWORD}
        client_id: {CLIENT ID}
        client_secret: {CLIENT SECRET}

Note: The client ID and client secret can be sent either in the request body or in the request headers, depending on the configuration.

Response:
    {"access_token":"{ACCESS TOKEN}","refresh_token":"{REFRESH TOKEN}","scope":"scope","token_type":"Bearer","expires_in":"Lifetime in seconds"}

Client Credentials Grant Type

In the Client Credentials flow, the client application exchanges its client ID and client secret for an access token from the token provider. This grant type operates at the application level: the client application makes a POST call to the token endpoint, passing the client ID and client secret, to obtain the access token. User credentials are not involved. After verifying the client ID and secret, the token provider responds with an access token. The client credentials grant type deals only with access tokens; there is no refresh token involved.
Request:
    POST (Token Endpoint)
    Body
        grant_type: client_credentials
        client_id: {CLIENT ID}
        client_secret: {CLIENT SECRET}

Note: The client ID and client secret can be sent either in the request body or in the request headers, depending on the configuration.

Response:
    {"access_token":"{ACCESS TOKEN}","scope":"scope","token_type":"Bearer","expires_in":"Lifetime in seconds"}

Refresh Token Grant Type

The refresh token grant type is designed for obtaining a new access token by presenting the existing refresh token. The client application makes a POST call to the token endpoint, passing the existing refresh token, and after verifying that refresh token the token provider responds with a new access token.

Request:
    POST (Token Endpoint)
    Body
        grant_type: refresh_token
        client_id: {CLIENT ID}
        client_secret: {CLIENT SECRET}
        refresh_token: {REFRESH TOKEN}

Note: The client ID and client secret can be sent either in the request body or in the request headers, depending on the configuration.

Response:
    {"access_token":"{ACCESS TOKEN}","refresh_token":"{REFRESH TOKEN}","scope":"scope","token_type":"Bearer","expires_in":"Lifetime in seconds"}
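The four token requests above share one shape (a form-encoded POST with the client credentials in a Basic header), and the authorization code grant adds the stage 1 redirect whose state value the client must check before trusting the returned code. The following is an added client-side example written for this page, not code from any OAuth library; the endpoint URLs and client values are constructed placeholders, and it builds the messages without sending them.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder endpoints, not a real provider.
AUTHZ_ENDPOINT = "https://auth.example.test/authorize"
TOKEN_ENDPOINT = "https://auth.example.test/token"

# Body parameters each grant_type must carry; client_id/secret go in the
# Basic header here (the "request headers" option from the Notes above).
REQUIRED = {"authorization_code": ("code", "redirect_uri"),
            "password": ("username", "password"),
            "client_credentials": (),
            "refresh_token": ("refresh_token",)}

def authorization_url(client_id, redirect_uri, scopes, state):
    """Stage 1 GET of the authorization code grant; `state` is an unguessable
    per-request value the client stores so it can check the callback."""
    return AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": client_id,
        "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state})

def code_from_callback(callback_url, expected_state):
    """Bind the redirect back to the stored state before trusting its code;
    a mismatch means this callback was not started by this client session."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch; callback discarded")
    if "code" not in q:
        raise ValueError("callback carries no authorization code")
    return q["code"][0]

def token_request(grant_type, client_id, client_secret, **params):
    """Build the server-to-server POST for any of the four grant types."""
    missing = [p for p in REQUIRED[grant_type] if p not in params]
    if missing:
        raise ValueError(f"{grant_type} requires {missing}")
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_ENDPOINT, headers, urlencode({"grant_type": grant_type, **params})

def parse_token_response(raw):
    """Accept only a Bearer response and normalise expires_in to an int."""
    tok = json.loads(raw)
    if "access_token" not in tok or tok.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token response")
    tok["expires_in"] = int(tok["expires_in"])
    return tok
```

The redirect_uri passed to token_request for the authorization_code grant must be the same value used in authorization_url, since the token endpoint compares the two.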