Logo Logo
GitHub Designed by Logto

What is an OAuth 2.0 grant?

An OAuth 2.0 grant is an authorization process that allows a Client to request an Access token from an Authorization server . You may also hear other terms around this concept, so let’s clarify them before diving in:

  • OAuth 2.0 grant: Also known as an “OAuth 2.0 grant type”, “OAuth 2.0 flow”, or “OAuth 2.0 authorization grant”. In most contexts, these terms refer to the same concept.
  • Authorization server : The server that issues access tokens to the client. In OpenID Connect (OIDC), the authorization server is the same as the OpenID Provider (OP) .
  • Authorization request : The request made by the client to the authorization server to obtain an access token. In OpenID Connect (OIDC), it is also referred to as an Authentication request .

For the sake of clarity, we will use the initial terms listed above consistently throughout this article.

The high-level process of an OAuth 2.0 grant is quite simple:

After the client receives the access token, it can use it to access protected resources (e.g., APIs) on behalf of a user or itself.

Note that according to the specific grant, the client and the authorization server may exchange additional information and involve more steps in the process. For example, the authorization code grant involves user authentication and authorization, code generation, and token exchange.

Different OAuth 2.0 grants

The basic OAuth 2.0 specification defines four grants that clients can use to obtain access tokens:

  1. Authorization code grant : The most secure and recommended grant for majorities of applications. It’s enforced to use Proof Key for Code Exchange (PKCE) for all clients in OAuth 2.1 .
  2. Implicit grant : A simplified grant that is deprecated in OAuth 2.1 due to security concerns.
  3. Resource owner password credentials (ROPC) grant : A grant where the user’s credentials are directly exchanged for an access token. It is not recommended for most applications due to security risks.
  4. Client credentials grant : A grant used by Confidential clients to obtain an access token without user involvement.

As the industry evolves, implicit and ROPC grants are being deprecated in favor of more secure and standardized flows. For new applications, the choices are straightforward:

  • For user authentication and authorization, use the authorization code grant with PKCE.
  • For Machine-to-machine communication, use the client credentials grant.

Other OAuth 2.0 grants

In addition to the four basic grants, there are other extensions that define new grants for specific use cases. For example:

  • Device authorization grant is a grant designed for devices with limited input capabilities, such as smart TVs and IoT devices.
  • Hybrid flow is an OpenID Connect grant that combines the authorization code grant with the implicit grant.

Grants in OpenID Connect (OIDC)

In OpenID Connect (OIDC) , the concept of grants is extended to include ID tokens that represent user identity information in addition to access tokens. OIDC extends two OAuth 2.0 grants (authorization code and implicit) to include ID tokens, and introduces a new grant called the hybrid flow that combines both.

Like OAuth 2.0, it’s only recommended to use the authorization code grant with PKCE in OIDC for user authentication and authorization.

Meanwhile, since OIDC is built on top of OAuth 2.0, other grants like the client credentials grant can still be used on the same authorization server, as long as the server supports them.

See also