interview

home / developersection / interviews / what are the different oauth 2.0 grant types?

Ask Question
ICSM Computer

IT-Hardware & Networking

Ravi Vishwakarma is a dedicated Software Developer with a passion for crafting efficient and innovative solutions. With a keen eye for detail and years of experience, he excels in developing robust software systems that meet client needs. His expertise spans across multiple programming languages and technologies, making him a valuable asset in any software development project.

Follow
Can you answer this question?
Answer

1 Answers

ICSM Computer

ICSM Computer

08-Jun-2025

OAuth 2.0 defines grant types as different ways a client app can obtain an access token from the authorization server.

Each grant type is suited for different use cases — based on the type of client (web app, SPA, mobile, etc.) and level of trust.

The 4 Main OAuth 2.0 Grant Types

Grant Type Use Case Secure?
Authorization Code Web/mobile apps with a backend Yes
Client Credentials Server-to-server (no user involved) Yes
Password Grant Trusted apps asking for username/password No (deprecated)
Implicit Grant SPAs (JavaScript apps) — now discouraged No (deprecated)

Authorization Code Grant (with PKCE)

Most secure and commonly used for web & mobile apps.

Flow:

  • User logs in and authorizes app.
  • App receives a short-lived authorization code.
  • App exchanges code (securely) for access token (and optionally refresh token).

PKCE (Proof Key for Code Exchange) adds extra security for mobile/SPAs.

Returns:

  • access_token, refresh_token, id_token (if using OpenID Connect)

Client Credentials Grant

Used for machine-to-machine (M2M) communication, like a cron job or microservice.

Flow:

  • App authenticates using its client ID + secret (no user).
  • Gets an access token to call protected APIs.

Example:

POST /token
client_id=abc&client_secret=xyz&grant_type=client_credentials

Password Grant (Resource Owner Password Credentials)

The app collects the username and password of the user.

  • Works only for trusted first-party apps.
  • Deprecated due to security risk — user credentials are exposed to the app.

Flow:

  • App sends username, password, and client credentials.
  • Gets access token.

Use With Caution.

Implicit Grant (Deprecated)

Designed for public clients (e.g. JS apps in the browser) that can't securely store secrets.

  • Tokens are returned directly in the URL (less secure).
  • Doesn't support refresh tokens.
  • Now replaced by Authorization Code + PKCE.

Bonus: Other Specialized Grant Types

Grant Type Description
Device Code Flow Used for devices without browser (e.g., Smart TVs, IoT devices).
Refresh Token Not a grant type, but allows getting a new access token silently.
JWT Bearer Grant Lets apps exchange a JWT for an access token.

Summary Chart

Grant Type User Involved Secure Storage Required Suitable For
Authorization Code Yes Yes Web apps, mobile apps (via PKCE)
Client Credentials No Yes Backend services, daemons
Password Grant Yes No Trusted apps only (deprecated)
Implicit Grant Yes No Deprecated — use PKCE instead
Device Code Yes No Smart TVs, IoT, CLI

Let me know if you’d like:

  • A real C# implementation of any grant type
  • Help picking the right flow for your app type
  • Integration with IdentityServer, Auth0, or Google/Facebook auth
advertising
advertising

Liked By

We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy