Introduction to OAuth2 Grant Types in 2-Minutes With Pictures
OAuth2 is complicated. We want to make it simple to understand and remember. After hours of cracking our heads, we carefully crafted 4 images, one for each OAuth2 grant type, and place them side-by-side, to simulate a ‘spot-the-difference’ puzzle, which makes it easy to compare them at a glance.
The key to understanding each OAuth2 grant type is by observing their ratings in each of the following 3 categories, which ranges from a score of 1 (low) to 3 (high):
- Implementation difficulty
- Use cases
Let us go spot the difference category by category!
OAuth2 Grant Type: Implementation Difficulty
Authorization Code grant type (top-right) has the highest implementation difficulty (blue bar), and it is obvious since it has the most parties involved; notice the Guard entity which other grant types do not have.
OAuth2 Grant Type: Security
Client Credential (top-left) and Authorization Code (top-right) grant types have the highest security (purple bar).
For Client Credential grant type, the User and App is a unified entity so there is the least number of parties involved with the least amount of flow, i.e., lines with arrows, reducing the possibility of any data leak.
For Authorization Code grant type, the User authorization Key is passed to the Guard (backend), which is well-guarded. The App (frontend), which is more exposed to attacks can access User data only through the Guard. This reduces the surface of attack of the system, making this grant type rather secure. Moreover, in this grant type, the User can control what type of data to grant to the App by giving the App a Key with restricted access.
Resource Owner Password Credential grant type (bottom-left) is the most insecure since it is the only grant where the User hands over his username/password to the App in order for the App to use the username/password to exchange for a Key to the User data. This unnecessarily bestows the App all the same privileges as the User.
OAuth2 Grant Type: Use Cases
Given that Client Credential (top-left) grant type has the lowest implementation difficulty, and the highest security, it seems like a no-brainer to always use it. However, it also has lowest use cases rating. This grant type is applicable only when the User and the App is the same entity, and in such a scenario, the App has limited usage, i.e., it serves only that single User.
Security is deemed important thus for other use cases, we should consider using Authorization Code (top-right) grant type if the App has a backend, and Implicit (bottom-right) if the App is a single-page app or a native mobile app.
Only as a last resort, or if the App and the OAuth Server belongs to the same entity, which makes sharing the username/password with the App a non-security risk, then should we use Resource Owner Password Credential grant type.
By looking at the 3 categories of classification – implementation difficulty, security, and uses cases, it will help you to remember the 4 OAuth2 grant types. Bookmark our picture-only version of this post here for quick reference.