- Code flow:
  - the auth server sends an authorization code, then the client uses the code to get the access token
  - fit for web apps with a server-side back end (the code is delivered over the front channel, but the code-for-token exchange happens over a back channel)
  - has a refresh token
- Implicit flow:
  - the auth server sends the access token directly
  - fit where the client is a native app (mobile, desktop, etc.)
  - doesn't have a refresh token, but some people work around it (the OAuth 2.0 Security Best Current Practice now recommends the code flow with PKCE instead of implicit)
- Resource owner credential flow:
  - the client app gets a token by sending the resource owner's username/password to the auth server
  - fit for enterprise-trusted apps (e.g. on-prem services such as an on-prem JIRA server where the user enters their LDAP credentials), or regular client apps that connect to their own backend service (e.g. a mobile front end talking to its backend: the resource owner enters their username/password into the client app and gets an access token and a refresh token)
  - has a refresh token
- Client credential:
  - service-to-service flow, no human interaction (the client authenticates with its own client id/secret)
OpenID Connect (OIDC) builds on top of OAuth 2.0 by adding extra pieces such as the id_token and the UserInfo endpoint, and it reuses the first two flows (code and implicit, for server and native clients respectively).
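As an added illustration (not part of the original notes and not any real library's code), here is a minimal in-memory model of the code flow and its refresh token: the front-channel redirect only carries a short-lived, single-use code bound to the client and redirect URI, and the back-channel token endpoint authenticates the client before handing out tokens. The client id, secret and redirect URI are constructed values.

```python
import secrets, time
class AuthServer:
    def __init__(self):
        # one registered confidential client (constructed values, not a real deployment)
        self.clients = {"web-app": {"secret": "s3cret", "redirect": "https://app.example/cb"}}
        self.codes = {}    # code -> (client_id, redirect_uri, expiry)
        self.refresh = {}  # refresh token -> client_id

    def authorize(self, client_id, redirect_uri, state):
        """Front channel: after user consent, redirect back with a short-lived code and the state."""
        if redirect_uri != self.clients[client_id]["redirect"]:
            raise ValueError("redirect_uri not registered")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, redirect_uri, time.time() + 60)  # 60 s lifetime
        return {"code": code, "state": state}

    def token(self, grant_type, client_id, client_secret, **params):
        """Back channel: the authenticated client exchanges a code or a refresh token for tokens."""
        if self.clients.get(client_id, {}).get("secret") != client_secret:
            raise PermissionError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params["code"], None)  # pop: a code can be redeemed only once
            if entry is None or entry[:2] != (client_id, params["redirect_uri"]) or entry[2] < time.time():
                raise PermissionError("invalid_grant")
        elif grant_type == "refresh_token":
            # pop: rotate the refresh token so an old, possibly leaked one is rejected
            if self.refresh.pop(params["refresh_token"], None) != client_id:
                raise PermissionError("invalid_grant")
        else:
            raise PermissionError("unsupported_grant_type")
        new_refresh = secrets.token_urlsafe(32)
        self.refresh[new_refresh] = client_id
        return {"access_token": secrets.token_urlsafe(32), "refresh_token": new_refresh, "expires_in": 3600}
def run_code_flow(server):
    """Client side of the code flow; returns the code that was redeemed and the tokens."""
    state = secrets.token_urlsafe(16)  # kept in the browser session; checked on the callback (CSRF)
    redirect = server.authorize("web-app", "https://app.example/cb", state)
    if redirect["state"] != state:
        raise PermissionError("state mismatch")
    tokens = server.token("authorization_code", "web-app", "s3cret",
                          code=redirect["code"], redirect_uri="https://app.example/cb")
    return redirect["code"], tokens
def exchange_ok(server, grant_type, **params):
    """True if the token endpoint accepts this exchange for client web-app (shows rejections)."""
    try:
        server.token(grant_type, "web-app", "s3cret", **params)
        return True
    except PermissionError:
        return False
```

Replaying a redeemed code, presenting a code with a different redirect_uri, or reusing a rotated refresh token all fail with invalid_grant, which is the behaviour a real token endpoint should log and alert on.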