As you already must be knowing, OAuth 2.0 is an industry-standard authorization protocol. OAuth flows are essentially processes supported by OAuth for authorization and resource owners for authentication. There are OAuth flows enabling users to enter credentials via an OAuth login prompt directly into the app, or even supporting authentication without user involvement for back-end systems. Let’s learn more.
OAuth flows are processes that can vary. There are OAuth flows that allow users to enter credentials via an OAuth login prompt, directly into the app. Some even support authentication without user involvement for back-end systems. Before we learn about the main kinds of OAuth Flows, let’s cover the basics.
The OAuth protocol uses the following roles:
This is part of an extensive series of guides about Front-End Development.
Related: OAuth Grant Types
Without further ado, let’s dive into the OAuth Flow types you need to know before getting started and working on your specific use case/s.
Authorization Code Flow exchanges an authorization code for a token. For this exchange to take place, you have to also pass along your app’s Client Secret. The secret must be securely stored on the client side.
Use Cases: Server side web applications where the source code is not exposed publicly.
How this OAuth flow works:
The Client Credentials Flow allows applications to pass their Client Secret and Client ID to an authorization server, which authenticates the user, and returns a token. This happens without any user intervention.
Relevant for: M2M apps (daemons, back-end services, and CLIs). In these types of apps, the system authenticates and grants permission behind the scenes without involving the user, because the “user” is often a machine or service role. It doesn’t make sense to show a login prompt or use social logins.
How this OAuth flow works:
The Resource Owner Password Flow asks users to submit their credentials via a form. Credentials are transferred to the backend and may be retained for future use, before an Access Token is granted. It’s essential that the app is completely trusted. Therefore, this flow is generally not recommended.
Use Cases: Highly-trusted applications, where other flows based on redirects cannot be used.
How this OAuth flow works:
The following flows are less commonly used, so we’ll only cover them briefly.
This flow uses OIDC to implement a web sign-in that functions like WS-Federation and SAML. The web app requests and receives tokens via the front channel, without requiring extra backend calls or secrets. With this process, you don’t have to use, maintain, obtain or safeguard secrets in your app.
Use Cases: Apps that don’t want to maintain secrets locally.
Related: OAuth2 vs SAML
This flow can benefit apps that can securely retain Client Secrets. It lets your app obtain immediate access to an ID token, while enabling ongoing retrieval of additional access and refresh tokens. This is useful for apps that need to immediately gain access to data about the user, but must perform some processing prior to gaining access to protected resources for a long time.
Use Cases: Apps that need immediate access to data about the user, but also need to use this data on an ongoing basis.
This flow makes it possible to authenticate users without asking for their credentials. This provides a better user experience for mobile devices, where it may be more difficult to type credentials. Applications on these devices can transfer their Client ID to the Device Authorization Flow to start the authorization process and obtain a token.
Use Cases: Apps running on input-constrained devices that are online, enabling seamless authentication via credentials stored on the device.
This flow uses a proof key for code exchange (PKCE). A secret known as a Code Verifier is provided by the calling application, which may be verified by the authorization server using a Proof Key.
Use Cases: Apps that need to serve unknown public clients who may introduce additional security issues that are not addressed by the Auth Code Flow.
The OAuth 2.0 Authorization Framework powers various authorization flows and grants. Flows are means of obtaining Access Tokens. Selecting the right flow for your use case depends on your app type, but you should also consider other parameters like the client’s level of trust and the user experience.
When choosing an OAuth Flow, take into account the following:
The type of authorization flow is determined by the type of client, and whether it is a human or machine. In purely machine authorization, the Client is the same as the Resource Owner, so the end-user doesn’t need to provide any additional authorization. In this case, use Client Credentials Flow.
When the Client is a typical web app executive via a server, you should apply the Authorization Code Flow. It provides an Access Token (and an optional Refresh Token) directly to the Client. This is a safer approach than having the Access Token pass through the user’s web browser, which may lead to exposure.
If the Client is trusted, the system may generate a Resource Owner Password Credential Grant. In this scenario, the end-user must provide credentials (passwords and usernames), generally via a digital form. The data is then passed on to the backend. It is essential that the Client is completely trusted.
This grant must only be employed when a redirect-based flow (Auth Code Flow) is not viable. For such cases, use the Resource Owner Password Flow.
A Single-Page Application (SPA) is a browser-based one that employs scripting languages like JavaScript. When the Client is a Single-Page Application, you can use one of two grant options—the Implicit Flow with Form Post and the Authorization Code Flow with PKCE.
The preferred option is usually the Authorization Code Flow with PKCE as the client-side Access Token. It is not exposed and can deliver Refresh Tokens.
When using native applications, you should probably opt for the PKCE (Proof Code for Code Exchange) Authorization Code Flow. Learn more here.
As you must have already realized by now, the OAuth Flow needs to be picked wisely to optimize your use case and address specific challenges. For example, you may have a single app that requires access tokens for various resource servers. Multiple calls to /authorize will be needed. Learn more here. Making the wrong choice can have serious security and compliance implications today.
Before getting started, you may also want to check out RFC 6749 and RFC 7636 to better understand the steps involved in implementing these flows.
Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Front-End Development.
Want more information on token exchange machine? Click the link below to contact us.