DEV Community

Edem Agbenyo

Types of grants in OAuth

What is OAuth?

OAuth 2.0 is an authorization framework (RFC 6749) that lets a user, the resource owner, grant a third-party application limited access to resources held by another service without handing that application their password. Two things are commonly built on it: delegated authority, which is what OAuth itself defines (a third-party application calls an API on your behalf, for example reading your friend list on a social platform), and federated identity, "log in with your social account", which strictly speaking is the job of OpenID Connect, an identity layer specified on top of OAuth 2.0. A plain OAuth access token says what an application may do, not who the user is; treating one as proof of identity is a well-known class of login mistakes, which is why the identity use case needs the OpenID Connect ID token.

RFC 6749 defines four grant types (authorization code, implicit, resource owner password credentials and client credentials), and extensions such as the device code grant add more. This post covers the two that redirect the user's browser to the authorization server, classified by the kind of client that talks to the authorization and resource servers: the authorization code grant (server-side workflow, for confidential clients that can keep a secret) and the implicit grant (client-side workflow, for public clients that run entirely in the browser).

Authorization Code Grant Type

The natural candidate for this grant is a confidential client: an application with a server-side component, such as a classic three-tier client-server-database web app, that can hold a client secret out of reach of the user's browser. What matters is not database access but that the browser never sees the client secret or the access token. Four parties take part: the resource owner (the user), the client (the web application), the authorization server and the resource server. The flow runs as follows:

  • The end user (resource owner) tries to grant a web application access to their resources (e.g. their list of friends) on Facebook.
  • The web application redirects the user's browser to Facebook's authorization endpoint with response_type=code, its client_id, its registered redirect_uri, the requested scope and a random state value. Facebook presents a consent screen stating the permissions the application is asking for on the user's behalf.
  • The user accepts the consent form, and Facebook redirects the browser back to the registered redirect_uri carrying a short-lived, single-use authorization code together with the state, which the application must compare with the value it sent so that an attacker cannot inject a callback of their own (CSRF).
  • The web application sends the authorization code, the redirect_uri and its client ID and client secret to the authorization server's token endpoint over a back channel (server to server, never through the browser).
  • The authorization server validates the code and the client credentials and responds with an access token (and optionally a refresh token). The application presents the access token as a bearer credential to the resource server, in this case to read the user's list of friends.
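The five steps above, as an added worked example (not code from the original post and not any provider's implementation): a hypothetical in-memory authorization server, resource server and confidential client in one Python file. The endpoint URLs, client_id, client secret, redirect_uri and the friend list are all constructed. It shows the two details the list glosses over: the state parameter that ties the callback to the user's session, and the single-use code, where a second redemption fails and revokes the token issued the first time.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# --- Authorization server: hypothetical in-memory model, not any real provider ---
REGISTERED_CLIENTS = {
    "web-app-123": {"secret": "example-client-secret",
                    "redirect_uri": "https://app.example/callback"},
}
_codes = {}             # code -> record; codes are short-lived and single-use
_active_tokens = set()  # tokens the resource server currently accepts


def as_authorize(client_id, redirect_uri, scope, state):
    """Front channel: runs after the resource owner approves the consent screen.
    Returns the URL the user's browser is redirected back to."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("unknown client_id or redirect_uri not registered")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scope": scope, "expires": time.time() + 60, "token": None}
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def as_token(client_id, client_secret, code, redirect_uri):
    """Back channel (token endpoint): code + client credentials -> access token."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    rec = _codes.get(code)
    if (rec is None or rec["expires"] < time.time()
            or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri):
        return {"error": "invalid_grant"}
    if rec["token"] is not None:
        # Replay of a redeemed code: RFC 6749 section 4.1.2 says the server SHOULD
        # revoke tokens previously issued for that code, since the code may have leaked.
        _active_tokens.discard(rec["token"])
        return {"error": "invalid_grant"}
    access_token = secrets.token_urlsafe(32)
    rec["token"] = access_token
    _active_tokens.add(access_token)
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": 3600, "scope": rec["scope"]}


def rs_friends(access_token):
    """Resource server: returns the (constructed) friend list for a live bearer token."""
    if access_token not in _active_tokens:
        return None  # a real server would answer 401 with WWW-Authenticate: Bearer
    return ["alice", "bob"]


# --- Client: a server-side web application (confidential client) ---
CLIENT_ID, CLIENT_SECRET = "web-app-123", "example-client-secret"
REDIRECT_URI = "https://app.example/callback"


def client_flow():
    """Runs the five steps of the grant and returns what each produced."""
    state = secrets.token_urlsafe(16)  # stored in the user's session; checked on callback
    authorize_url = "https://auth.example/authorize?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "friends:read", "state": state})
    # Steps 1-3: browser goes to authorize_url, user approves, browser returns with a code.
    callback = as_authorize(CLIENT_ID, REDIRECT_URI, "friends:read", state)
    params = parse_qs(urlparse(callback).query)
    if params.get("state", [None])[0] != state:
        raise RuntimeError("state mismatch: callback was not initiated by this session")
    code = params["code"][0]
    # Step 4: server-to-server exchange; the secret never reaches the browser.
    tok = as_token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI)
    # Step 5: bearer token presented to the resource server.
    friends = rs_friends(tok.get("access_token"))
    return {"authorize_url": authorize_url, "code": code, "token": tok, "friends": friends}


if __name__ == "__main__":
    result = client_flow()
    print("friends:", result["friends"])
    # Redeeming the same code again fails and revokes the first token.
    print(as_token(CLIENT_ID, CLIENT_SECRET, result["code"], REDIRECT_URI))
    print(rs_friends(result["token"]["access_token"]))
```

The code expiry of 60 seconds, the exact-match check on redirect_uri and the revoke-on-replay behaviour are the checks a real token endpoint is expected to perform; if the provider you integrate with skips any of them, a leaked code is worth far more to an attacker than it should be.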

Implicit Grant Type

This grant type was designed for public clients: browser-based applications written only in HTML, CSS and JavaScript, with no server of their own to run them. Such an application cannot keep a client secret, because anything shipped to the browser can be read by whoever is sitting at it, so the authorization server issues it an access token directly instead of an authorization code.

Because there is no secret to present, the token-exchange step is skipped and the workflow is shorter than the authorization code grant:

  • The end user (resource owner) tries to grant a browser application access to their list of friends on Facebook.
  • The application redirects the browser to Facebook's authorization endpoint with response_type=token, its client_id, redirect_uri, scope and a state value; Facebook presents the consent screen stating the permissions the application is asking for on the user's behalf.
  • The user accepts the consent form, and Facebook redirects the browser back to the redirect_uri with the access token in the URL fragment (after the #), where the application's JavaScript reads it. No client secret is involved at any point.
  • The application uses the access token to get the list of friends from the user's Facebook account.

Because the token travels in the URL, it is exposed to browser history, to referrer leakage and to any script running on the page, and the authorization server has no way to tell the genuine client from an attacker who can get a redirect to the same origin. For these reasons the OAuth 2.0 Security Best Current Practice (RFC 9700) and the OAuth 2.1 draft drop the implicit grant: public clients should use the authorization code grant with PKCE (RFC 7636), which replaces the client secret with a per-request proof that only the party that started the flow can supply.
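Both options for a public client, as an added example (not the post's own code and not any provider's API): how a browser app builds the implicit request and reads the token out of the fragment, and next to it the PKCE (RFC 7636) verifier/challenge mechanism with which the authorization code grant replaces the missing client secret. The endpoints, client_id and redirect_uri are hypothetical, and the callback URL in the demo is constructed to look like what an authorization server would redirect to.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical endpoint and client registration; no real provider is modelled.
AUTHORIZE_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "spa-456"                        # a public client: no secret can be kept
REDIRECT_URI = "https://spa.example/callback"


# --- Implicit grant: the access token is returned in the URL fragment ---
def implicit_authorize_url(scope, state):
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "token", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})


def parse_implicit_callback(url, expected_state):
    """What the page's JavaScript does on return. The token sits after '#', so the
    browser does not send it to the server hosting the page, but it is visible to
    every script on that page, to browser history and to anything that copies the URL."""
    frag = parse_qs(urlparse(url).fragment)
    if frag.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch")
    return {"access_token": frag["access_token"][0],
            "token_type": frag["token_type"][0],
            "expires_in": int(frag["expires_in"][0])}


# --- Authorization code + PKCE (RFC 7636): what public clients should use instead ---
def s256_challenge(verifier):
    """code_challenge = BASE64URL(SHA256(code_verifier)) with the '=' padding removed."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """code_verifier: 43-128 random unreserved characters, kept in the client only.
    Only the derived challenge goes out in the front-channel authorize request."""
    verifier = secrets.token_urlsafe(64)  # 86 chars from [A-Za-z0-9_-]
    return verifier, s256_challenge(verifier)


def pkce_authorize_url(scope, state, challenge):
    return AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256"})


def as_verify_pkce(stored_challenge, presented_verifier):
    """Authorization server check at the token endpoint: whoever redeems the code must
    present the verifier matching the challenge stored with that code. A stolen code
    without the verifier is useless, which is the property the client secret gave
    confidential clients."""
    return secrets.compare_digest(s256_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(implicit_authorize_url("friends:read", state))
    # Constructed callback, shaped like an authorization server's implicit redirect:
    cb = f"{REDIRECT_URI}#access_token=tok123&token_type=Bearer&expires_in=3600&state={state}"
    print(parse_implicit_callback(cb, state))
    verifier, challenge = make_pkce_pair()
    print(pkce_authorize_url("friends:read", state, challenge))
    print(as_verify_pkce(challenge, verifier))  # True
```

In a real single-page app the verifier and state are kept in session storage between the redirect out and the redirect back, and the token endpoint is called with the code and the verifier from the browser over CORS; the authorization server then still issues the token on the back channel response rather than in a URL.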

Conclusion

OAuth 2.0 is the standard way to let one party access another party's resources on a user's behalf without sharing credentials. The authorization code grant, used by confidential clients and, with PKCE, by public clients as well, is the flow to reach for; the implicit grant is worth understanding because it still appears in older integrations, but it is no longer recommended for new ones. For "log in with ..." use cases, pair OAuth 2.0 with OpenID Connect rather than treating an access token as proof of identity. With the popularity of social platforms, these flows are the foundation of most applications that interact with them.
