OAuth grant types are designed around the nature of different clients.
The typical choice for a server-side web app and a native mobile app (both can store the client credentials, id and secret, properly):
Authorization Code
A detailed sequence diagram of what happens:
For a JavaScript SPA (single-page application), use:
PKCE - Proof Key for Code Exchange
To make sure the client is the true client, in the 2nd call to the auth server (using the client id and auth code to exchange for an access token) the client needs to send the code_verifier value that matches the code_challenge value it sent earlier.
The auth server validates this request by applying S256 to the code_verifier to get a code_challenge value and checking whether it matches the code_challenge value received in the 1st call (getting the auth code).
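As an added example (not code from the original post), both halves of the PKCE check in Python: the client generates a random code_verifier and sends its S256 code_challenge with the 1st call; the auth server stores the challenge with the auth code and, on the 2nd call, recomputes S256(code_verifier) and compares. The `AuthServer` class and its in-memory store are hypothetical stand-ins for a real authorization server.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict


# --- client side (SPA) ---
def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 verifier: 43-128 unreserved chars; 32 random bytes -> 43 chars."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(nbytes))
    return raw.rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 challenge = BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- authorization server side (hypothetical stand-in) ---
class AuthServer:
    def __init__(self) -> None:
        # constructed in-memory store: auth_code -> code_challenge
        self._pending: Dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        """1st call: remember the challenge alongside a freshly issued auth code."""
        if method != "S256":
            raise ValueError("only S256 is accepted")  # refuse the weaker 'plain' method
        code = secrets.token_urlsafe(24)
        self._pending[code] = code_challenge
        return code

    def token(self, auth_code: str, code_verifier: str) -> bool:
        """2nd call: recompute S256(verifier) and compare with the stored challenge."""
        challenge = self._pending.pop(auth_code, None)  # auth code is single-use
        if challenge is None:
            return False
        if not 43 <= len(code_verifier) <= 128:
            return False
        # constant-time comparison so the check leaks nothing about the stored value
        return hmac.compare_digest(make_code_challenge(code_verifier), challenge)
```

The known-answer pair in the test is the S256 example from RFC 7636 Appendix B.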
To make a machine-to-machine request (from a web server with no UI, such as a BFF), use:
Client Credentials
Literally, there is no auth code involved.
https://docs.google.com/presentation/d/1KEA3i0F0bhB4me1uHfXkbmuaaFeRyxo7rG0ih-MlP68/edit#slide=id.p