Client credentials for application access Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with no secret.
Each use case is described in detail below. Web Server Apps Web server apps are the most common type of application you encounter when dealing with OAuth servers. Web apps are written in a server-side language and run on a server where the source code of the application is not available to the public.
This means the application is able to use its client secret when communicating with the authorization server, which can help avoid some attack vectors. Authorization Create a "Log In" link sending the user to: You can typically store the state value in a cookie or session, and compare it when the user comes back. This ensures your redirection endpoint isn't able to be tricked into attempting to exchange arbitrary authorization codes. Token Exchange Your server exchanges the auth code for an access token: Note that the service must require apps to pre-register their redirect URIs.
Single-Page Apps Single-page apps or browser-based apps run entirely in the browser after loading the source code from a web page. Since the entire source code is available to the browser, they cannot maintain the confidentiality of their client secret, so the secret is not used in this case. The flow is exactly the same as the authorization code flow above, but at the last step, the authorization code is exchanged for an access token without using the client secret.
Previously, it was recommended that browser-based apps use the "Implicit" flow, which returns an access token immediately and does not have a token exchange step. In the time since the spec was originally written, the industry best practice has changed to recommend that the authorization code flow be used without the client secret. This provides more opportunities to create a secure flow, such as using the state parameter.
You can typically store the state value in a cookie, and compare it when the user comes back. Because of this, mobile apps must also use an OAuth flow that does not require a client secret. There are some additional concerns that mobile apps should keep in mind to ensure the security of the OAuth flow.
Previously, it was recommended that mobile and native apps use the Implicit grant. In the time since the spec was originally written, the industry best practice has changed to recommend using the authorization code flow with no secret for native apps. There are some additional recommendations for native apps that are worth reading as well. Authorization Create a "Log in" button sending the user to either the native app of the service on the phone, or a mobile web page for the service.
On iPhone, apps can register a custom URI scheme such as "facebook: First, create a "code verifier" which is a random string that the app stores locally. Note that your redirect URI will probably look like fb Using a Web Browser If the service does not have a native application, you can launch a mobile browser to the standard web authorization URL. Note that you should never use an embedded web view in your own application, as this provides the user no guarantee that they are actually are entering their password in the service's website rather than a phishing site.
You should either launch the native mobile browser, or use the new iOS "SafariViewController" to launch an embedded browser in your application.
This API was added in iOS 9, and provides a mechanism to launch a browser inside the application that both shows the address bar so the user can confirm they're on the correct website, and also shares cookies with the real Safari browser. It also prevents the application from inspecting and modifying the contents of the browser, so can be considered secure. The token exchange will look the same as exchanging the code in the web server app case, except that the secret is not sent.
If the server supports PKCE, then you will need to include an additional parameter as described below. If the server supports PKCE, then the authorization server will recognize that this code was generated with a code challenge, and will hash the provided plaintext and confirm that the hashed version corresponds with the hashed string that was sent in the initial authorization request. This ensures the security of using the authorization code flow with clients that don't support a secret.
Other Grant Types Password OAuth 2 also provides a "password" grant type which can be used to exchange a username and password for an access token directly.
Since this obviously requires the application to collect the user's password, it must only be used by apps created by the service itself. For example, the native Twitter app could use this grant type to log in on mobile or desktop apps.
To use the password grant type, simply make a POST request like the following: Note, the client secret is not included here under the assumption that most of the use cases for password grants will be mobile or desktop apps, where the secret cannot be protected. Application access In some cases, applications may need an access token to act on behalf of themselves rather than a user.
For example, the service may provide a way for the application to update their own information such as their website URL or icon, or they may wish to get statistics about the users of the app. In this case, applications need a way to get an access token for their own account, outside the context of any specific user.
To use the client credentials grant type, make a POST request like the following: Making Authenticated Requests The end result of all the grant types is obtaining an access token. Now that you have an access token, you can make requests to the API.
HTTPS is the only thing protecting requests from being intercepted or modified. Differences from OAuth 1. The result represented the best solution based on actual implementation experience. However, after several years of working with the protocol, the community learned enough to rethink and improve the protocol in three main areas where OAuth 1. Authentication and Signatures The majority of developers' confusion and annoyance with OAuth 1. Losing the ability to easily copy and paste cURL examples made it much more difficult to get started quickly.
User Experience and Alternative Authorization Flows OAuth includes two main parts, obtaining an access token, and using the access token to make requests. OAuth 2 supports a better user experience for native applications, and supports extending the protocol to provide compatibility with future device requirements.
Performance at Scale As larger providers started to use OAuth 1. Many steps require state management and temporary credentials, which require shared storage and are difficult to synchronize across data centers.
OAuth 2 supports the separation of the roles of obtaining user authorization and handling API calls. Larger providers needing this scalability are free to implement it as such, and smaller providers can use the same server for both roles if they wish.