
I have a webservice and several client apps (android and ios apps and a webapp) that consume the information in that webservice.

I want to authenticate the clients in the webservice using OAuth 2.0, but I don't know which of the four grant types is the recommended one for this case.

According to RFC 6749 (https://www.rfc-editor.org/rfc/rfc6749#section-1.3) there are four grant types:

  1. Authorization Code (appears to be the worst, because it has two phases)
  2. Implicit
  3. Resource Owner Password Credentials
  4. Client Credentials

Which type is recommended in this case?


1 Answer

  • If your client app is implemented in a browser using a scripting language (JS, AngularJS...), I recommend using the Implicit Grant type.
  • If your client is able to support redirections (a PHP web site, for example), I recommend using the Authorization Code Grant type: the client directs the resource owner to an authorization server, which in turn directs the resource owner back to the client with the authorization code.
  • If your app cannot support redirection, you can use the Resource Owner Password Credentials grant. But it requires direct access to the credentials of the user, and many resource servers do not allow that grant type in order to protect those credentials.

Note that Client Credentials Grant Type is used when the client is the resource owner.
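The Authorization Code redirection sequence described in the answer, written out as a minimal client-side flow with the `state` check that ties the callback back to the request the client started. This is an added example, not code from the question or the answer; the endpoints, client id and redirect URI are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder endpoints and client registration; not a real server.
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
TOKEN_ENDPOINT = "https://auth.example.com/token"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://client.example.com/callback"


def build_authorization_request(state, scope="read"):
    """Step 1 (RFC 6749 section 4.1.1): the client directs the resource owner to
    the authorization server. `state` is a random value the client keeps in the
    user's session so the callback can be matched to this request (CSRF defence)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def handle_callback(redirect_url, expected_state):
    """Step 2 (section 4.1.2): the authorization server redirects the resource
    owner back to the client with `code`. Reject the callback unless `state`
    matches what this client issued; a mismatch means the code did not come
    from a flow this client started."""
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF, discarding code")
    return query["code"][0]


def build_token_request(code):
    """Step 3 (section 4.1.3): the client exchanges the one-time code for tokens
    in a direct POST to the token endpoint (the second phase the question refers
    to). Client credentials belong in an Authorization header (section 2.3.1),
    so the client secret never appears in any redirect. Returns (url, form body)."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value used in step 1
        "client_id": CLIENT_ID,
    }
    return TOKEN_ENDPOINT, body
```

The redirect in step 2 is the reason this grant needs a client that can receive redirections, as the answer says; the code itself is short-lived and useless without the step 3 exchange.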