0 votes

We have a client that wants to call our web services from their system. We are not authenticating the client system user, but only the client company. (Yes - OAuth2 is for authorization, but we would use OpenID Connect.) The client wants to access our services using JavaScript (jQuery).

My analysis of the grant types (below) doesn't give me a clear answer.

Authorization Code: This requires a delegated client login (i.e. the user logs in at a page).
Implicit: This also requires a delegated client login, but is the recommended model for browser-based calls.
Password: Log in via username and password. Possible candidate; least secure.
Client Credentials: This seems to be the one recommended for the app client, but sending the client secret over jQuery does not seem secure.

This seems like it would be a common case in B2B web services, but the spec did not give me a clear answer.

Which is the appropriate grant type to use in this case? Thanks.

1 Answer

0 votes

I guess you should recommend that your partner create a web service to sit between the jQuery code and the outside world.

Then, this web service would retain the client secret and authenticate with your APIs via the Client Credentials OAuth flow.
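The arrangement the answer describes, as an added example that is not part of the question or the answer: a small Node.js backend that the partner's jQuery page calls, which alone holds the client secret and performs the OAuth 2.0 client_credentials grant (RFC 6749 section 4.4, with HTTP Basic client authentication per section 2.3.1) against the token endpoint. The token endpoint URL, client ID, secret, API host, scope and the session check are all made up for the example, and the network transport is replaced by an in-memory authorization server so the code runs offline.

```javascript
// Added example, not from the original post: a token-holding backend that
// sits between the browser (jQuery) and the partner's OAuth-protected API.
// Every identifier below is hypothetical.
const TOKEN_URL = 'https://auth.example.com/oauth2/token';   // hypothetical
const API_BASE = 'https://api.example.com';                  // hypothetical
const CLIENT_ID = 'partner-app';                             // hypothetical
const CLIENT_SECRET = 's3cr3t-kept-server-side-only';        // hypothetical

// RFC 6749 s2.3.1: client_id and client_secret are form-urlencoded, joined
// with ':' and base64-encoded into an HTTP Basic Authorization header.
function basicAuthHeader(id, secret) {
  const pair = `${encodeURIComponent(id)}:${encodeURIComponent(secret)}`;
  return 'Basic ' + Buffer.from(pair, 'utf8').toString('base64');
}

// The token request for the client_credentials grant (RFC 6749 s4.4.2).
// The secret travels only in this server-to-server request.
function buildTokenRequest(scope) {
  const params = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) params.set('scope', scope);
  return {
    method: 'POST',
    url: TOKEN_URL,
    headers: {
      Authorization: basicAuthHeader(CLIENT_ID, CLIENT_SECRET),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: params.toString(),
  };
}

// Caches the access token server-side and refreshes it a little before
// expires_in runs out, so browser calls do not each cost a token round trip.
// `transport` is (request) => { status, body }; synchronous here for the example.
class TokenCache {
  constructor(transport, skewSeconds = 30) {
    this.transport = transport;
    this.skew = skewSeconds;
    this.token = null;
    this.expiresAt = 0;
  }
  get(nowSeconds, scope) {
    if (this.token && nowSeconds < this.expiresAt - this.skew) return this.token;
    const res = this.transport(buildTokenRequest(scope));
    if (res.status !== 200) {
      throw new Error(`token endpoint returned ${res.status}: ${res.body.error}`);
    }
    if (String(res.body.token_type).toLowerCase() !== 'bearer') {
      throw new Error('unexpected token_type');
    }
    this.token = res.body.access_token;
    this.expiresAt = nowSeconds + Number(res.body.expires_in);
    return this.token;
  }
}

// What the jQuery front end calls. The backend first checks the browser's
// own session with the partner site (assumed: a server-issued session id),
// then builds the upstream API call with a Bearer token. Nothing returned
// toward the browser contains the client secret.
function proxyForBrowser(browserReq, sessions, cache, nowSeconds) {
  if (!sessions.has(browserReq.sessionId)) {
    return { status: 401, body: { error: 'no partner session' } };
  }
  const token = cache.get(nowSeconds, 'orders:read');   // hypothetical scope
  return {
    status: 200,
    upstream: {
      method: 'GET',
      url: `${API_BASE}${browserReq.path}`,
      headers: { Authorization: `Bearer ${token}` },
    },
  };
}

// Constructed stand-in for the authorization server's token endpoint: it
// accepts only a POST to TOKEN_URL with the correct Basic credentials and
// grant_type=client_credentials, and counts how many tokens it issued.
function makeMockAuthServer() {
  const server = { issued: 0 };
  server.handle = function (req) {
    const ok = req.method === 'POST' && req.url === TOKEN_URL &&
      req.headers.Authorization === basicAuthHeader(CLIENT_ID, CLIENT_SECRET) &&
      new URLSearchParams(req.body).get('grant_type') === 'client_credentials';
    if (!ok) return { status: 401, body: { error: 'invalid_client' } };
    server.issued += 1;
    return {
      status: 200,
      body: { access_token: `at-${server.issued}`, token_type: 'Bearer', expires_in: 3600 },
    };
  };
  return server;
}

// True if the secret appears anywhere in a response headed for the browser.
function leaksSecret(obj) {
  return JSON.stringify(obj).includes(CLIENT_SECRET);
}
```

The browser only ever talks to proxyForBrowser; the session check there is the backend's own access control, since the client_credentials grant identifies the partner company and not any end user, which matches the question's stated requirement. In a real deployment the transport would be an HTTPS client and the cache would be keyed per scope if several are used.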