@aemloviji
Last active July 3, 2020 15:34
OAuth protocol flows

Flows

The grant types (usually called flows) dictate how a client application obtains an access token from the authorization server. Note that these are authorization flows: the result is a token that grants access to an API, not proof of who the user is. Each flow suits different scenarios, and not all flows are appropriate for all kinds of applications. There are two redirect-based flows and two credential-exchange flows.

Redirect flows

  • Implicit grant flow. Historically one of the most common approaches for browser-based applications: the resource owner is redirected to the authorization server and logs in there. After a successful login the user is redirected back to the client application with the access token itself carried in the redirect URL (the fragment). Because the token passes through the browser (address bar, history, referrer headers) and the client is never authenticated, this flow is now discouraged in favour of the authorization code flow with PKCE.
  • Authorization code flow. A similar approach to the above, with one twist: instead of receiving an access token on the redirect back, the client receives a short-lived, single-use authorization code, which it then trades for an access token in a direct back-channel request to the token endpoint, authenticating with its client secret. The token never transits the browser, and binding the code to a PKCE code_verifier/code_challenge pair (and checking the state parameter on the redirect) means a code observed in transit cannot be redeemed by whoever intercepted it. This adds an extra layer of security, mitigating man-in-the-middle (MITM) and code-interception attacks.

Credential flows

  • Resource owner password credentials flow. In this case the client application collects the user's username and password and sends them directly to the token endpoint in exchange for an access token. Like every OAuth flow this must run over HTTPS (TLS is a requirement of OAuth 2.0, not a recommendation): over plain HTTP the credentials are transmitted in clear text, so anyone eavesdropping on the network could steal them. Even over TLS the client handles the raw password, so this flow is only defensible for trusted first-party or internal applications, where the risk of exposing credentials to a third-party client does not arise, and current guidance is to prefer a redirect flow wherever one is possible.
  • Client credentials flow. In this flow the client trades its own client id and secret for an access token; no user is involved, which makes it the machine-to-machine case (a service calling an API on its own behalf). More on this flow in the next section.
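The following is an added example, not code from the gist or from any OAuth library: a minimal in-memory authorization server plus a client that runs the authorization code flow (with PKCE and a state check, as described under the redirect flows above) and the client credentials flow (from the credential flows list). The client id, secret, redirect URI and user names are constructed for illustration. It also shows what an attacker who captured the authorization code from the front channel gets when trying to redeem it without the client secret or the PKCE verifier, and that a code cannot be replayed once consumed.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed client registration (hypothetical values, not a real deployment).
CLIENT_ID = "web-app"
CLIENT_SECRET = "s3cr3t-example-only"
REDIRECT_URI = "https://app.example/callback"


def s256(verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(code_verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy authorization server handling the authorization_code and client_credentials grants."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}    # authorization code -> what it was bound to when issued
        self.tokens = {}   # access token -> claims

    def authorize(self, client_id, redirect_uri, state, code_challenge, user):
        """Front channel: the user has logged in; redirect back with a one-time code.
        The redirect_uri must exactly match the registered one, otherwise the code
        could be delivered to an attacker-controlled page."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "code_challenge": code_challenge, "user": user}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, client_id, client_secret, **params):
        """Back channel: authenticate the client first, then validate the grant."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret or "", client["secret"]):
            raise ValueError("invalid_client")
        if grant_type == "authorization_code":
            entry = self.codes.pop(params.get("code"), None)   # pop: a code is single use
            if (entry is None
                    or entry["client_id"] != client_id
                    or entry["redirect_uri"] != params.get("redirect_uri")
                    or s256(params.get("code_verifier") or "") != entry["code_challenge"]):
                raise ValueError("invalid_grant")
            return self._issue(subject=entry["user"], scope="api:read")
        if grant_type == "client_credentials":
            # No user involved: the token represents the client itself.
            return self._issue(subject=client_id, scope="api:read")
        raise ValueError("unsupported_grant_type")

    def _issue(self, subject, scope):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": subject, "scope": scope}
        return {"access_token": token, "token_type": "Bearer", "scope": scope}

    def introspect(self, token):
        """What a resource server would learn about the token (None if unknown)."""
        return self.tokens.get(token)


def authorization_code_flow(server, user):
    """Confidential client: authorization code grant with PKCE and a state check.
    Returns (token response, code) so the caller can demonstrate that replay fails."""
    verifier = secrets.token_urlsafe(48)
    state = secrets.token_urlsafe(16)
    location = server.authorize(CLIENT_ID, REDIRECT_URI, state, s256(verifier), user)
    query = parse_qs(urlparse(location).query)
    if query.get("state", [None])[0] != state:
        raise ValueError("state mismatch: possible CSRF on the redirect")
    code = query["code"][0]
    response = server.token("authorization_code", CLIENT_ID, CLIENT_SECRET,
                            code=code, redirect_uri=REDIRECT_URI, code_verifier=verifier)
    return response, code


def client_credentials_flow(server):
    """Machine-to-machine: the client's own id and secret are traded for a token."""
    return server.token("client_credentials", CLIENT_ID, CLIENT_SECRET)


def stolen_code_attempt(server, user, attacker_secret, attacker_verifier):
    """An attacker observed the front-channel redirect (code and state) and tries
    to redeem the code with whatever secret/verifier they hold. Returns the error."""
    verifier = secrets.token_urlsafe(48)
    location = server.authorize(CLIENT_ID, REDIRECT_URI, "ignored", s256(verifier), user)
    code = parse_qs(urlparse(location).query)["code"][0]
    try:
        server.token("authorization_code", CLIENT_ID, attacker_secret,
                     code=code, redirect_uri=REDIRECT_URI, code_verifier=attacker_verifier)
    except ValueError as exc:
        return str(exc)
    return "token issued"


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(authorization_code_flow(srv, "alice")[0])
    print(client_credentials_flow(srv))
    print(stolen_code_attempt(srv, "bob", None, "guess"))
```

The two grants differ only in the back-channel call: the authorization code grant carries a code bound to the user, the redirect URI and the PKCE challenge, while the client credentials grant carries nothing but the client's own authentication, so the resulting token's subject is the client, not a user.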

Great article about flows
