Access Grant Types

The most important step for an application in the OAuth flow is how the application receives an access token (and optionally a refresh token). A grant type is the mechanism used to retrieve the token. OAuth defines several different access grant types that represent different authorization mechanisms.

Applications can request an access token to access protected endpoints in different ways, depending on the type of grant type specified in the client application. A grant is a credential representing the resource owner's authorization to access a protected resource. Trusted applications (such as backend services) may request access tokens directly on behalf of users. This is an OAuth two-legged authorization flow. OAuth web applications typically need to first validate the user's identity and optionally obtain the user's consent. This is an OAuth three-legged authorization flow.

For example, when using the Resource Owner grant type, the resource owner's password credentials (username and password) can be used directly as an authorization grant to obtain an access token. When using the Client Credentials grant type, the client authenticates with the OAuth service, and then requests an access token. When using the Assertion grant, a user assertion is sent along with the client information when requesting access.