How Do I Use Authorization Grants?

In Oracle Cloud, an OAuth client makes a Representational State Transfer (REST) API call to access a protected service. As an administrator, when you secure cloud services, follow the guidelines to decide which type of authorization grant is suitable. An authorization grant is a credential representing the resource owner's authorization to access its protected resource. The authorization grant is used by the OAuth client to obtain an access token.

Oracle Cloud supports the following grant types:

• Resource owner password credentials grant

• Client credentials grant

• User assertion grant

Guidelines to Choose an OAuth Workflow

Use the following guidelines to determine which workflow or grant type to use:

Use the resource owner password credentials workflow when:

• The OAuth clients are confidential clients.

• The resource owner has a trust relationship with the client.

• The client application doesn’t need to store the credentials of the resource owner within the application or on the device.

Using the resource owner password credentials workflow, there are two ways to request an access token:

• By sending a simple client header in the token request in addition to the user’s credentials. If you don’t want to use a client assertion, but just the user’s credentials with a basic client header, then see Obtain an Access Token by Using the User Credentials Without a Client Assertion.

• By using a client assertion in addition to the user’s credentials. To use the client token and the user’s credentials to request an access token, see Obtain an Access Token by Using the User Credentials and a JWT Client Assertion.

Using the client credential workflow, there are two ways to request an access token:

• By using a simple client header. If you want to use a simple client header, then see Obtain an Access Token by Using the Client Authorization Header.

• By using a client assertion. After you’ve a self-assigned client assertion, see Obtain an Access Token by Using a Self-Signed Client Assertion to request an access token.

Use the user assertion workflow when:

• The OAuth clients are confidential clients.

• The user’s credentials should never be accessible to the client application.

• The OAuth clients are trusted to assert a user identity on behalf of the user.

Using the user assertion workflow, there are two ways to request an access token:

• By using a user assertion with a simple client header. If you want to use a simple client header with a self-signed user assertion, then see Obtain an Access Token by Using a Self-Signed User Assertion and the Client Credentials to request an access token.

• By using a user assertion with a client assertion. If you do not have a user token, you first need to build one. If you want to use a client assertion, but don’t have a client token yet, then build your own assertion. After you have a client token and a self-assigned user assertion, see Obtain an Access Token by Using a Self-Signed User Assertion and a Client Assertion to request an access token.