OAuth2 provides several grant types for different use cases.

Authorization Code Grant

Implicit Grant

Previously, it was recommended that browser-based apps use the “Implicit” flow, which returns an access token directly in the redirect and has no token exchange step. Industry best practice has since changed: browser-based apps should use the authorization code flow without a client secret, relying on PKCE to bind the authorization code to the client that requested it.

  • https://tools.ietf.org/html/rfc8252#section-8.2
  • https://oauth.net/2/pkce/

Password Grant

Client Credentials Grant

This grant is suitable for machine-to-machine authentication, where the client acts on its own behalf and no specific user’s permission to access data is required.

Refresh Token Grant