Which OAuth 2.0 Flow Should I Use? (fleeting)
- External reference: https://auth0.com/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use
Is the Client the Resource Owner?
The first decision point is whether the party that requires access to resources is a machine. In the case of machine-to-machine authorization, the Client is also the Resource Owner, so no end-user authorization is needed and the Client Credentials Flow applies.
If the Client is a regular web app executing on a server, then the Authorization Code Flow is the flow you should use. With this flow the Client can retrieve an Access Token and, optionally, a Refresh Token.
Is the Client absolutely trusted with user credentials?
If it is, this decision point may result in the Resource Owner Password Credentials Grant, in which the Client collects the user's credentials directly.
If the Client is a Single-Page App (SPA),
If the Application is a native app, then use the Authorization Code Flow with Proof Key for Code Exchange (PKCE).
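As an added example (not part of the Auth0 page or of this note), the PKCE step that lets native apps and SPAs use the Authorization Code Flow safely, following RFC 7636: the client keeps a random code_verifier, sends only its S256 code_challenge with the authorization request, and proves possession of the verifier at the token endpoint. Parameter names are the RFC's; the server-side check is a simplified stand-in for an authorization server's token-endpoint logic.

```python
"""PKCE (RFC 7636) client-side generation and server-side verification.

Added example; it assumes nothing beyond the Python standard library.
"""
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier, 43..128 unreserved characters.

    32 random bytes encode to exactly 43 characters, the RFC minimum.
    """
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Client side, S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorize_params(client_id: str, redirect_uri: str, verifier: str) -> dict:
    """Query parameters for the authorization request; the verifier itself
    never leaves the client, only its challenge does."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }


def server_verify(stored_challenge: str, presented_verifier: str,
                  method: str = "S256") -> bool:
    """Authorization server side, at the token endpoint.

    Recomputes the challenge from the verifier presented with the
    authorization code and compares it (constant time) with the challenge
    stored when the code was issued. Only S256 is accepted: the 'plain'
    method exposes the verifier in the authorization request and is refused.
    A stolen authorization code is useless without the matching verifier.
    """
    if method != "S256" or not (43 <= len(presented_verifier) <= 128):
        return False
    expected = make_code_challenge(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)
```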