OAuth 2 and OpenID Connect define several grant types: request flows by which a client application obtains an authorization grant in the form of an access token.
- Authorization code grant type
- Implicit grant type
- Password grant type
- Client credentials grant type
- Refresh token grant type
The first two grant types, the authorization code grant type and the implicit grant type, involve the authorization endpoint, which is responsible for presenting a login and approval interface to the end user. The authorization endpoint also creates a persisted session for the user and stores consent records, which represent the user’s consent to grant access to client applications. Either the authorization code grant type or the implicit grant type must be used if advanced authentication features such as multi-factor authentication or account recovery are desired.
The remaining grant types solely use the token endpoint, an API endpoint not intended for direct end user interaction. These grant types are generally used in special cases to satisfy particular requirements.
In all cases, HTTPS must be used to ensure the confidentiality and integrity of requests and responses.
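As an added example (not code from the original page), the following Python sketch shows which endpoint each grant type touches, the request each one builds, the `state` check on the callback of the authorization code grant, and the HTTPS requirement enforced on both endpoints. The endpoint URLs, client identifiers and callback values are constructed placeholders.

```python
# Added example, not from the original page: front-channel and back-channel
# requests per OAuth 2 grant type, with an HTTPS check on both endpoints.
# Endpoint URLs and client values below are constructed placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://as.example.com/authorize"  # placeholder
TOKEN_ENDPOINT = "https://as.example.com/token"      # placeholder

# grant type -> endpoints it touches; only the first two use the authorization endpoint
ENDPOINTS = {
    "authorization_code": ("authorize", "token"),
    "implicit": ("authorize",),
    "password": ("token",),
    "client_credentials": ("token",),
    "refresh_token": ("token",),
}


def require_https(url):
    """Reject any endpoint that is not served over TLS."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"endpoint must use https: {url}")
    return url


def authorization_request(grant, client_id, redirect_uri, scope):
    """Build the browser redirect for a grant that involves the authorization endpoint.
    Returns the URL and the state value the client must remember for the callback."""
    response_type = {"authorization_code": "code", "implicit": "token"}[grant]
    state = secrets.token_urlsafe(16)  # fresh per request; verified on the callback
    params = {"response_type": response_type, "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return require_https(AUTHZ_ENDPOINT) + "?" + urlencode(params), state


def parse_callback(redirect_url, expected_state):
    """Extract the authorization code from the callback, rejecting a state mismatch."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to our request")
    return q["code"][0]


def token_request(grant, client_id, **fields):
    """Build the form body sent to the token endpoint; grant_type selects the grant."""
    if "token" not in ENDPOINTS[grant]:
        raise ValueError(f"{grant} grant never calls the token endpoint")
    require_https(TOKEN_ENDPOINT)
    return {"grant_type": grant, "client_id": client_id, **fields}
```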