grant_type in Spring-Security-OAuth2

2.1k views Asked by At

I am new to OAuth2 concept.I ahve to implement this in my application. This application provides REST APIs. I follwed some tutorial ,done some research and kind of implemented it in working state in my application.

But while doing some search I read about different type of grant_type in OAuth2. I tried to learn about that but didn't get actual differences and which should I use for securing REST APIs. So I want to know that for grant_type types "password","client_credential"etc which should be used and in which scenario, or which should be used for securing REST APIs?

Also at some places I found that the request for /oauth/token is different. Some places the Authorization header is given as Basic 'some_encoded_string' . And at some place it is Bearer 'some_encoded_string'. Whats the difference in these request?

Summarizing this I have 2 question -

  1. For grant_type types "password","client_credential"etc which should be used and in which scenario, or which should be used for securing REST APIs?

  2. What is the difference in ways of requesting token from /oauth/token .

Enlight my knowledge in implementing spring-security-oauth2.

1

There are 1 answers

3
Shaun the Sheep On

The grant you need to use depends on your use case and the nature of the client application accessing your resources. There isn't a grant that applies a REST APIresource in general. You'd need to provide more information on what the APIs are and how you interact with them.

If a user has to give their permissions for a client to access an API, then you would normally use an "authorization code" grant. If the client accesses the resource directly without the intervention of an end user then it would normally use the "client credentials" grant.

You should avoid using the password grant in most cases, since it means the user has to provide their username and password to the client application. If the application can use another grant, such as authorization code, then that is preferable. A trusted application, such as a native application which the user installs on their computer, would be one situation where the password grant might be used.

A client would normally use "Basic" authentication to access the token endpoint. "Bearer" authentication is use to access a protected resource (such as your API), passing the access token it obtained from the authorization server.

Why do you think you need to use OAuth2 at all? I'm curious since you say you don't understand what the grant types are for. You really need to understand this before you can make a judgement about how you would use OAuth2 or why.