Why there are many authentication flows in OpenIddict?


I am a newbie to .NET Core Web API authentication. I've figured out that OpenIddict is one of the easy-to-use authentication services, but before I start using it I noticed there are samples with different authentication flows on GitHub. I could not find any documentation around these authentication flows, so the questions below come to mind. I'd appreciate it if someone could provide insights in this area. GitHub URL: https://github.com/openiddict/openiddict-core

  1. Why are there different flows, and which one should I use? I am guessing each flow fits a different kind of application; if so,

    a. What are the pros and cons of each flow?

    b. Are there any best practices or guidelines that help determine the right option (authentication flow) for a particular application?

Thanks in advance.


Kévin Chalet (best answer)

Why are there different flows, and which one should I use?

OpenIddict is an OAuth2/OpenID Connect server. As such, it implements all the classical core flows defined by these two specifications.

As you figured out, each flow has a different use case:

  • The client credentials grant is used when a headless client application needs to access its own resources. No user is involved in this flow, which is basically a server-to-server scenario.

  • The resource owner password credentials grant is the simplest OAuth2 flow: the client application sends a token request with the username and the password of the user and gets back an access token. This flow is sometimes considered a "legacy" flow and must not be used by third-party apps you don't manage yourself (because it's the only flow where the client knows the user credentials).

  • The code flow is the most complex OAuth2/OpenID Connect flow: it uses redirections and allows creating consent pages where the user can decide whether he wants to grant access to the client application without ever sharing his credentials with the app.

  • The implicit flow is a simplified code flow, made for browser-based apps.

For more information, you can read this blog post: http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-choosing-the-right-flows/.
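The following toy authorization server is an added illustration of the four grants the answer lists; it is not part of the original question or answer and is not OpenIddict's code. It models, in plain Python with only the standard library, what each flow sends to the server and who ends up holding the user's password: the client credentials grant carries no user at all, the password grant hands the user's password to the client, and the code and implicit flows authenticate the user at the server's authorization endpoint so the client only ever sees a code or a token. The client registry, the user table, the per-client grant allow list, and the PKCE and single-use-code checks on the code flow are assumptions added here (the answer does not discuss them); they are the hardening a practitioner would expect on a real server.

```python
import base64
import hashlib
import secrets
import time

# Constructed, in-memory registry. Assumption: this is not OpenIddict's data model,
# it only mirrors the rule that each client is allowed a specific set of grants.
CLIENTS = {
    "nightly-report-job": {"secret": "job-secret", "grants": {"client_credentials"}, "redirect_uris": set()},
    "first-party-mobile": {"secret": None, "grants": {"password"}, "redirect_uris": set()},
    "third-party-web": {"secret": "web-secret", "grants": {"authorization_code"}, "redirect_uris": {"https://app.example/cb"}},
    "browser-spa": {"secret": None, "grants": {"implicit"}, "redirect_uris": {"https://spa.example/cb"}},
}
USERS = {"alice": "correct horse battery staple"}  # constructed sample user, plaintext only for the demo

_codes = {}    # authorization code -> what it was bound to
_tokens = {}   # access token -> claims
CODE_TTL = 60  # seconds an authorization code stays valid


class OAuthError(Exception):
    """Carries an RFC 6749 error code; a real server returns it as {"error": ...}."""


def _issue_token(subject, client_id, scope):
    tok = secrets.token_urlsafe(32)
    _tokens[tok] = {"sub": subject, "client_id": client_id, "scope": scope, "exp": time.time() + 3600}
    return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600, "scope": scope}


def _authenticate_client(req):
    client = CLIENTS.get(req.get("client_id"))
    if client is None:
        raise OAuthError("invalid_client")
    # Confidential clients must prove possession of their secret; public clients have none.
    if client["secret"] is not None and not secrets.compare_digest(client["secret"], req.get("client_secret", "")):
        raise OAuthError("invalid_client")
    return client


def authorize(client_id, redirect_uri, response_type, scope, code_challenge=None, *, user, password):
    """Authorization endpoint. The resource owner authenticates here, against the server,
    so the client only receives a code (code flow) or a token (implicit flow)."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri not in client["redirect_uris"]:
        raise OAuthError("invalid_request")  # never redirect to an unregistered URI
    if password is None or USERS.get(user) != password:
        raise OAuthError("access_denied")
    if response_type == "code" and "authorization_code" in client["grants"]:
        if not code_challenge:
            raise OAuthError("invalid_request")  # PKCE is mandatory in this toy
        code = secrets.token_urlsafe(24)
        _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "sub": user,
                        "scope": scope, "challenge": code_challenge, "exp": time.time() + CODE_TTL}
        return {"redirect": f"{redirect_uri}?code={code}"}
    if response_type == "token" and "implicit" in client["grants"]:
        # Implicit: the token itself goes back in the URL fragment, no token endpoint round trip.
        tok = _issue_token(user, client_id, scope)
        return {"redirect": f"{redirect_uri}#access_token={tok['access_token']}&token_type=Bearer"}
    raise OAuthError("unsupported_response_type")


def token(req):
    """Token endpoint: dispatches on grant_type and enforces the per-client allow list."""
    client = _authenticate_client(req)
    grant = req.get("grant_type")
    if grant not in client["grants"]:
        raise OAuthError("unauthorized_client")
    if grant == "client_credentials":
        # No user involved: the subject of the token is the client itself.
        return _issue_token(req["client_id"], req["client_id"], req.get("scope", ""))
    if grant == "password":
        # The client has handled the user's password; only acceptable for first-party clients.
        pw = req.get("password")
        if pw is None or USERS.get(req.get("username")) != pw:
            raise OAuthError("invalid_grant")
        return _issue_token(req["username"], req["client_id"], req.get("scope", ""))
    if grant == "authorization_code":
        rec = _codes.pop(req.get("code"), None)  # single use: consumed even if validation fails
        if rec is None or rec["exp"] < time.time():
            raise OAuthError("invalid_grant")
        if rec["client_id"] != req["client_id"] or rec["redirect_uri"] != req.get("redirect_uri"):
            raise OAuthError("invalid_grant")
        digest = hashlib.sha256(req.get("code_verifier", "").encode()).digest()
        if base64.urlsafe_b64encode(digest).rstrip(b"=").decode() != rec["challenge"]:
            raise OAuthError("invalid_grant")  # stolen code without the verifier is useless
        return _issue_token(rec["sub"], rec["client_id"], rec["scope"])
    raise OAuthError("unsupported_grant_type")


def introspect(access_token):
    return _tokens.get(access_token)


def pkce_pair():
    verifier = secrets.token_urlsafe(32)
    challenge = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()
    return verifier, challenge


def demo():
    """Run the four flows end to end; returns the subject each issued token is bound to."""
    out = {}
    t = token({"grant_type": "client_credentials", "client_id": "nightly-report-job", "client_secret": "job-secret", "scope": "reports"})
    out["client_credentials"] = introspect(t["access_token"])["sub"]
    t = token({"grant_type": "password", "client_id": "first-party-mobile", "username": "alice", "password": USERS["alice"], "scope": "profile"})
    out["password"] = introspect(t["access_token"])["sub"]
    verifier, challenge = pkce_pair()
    r = authorize("third-party-web", "https://app.example/cb", "code", "profile", challenge, user="alice", password=USERS["alice"])
    code = r["redirect"].split("code=")[1]
    t = token({"grant_type": "authorization_code", "client_id": "third-party-web", "client_secret": "web-secret",
               "code": code, "redirect_uri": "https://app.example/cb", "code_verifier": verifier})
    out["authorization_code"] = introspect(t["access_token"])["sub"]
    r = authorize("browser-spa", "https://spa.example/cb", "token", "profile", user="alice", password=USERS["alice"])
    out["implicit"] = introspect(r["redirect"].split("#access_token=")[1].split("&")[0])["sub"]
    return out


if __name__ == "__main__":
    print(demo())
```

The per-client `grants` set is the part worth copying: it is what stops a third-party client from quietly switching to the password grant, and it is the server-side expression of the answer's advice that the password flow is for apps you manage yourself.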