2.1 Selecting the Authorization Grant Type

Tokens (access, refresh, and ID tokens) are the key to using OAuth 2.0 and OpenID Connect.

The OAuth protocol provides several ways to obtain these tokens. Choose the authorization grant type that fits your business requirements. For the security requirements of each grant type, see OAuth 2.0 Security Best Current Practice.

| Authorization Grant | Type of Application |
| --- | --- |
| Authorization Code | Server-side applications |
| Authorization Code with PKCE | Native applications (mobile applications, desktop applications); web applications |
| Implicit | Single-page applications, where navigation between different screens of the website is performed without loading a different web page in the browser (for example, Gmail); applications that run on the user's device, such as mobile apps; web applications that do not require high security (applications that require high security should use the authorization code flow) |
| Resource Owner Password Credentials | Highly trusted applications, or applications owned by the service itself, such as a mobile application; legacy applications migrating to OAuth |
| Client Credentials | Headless clients; batch processing scripts |
| SAML 2.0 Bearer Grant | Applications that already hold SAML assertions and need to access OAuth-protected resources |
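The following worked example is added here and is not code from this documentation or from any particular authorization server; it shows the Authorization Code with PKCE grant from the table, which the cited Security Best Current Practice recommends for native and browser-based clients in preference to the implicit and resource owner password credentials grants. It implements the client side (code verifier, S256 code challenge, authorization and token requests per RFC 7636) and the check the authorization server performs at the token endpoint. The endpoint URLs, client ID and redirect URI are assumed placeholder values.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholder endpoints; real values come from the authorization
# server's discovery document (e.g. .well-known/openid-configuration).
AUTHZ_ENDPOINT = "https://as.example.com/oauth2/authorize"
TOKEN_ENDPOINT = "https://as.example.com/oauth2/access_token"


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes -> 43 chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request(client_id: str, redirect_uri: str, scope: str,
                                verifier: str, state: str) -> str:
    """Front-channel request: only the challenge leaves the client, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def build_token_request(code: str, redirect_uri: str, client_id: str,
                        verifier: str) -> dict:
    """Back-channel request body (form-encoded POST to TOKEN_ENDPOINT) that reveals the verifier."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": verifier,
    }


def server_verify_pkce(stored_challenge: str, stored_method: str,
                       presented_verifier: str) -> bool:
    """Authorization server check at the token endpoint.

    The server stored (challenge, method) with the authorization code; a stolen
    code is useless without the verifier that hashes to that challenge.
    """
    if stored_method != "S256":
        return False  # the 'plain' method (or a missing one) is rejected
    if not (43 <= len(presented_verifier) <= 128):
        return False  # RFC 7636 length bounds
    expected = code_challenge_s256(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)


def simulate_flow() -> bool:
    """Run both sides of the exchange locally with constructed values."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    url = build_authorization_request("my-app", "com.example.app:/cb",
                                      "openid profile", verifier, state)
    # The server parses code_challenge from the request and stores it with the code.
    stored_challenge = code_challenge_s256(verifier)
    token_req = build_token_request("constructed-auth-code", "com.example.app:/cb",
                                    "my-app", verifier)
    return "code_challenge_method=S256" in url and server_verify_pkce(
        stored_challenge, "S256", token_req["code_verifier"])


if __name__ == "__main__":
    print("PKCE exchange verified:", simulate_flow())
```

The verifier is generated per authorization request and kept only in the client's memory; the server compares the recomputed challenge in constant time so that an attacker who obtained the authorization code from the redirect cannot redeem it.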