OAuth2 flows
OAuth2 defines several authorization flows (also called “grant types”) for different use cases. Each flow is optimized for a specific type of application and security requirement.
Choosing the right flow
| Application Type | Recommended Flow | Why |
|---|---|---|
| Web application (server-side) | Authorization Code with PKCE | Secure token exchange, supports refresh tokens |
| Single-page application (SPA) | Authorization Code with PKCE | PKCE protects against code interception in public clients |
| Mobile / Native application | Authorization Code with PKCE | PKCE is essential for apps that can’t securely store secrets |
| Backend service / API | Client Credentials | No user involved, service authenticates with its own credentials |
| Legacy browser application | Implicit Flow | Only for legacy apps that cannot be updated to use PKCE |
| Highly trusted first-party app | Resource Owner Password Credentials | Legacy flow for apps that need direct username/password authentication |
Available flows
- Authorization Code Flow: the recommended flow for all user-facing applications. Supports PKCE for enhanced security.
- Client Credentials Flow: for server-to-server authentication where no user is involved.
- Implicit Flow: legacy flow for browser-based apps. Deprecated in OAuth 2.1.
- Resource Owner Password Credentials: legacy flow for direct username/password authentication. Deprecated in OAuth 2.1.
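To make the "Authorization Code with PKCE" recommendation concrete, here is an added example (not code from this page or from any particular library) of the client-side PKCE steps and the matching server-side check, using only the Python standard library. The endpoint URLs, client id and redirect URI are assumed placeholders; the S256 transform itself follows RFC 7636.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed placeholder endpoints for the example; substitute your authorization server's.
AUTHORIZE_URL = "https://auth.example.com/oauth2/authorize"
TOKEN_URL = "https://auth.example.com/oauth2/token"


def make_code_verifier(num_bytes: int = 32) -> str:
    """Return a fresh high-entropy code_verifier (43-128 URL-safe chars per RFC 7636)."""
    raw = base64.urlsafe_b64encode(secrets.token_bytes(num_bytes)).rstrip(b"=")
    return raw.decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorization_url(client_id: str, redirect_uri: str, scope: str,
                            state: str, verifier: str) -> str:
    """Step 1 (client): send the user to the authorization endpoint.

    Only the challenge leaves the client; the verifier stays in the session.
    `state` is a per-request random value the client checks on the redirect.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def build_token_request(client_id: str, redirect_uri: str, code: str,
                        verifier: str) -> dict:
    """Step 2 (client): body to POST to the token endpoint after the redirect.

    No tokens travel in the URL; the code is exchanged over the back channel
    together with the verifier (plus a client secret for confidential clients).
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": verifier,
    }


def server_verify_challenge(stored_challenge: str, presented_verifier: str) -> bool:
    """Step 3 (authorization server): recompute S256 over the presented verifier
    and compare in constant time with the challenge stored alongside the code."""
    return secrets.compare_digest(stored_challenge, make_code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorization_url("example-client", "https://app.example.com/cb",
                                  "openid profile", state, verifier))
    # A code presented without the matching verifier is rejected by the server.
    challenge = make_code_challenge(verifier)
    print(server_verify_challenge(challenge, verifier))            # True
    print(server_verify_challenge(challenge, make_code_verifier()))  # False
```

The last two calls show why PKCE protects public clients: whoever obtains only the authorization code (the value that appears in the redirect URL) cannot redeem it, because the server binds the code to a challenge that only the original verifier satisfies.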
Flow comparison
| Feature | Authorization Code | Client Credentials | Implicit | ROPC |
|---|---|---|---|---|
| User authentication | Yes | No | Yes | Yes |
| Refresh tokens | Yes | No | No | Yes (always offline type) |
| PKCE support | Yes (recommended) | N/A | No | N/A |
| Client secret required | Optional (confidential clients) | Yes | No | Optional (confidential clients) |
| Token endpoint used | Yes | Yes | No | Yes |
| Tokens in URL | No (code only) | N/A | Yes | No |
| 2FA support | Yes | N/A | Yes | No |
| OAuth 2.1 compliant | Yes | Yes | No (deprecated) | No (deprecated) |
Security recommendations
- Always use PKCE with the authorization code flow, even for confidential clients
- Use short token lifetimes for implicit flow if you must use it
- Rotate client secrets regularly for confidential clients
- Validate all tokens on the receiving end (signature, issuer, audience, expiration)
- Use HTTPS for all OAuth2 communications
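The "validate all tokens on the receiving end" item lists four checks: signature, issuer, audience and expiration. The following is an added example (not from this page; standard-library Python, not any JWT library's API) of a resource server applying all four to an HS256-signed JWT access token. The shared key, issuer and audience values are constructed for the example; `mint_hs256_token` stands in for the authorization server so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values; a real deployment uses the AS's published key material.
EXAMPLE_KEY = b"example-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://auth.example.com"
EXPECTED_AUDIENCE = "https://api.example.com"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Stand-in for the authorization server: issue a compact JWS signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, key: bytes, issuer: str, audience: str, now=None):
    """Resource-server check: returns (ok, reason, claims).

    Order matters: the signature is verified before any claim is trusted,
    and the algorithm is pinned rather than read from the untrusted header.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # 1. Signature: pin the expected algorithm (rejects "none" and algorithm confusion),
    #    then compare the recomputed MAC in constant time.
    if header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    # 2. Issuer: the token must come from the authorization server we trust.
    if claims.get("iss") != issuer:
        return False, "wrong issuer", None
    # 3. Audience: a token minted for another API must not be accepted here.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "wrong audience", None
    # 4. Expiration: missing or past "exp" is rejected.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired", None
    return True, "ok", claims


if __name__ == "__main__":
    token = mint_hs256_token(
        {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1",
         "exp": int(time.time()) + 300},
        EXAMPLE_KEY,
    )
    print(validate_token(token, EXAMPLE_KEY, EXPECTED_ISSUER, EXPECTED_AUDIENCE))
```

The same four checks apply to RS256/ES256 tokens; only the signature step changes (verify against the issuer's published public key instead of a shared HMAC key). Short lifetimes, as the list recommends for the implicit flow, only help if the `exp` check is actually enforced on every request.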