OAuth 2.0 Grant Flows


Animated diagrams of the grant flows defined in OAuth 2.0 (RFC 6749), showing step by step how each flow proceeds.

The Three Major Grant Flows

Authorization Code Grant Flow

This is the most popular grant flow.

A client obtains an access token from an authorization server using an “authorization code” that the authorization server issued with the consent of the resource owner (end user).

Refresh Token Grant Flow

This grant flow is defined for refreshing previously issued access tokens (and refresh tokens).

A client obtains an access token (and a new refresh token) from an authorization server using a refresh token previously obtained using other grant flows.

Client Credentials Grant Flow

This grant flow is defined for clients acting on their own behalf, with no end user involved.

A client obtains an access token from an authorization server using its own credentials (e.g. a client ID and client secret pair, a client certificate, or a SAML assertion).

Standardized but Obsolete Grant Flows

Implicit Grant Flow

This grant flow is defined (but not recommended for use today) for clients running on Web browsers.

An authorization server issues an access token to a client on a Web browser that a resource owner (end user) is using, with the resource owner’s consent.

Resource Owner Password Credentials Grant Flow

This grant flow is defined (but not recommended for use today) as a migration path to OAuth 2.0 for existing services that control API access with end users' ID and password pairs.

A client obtains an access token from an authorization server using an ID and password pair that the resource owner (end user) shares with the client.
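The token-endpoint side of four of the flows above (authorization code, refresh token, client credentials and resource owner password credentials), as an added example that is not part of the original page and not the code of any real authorization server: an in-memory authorization server in Python, with client-side functions that walk through each exchange. Client IDs, secrets, the redirect URI, the user account and the token lifetimes are constructed for illustration. Beyond the sequence the page describes, the server applies the checks RFC 6749 requires of a real implementation: the code is single-use and bound to the client and redirect URI (section 4.1.3), the client verifies the `state` value on the redirect (section 10.12), and a used refresh token is rotated out.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthorizationServer:
    """In-memory authorization server with an authorization endpoint and a token endpoint."""

    def __init__(self):
        # Registered clients: client_id -> (client_secret, registered redirect URIs); constructed values
        self.clients = {
            "web-app": ("s3cret-web", {"https://client.example/cb"}),
            "batch-job": ("s3cret-batch", set()),     # machine client: no user, no redirect
            "legacy-app": ("s3cret-legacy", set()),   # client migrated from ID/password API access
        }
        # Resource owners for the password grant (toy username-salted SHA-256; use a slow hash for real)
        self.users = {"alice": self._hash("alice", "correct horse")}
        self.codes = {}           # authorization code -> {client_id, redirect_uri, scope, exp}
        self.refresh_tokens = {}  # refresh token -> (client_id, scope)

    @staticmethod
    def _hash(username, password):
        return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()

    def authorize(self, params, user_consented):
        """Authorization endpoint: redirect back with a short-lived, single-use code (or an error)."""
        client_id, redirect_uri, state = params["client_id"], params["redirect_uri"], params["state"]
        if redirect_uri not in self.clients[client_id][1]:
            raise ValueError("redirect_uri is not registered for this client")
        if not user_consented:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": params["scope"], "exp": time.time() + 60}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def _issue(self, client_id, scope, with_refresh):
        resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": scope}
        if with_refresh:
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh_tokens[resp["refresh_token"]] = (client_id, scope)
        return resp

    def token(self, form, client_id, client_secret):
        """Token endpoint: authenticate the client, then dispatch on grant_type."""
        known = self.clients.get(client_id)
        if known is None or not secrets.compare_digest(known[0], client_secret):
            raise PermissionError("invalid_client")
        grant = form["grant_type"]
        if grant == "authorization_code":
            entry = self.codes.pop(form["code"], None)  # pop: a code can be redeemed only once
            if (entry is None or entry["exp"] < time.time() or entry["client_id"] != client_id
                    or entry["redirect_uri"] != form["redirect_uri"]):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry["scope"], with_refresh=True)
        if grant == "refresh_token":
            entry = self.refresh_tokens.pop(form["refresh_token"], None)  # rotation: old token dies
            if entry is None or entry[0] != client_id:
                raise PermissionError("invalid_grant")
            return self._issue(client_id, entry[1], with_refresh=True)
        if grant == "client_credentials":
            # No resource owner is involved, so no refresh token is issued (RFC 6749 section 4.4.3)
            return self._issue(client_id, form.get("scope", ""), with_refresh=False)
        if grant == "password":
            expected = self.users.get(form["username"])
            given = self._hash(form["username"], form["password"])
            if expected is None or not secrets.compare_digest(expected, given):
                raise PermissionError("invalid_grant")
            return self._issue(client_id, form.get("scope", ""), with_refresh=True)
        raise ValueError("unsupported_grant_type")


def authorization_code_flow(server, consent=True):
    """Client side: send the user to the authorization endpoint, verify state on the way back,
    then redeem the code at the token endpoint."""
    state = secrets.token_urlsafe(16)
    request = {"response_type": "code", "client_id": "web-app", "scope": "read",
               "redirect_uri": "https://client.example/cb", "state": state}
    redirect = server.authorize(request, user_consented=consent)  # round trip via the browser
    query = parse_qs(urlparse(redirect).query)
    if query.get("state", [None])[0] != state:  # drop redirects this client did not initiate
        raise RuntimeError("state mismatch")
    if "error" in query:
        return None
    return server.token({"grant_type": "authorization_code", "code": query["code"][0],
                         "redirect_uri": request["redirect_uri"]}, "web-app", "s3cret-web")


def refresh_token_flow(server, refresh_token):
    return server.token({"grant_type": "refresh_token", "refresh_token": refresh_token},
                        "web-app", "s3cret-web")


def client_credentials_flow(server):
    return server.token({"grant_type": "client_credentials", "scope": "report:write"},
                        "batch-job", "s3cret-batch")


def password_flow(server, username, password):
    # The client itself handles the end user's password, which is why this grant is discouraged today
    return server.token({"grant_type": "password", "username": username, "password": password},
                        "legacy-app", "s3cret-legacy")
```

Running `authorization_code_flow` followed by `refresh_token_flow` on the same server shows the rotation: the second call returns a fresh access and refresh token, and presenting the first refresh token again is rejected with `invalid_grant`. `client_credentials_flow` returns no refresh token at all, and the implicit flow is absent because it never touches the token endpoint.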