OAuth 2.0 is a protocol to allow applications limited access to remote resources, HTTP services like a REST WebAPI or WCF, on behalf of the resource owner or itself. The specification outline multiple workflows and understanding the differences and scenarios each apply is somewhat challenging. I hope to summarize the OAuth 2 flows and explain how to use each flow.
Authorization Code Flow
The Authorization Code flow is the first core workflow described in the specification. In the Authorization Code flow the client application initiates the workflow by directing the resource owner to a “user agent” which interacts with the authorization server to validate the user credentials. It’s important to understand the “user agent” is a vague term meant to describe a separation between the client application and the resource owner credentials. The “user agent” is an abstract concept that is one of many things; a common example is a browser but the Web Authentication Broker available Windows Store Applications serves the same purpose.
After the Authorization server validates the user credentials the “user agent” requests a “code” and gives this code to the client application. The client requests an access token from the authorization server by sending the “code”, its client ID, and client secret. The authorization server will validate the client and issue an access token to allow the client to make requests to the resource server on behalf of the user.
Implicit Grant Flow
Resource Owner Credentials Flow
In the Resource Owner Credentials flow the client application captures the user credentials and requests an access token from the authorization server. The client will pass along the user credentials and the authorization server will issue an access token after the validating the credentials. If the client needs to authenticate itself, it will include the client ID and secret in the request. The specification suggests this flow be used when “the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.”
Client Credentials Flow
The last of the core flows is the Client Credentials flow. Here the client can request an access token using only its client credentials when it is requesting access to protected resources under its control. In this case, the client is acting on its own behalf where as all other flows grant the client the ability to act on the behalf of a user.