Ph0en1x

Reputation: 10067

OAuth2 server. Should I have a single endpoint or different endpoints for different grant types?

According to the article OAuth 2 Simplified, there could be 4 grant types for the OAuth server.

  1. Authorization Code for apps running on a web server
  2. Implicit for browser-based or mobile apps
  3. Password for logging in with a username and password
  4. Client credentials for application access

So the question is: should I have a single endpoint for all of them and then choose which is used according to the query string provided, or would it be better to implement a single endpoint per grant type?

Upvotes: 0

Views: 276

Answers (1)

flup

Reputation: 27104

From the OAuth2 specs:

Protocol Endpoints

The authorization process utilizes two authorization server endpoints (HTTP resources):

o Authorization endpoint - used by the client to obtain authorization from the resource owner via user-agent redirection.

o Token endpoint - used by the client to exchange an authorization grant for an access token, typically with client authentication.

As well as one client endpoint:

o Redirection endpoint - used by the authorization server to return responses containing authorization credentials to the client via the resource owner user-agent.

Not every authorization grant type utilizes both endpoints.
Extension grant types MAY define additional endpoints as needed.

So the answer is: reuse the endpoints for multiple flows, but distinguish between the Authorization endpoint and the Token endpoint.

Upvotes: 1
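As an added illustration of the answer's point (example code, not from the question or the answer): one token endpoint that first authenticates the client and then dispatches on the `grant_type` parameter, returning the RFC 6749 error codes for unknown or disallowed grants. The client registry, secrets and authorization-code store are constructed in-memory stand-ins.

```python
# Added example: a single /token endpoint serving several grant types.
# CLIENTS and ISSUED_CODES are constructed stand-ins for real storage.
import secrets

# Constructed client registry: client_id -> (client_secret, allowed grant types)
CLIENTS = {
    "web-app": ("s3cret", {"authorization_code", "refresh_token"}),
    "batch-job": ("job-secret", {"client_credentials"}),
}
# Constructed store of codes previously issued by the authorization endpoint.
ISSUED_CODES = {
    "code-abc": {"client_id": "web-app", "redirect_uri": "https://app.example/cb"},
}

def _error(code):
    # Error response shape from RFC 6749 section 5.2.
    return 400, {"error": code}

def _issue_token():
    # Access tokens must be unguessable; never derive them from client data.
    return 200, {"access_token": secrets.token_urlsafe(32),
                 "token_type": "Bearer", "expires_in": 3600}

def _authorization_code(client_id, params):
    code = ISSUED_CODES.pop(params.get("code"), None)  # codes are single use
    if code is None or code["client_id"] != client_id:
        return _error("invalid_grant")
    if code["redirect_uri"] != params.get("redirect_uri"):
        return _error("invalid_grant")  # must match the URI used at /authorize
    return _issue_token()

def _client_credentials(client_id, params):
    return _issue_token()

# Dispatch table: grant_type value -> handler. Implicit is absent on purpose;
# it is served by the authorization endpoint, not the token endpoint.
GRANT_HANDLERS = {
    "authorization_code": _authorization_code,
    "client_credentials": _client_credentials,
}

def token_endpoint(client_id, client_secret, params):
    """POST /token: authenticate the client, then dispatch on grant_type."""
    registered = CLIENTS.get(client_id)
    if registered is None or not secrets.compare_digest(registered[0], client_secret):
        return 401, {"error": "invalid_client"}
    grant_type = params.get("grant_type")
    handler = GRANT_HANDLERS.get(grant_type)
    if handler is None:
        return _error("unsupported_grant_type")
    if grant_type not in registered[1]:
        return _error("unauthorized_client")  # client may not use this grant
    return handler(client_id, params)
```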
