Reputation: 1674
2. Client Registration says:
When registering a client, the client developer SHALL:
o specify the client type
but it is not specified how to define the available grant types. I can't understand how to define the available grants for a client. Can the client use all grants, several grants or only one?
The 2.1. Client Types spec section defines confidential (web application) and public (user-agent-based application & native application) client types. A public client can't secure any client authentication credentials, so for such clients should only the implicit grant be available, or maybe also the password grant for a resource-owner-trusted client? But I haven't found such restrictions.
Upvotes: 0
Views: 68
Reputation: 53888
Which grants are made available to Clients is a deployment decision to be made by the Authorization Server. In principle (by spec) there's no restriction on which grant types the Client can use. A typical way of working is that the administrator of the Authorization Server registers a Client and then assigns the grant types that are available to it. As you suggested, that can be just one grant, several grants or all of them (well, depending on the availability of a client secret, see below).
The Implicit grant by definition can only be used by public Clients because there is no option for the Client to authenticate itself as part of the protocol flow. Other grants, however, can be made available to both public Clients and confidential Clients because they may be used with or without a client secret and, as pointed out above, it would be a deployment decision to define which Client can use which grant.
As an example of the latter: the Authorization Code grant is perfectly usable for public Clients in addition to its availability for confidential Clients. The public Client would receive an authorization code in the regular way and would present it to the token endpoint without authenticating itself as a confidential Client would do. Because it wouldn't offer any clear security benefits over the Implicit grant yet does require an extra roundtrip to the Authorization Server it is not widely deployed but it is certainly not prohibited.
The Resource Owner Password Credentials grant is another example of a grant that can be used by both confidential Clients as well as public Clients. The Client would not authenticate itself to the token endpoint but merely pass the Resource Owner password to get an access token.
Upvotes: 2
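The deployment decision the answer describes can be made concrete as an Authorization Server that stores an allow-list of grant types per registered client and enforces it at the token endpoint. The Python below is an added example, not code from the question, the answer or any real OAuth library: the registry layout, the function names `register_client` and `token_request`, and the registration rules (no implicit grant for confidential clients, no client_credentials for public clients, a public client presenting a secret is rejected) are assumptions made for illustration, following the reasoning in the answer. Client authentication is modelled as a shared secret; the error strings are the RFC 6749 token-endpoint error codes.

```python
"""Toy OAuth 2.0 Authorization Server policy: per-client grant type allow-lists.

Added example; not code from the original question or answer. The registry
layout, function names and registration rules are assumptions for illustration.
"""
import hmac
import secrets

CLIENT_TYPES = {"confidential", "public"}
# Grants the token endpoint understands. "implicit" is issued directly at the
# authorization endpoint and never reaches the token endpoint.
TOKEN_ENDPOINT_GRANTS = {"authorization_code", "password", "client_credentials", "refresh_token"}
ALL_GRANTS = TOKEN_ENDPOINT_GRANTS | {"implicit"}


class OAuthError(Exception):
    """Carries the RFC 6749 error code the token endpoint would return."""


def register_client(registry, client_id, client_type, grant_types):
    """Administrator registers a client and assigns the grants it may use.

    Returns the generated client secret for confidential clients, None for
    public clients (which by definition cannot keep a secret).
    """
    if client_type not in CLIENT_TYPES:
        raise ValueError(f"unknown client type {client_type!r}")
    grants = set(grant_types)
    unknown = grants - ALL_GRANTS
    if unknown:
        raise ValueError(f"unknown grant types {sorted(unknown)}")
    # Policy (assumption): implicit has no client authentication step, so it
    # is only assigned to public clients.
    if client_type == "confidential" and "implicit" in grants:
        raise ValueError("implicit grant is only assigned to public clients")
    # Policy (assumption): client_credentials is nothing but client
    # authentication, so a public client cannot use it.
    if client_type == "public" and "client_credentials" in grants:
        raise ValueError("client_credentials requires a confidential client")
    secret = secrets.token_urlsafe(32) if client_type == "confidential" else None
    registry[client_id] = {"type": client_type, "grants": grants, "secret": secret}
    return secret


def token_request(registry, params, client_secret=None):
    """Policy check a token endpoint performs before issuing anything.

    `params` is the parsed form body; `client_secret` is whatever the client
    presented (Basic auth or body parameter), or None. Returns the accepted
    grant type or raises OAuthError with the error code to send back.
    """
    client = registry.get(params.get("client_id"))
    if client is None:
        raise OAuthError("invalid_client")
    grant = params.get("grant_type")
    if grant not in TOKEN_ENDPOINT_GRANTS:
        raise OAuthError("unsupported_grant_type")
    # The per-client allow-list assigned at registration time.
    if grant not in client["grants"]:
        raise OAuthError("unauthorized_client")
    if client["type"] == "confidential":
        # Confidential clients must authenticate; constant-time compare.
        if client_secret is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise OAuthError("invalid_client")
    elif client_secret is not None:
        # Policy (assumption): a public client has no secret, so presenting
        # one signals a misregistered or impersonating client.
        raise OAuthError("invalid_client")
    return grant


def demo():
    """Registers three clients and exercises the token endpoint policy."""
    registry = {}
    web_secret = register_client(registry, "web-app", "confidential",
                                 ["authorization_code", "refresh_token"])
    register_client(registry, "spa", "public", ["implicit"])
    register_client(registry, "mobile", "public", ["authorization_code", "password"])
    code_req = {"grant_type": "authorization_code", "code": "constructed-code"}
    outcomes = {
        # Public client redeems a code without authenticating: permitted here.
        "mobile_code": token_request(registry, dict(code_req, client_id="mobile")),
        # Confidential client must present its secret for the same grant.
        "web_code": token_request(registry, dict(code_req, client_id="web-app"),
                                  client_secret=web_secret),
    }
    for client_id, grant, secret in [("web-app", "authorization_code", None),
                                     ("web-app", "password", web_secret),
                                     ("spa", "password", None)]:
        try:
            token_request(registry, {"client_id": client_id, "grant_type": grant}, secret)
        except OAuthError as err:
            outcomes[f"{client_id}_{grant}"] = str(err)
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module shows the two accepted requests returning their grant type, the unauthenticated confidential client rejected with invalid_client, and the two clients asking for a grant they were never assigned rejected with unauthorized_client.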