Gobliins

Reputation: 4026

OAuth 2.0: Which flow is most suitable for user and no user interaction?

I've now read a lot about OAuth 2.0 and its use cases (flows).

Now I have these two scenarios:

  1. A user logs into our client with his ID and password; the client then makes the API calls.

  2. A foreign system with no user data wants to access the server's web API.

If I am not wrong, I would suggest using the "Client Credentials flow" for 2., and for 1. I would use the "Implicit authorization grant flow".

I have the information about the chosen flows from http://tutorials.jenkov.com/oauth2/authorization.html

So am I right about this decision, or is there a better alternative I have not seen?

Upvotes: 0

Views: 51

Answers (1)

Ramesh Lingappa

Reputation: 2488

Yes, you are.

In general, when a client (be it your own web client or a third-party client) wants to access a user's data, it must pass an access token which it has obtained during authorization by using one of the flows (authorization_code or implicit).

And when a third-party system wants to access data which is not user-related, or at least not sensitive, then you just need some way to identify which client is making the request; it's useful for validation, rate limiting, etc.

So Client Credentials flow works in your case.

Upvotes: 1
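The client credentials exchange discussed in this answer, as an added example that is not part of the original post: both sides of the token request from RFC 6749 section 4.4, followed by a resource server that uses the token only to identify and rate-limit the calling client. The client name, secret, registry layout and the simple request counter are constructed assumptions.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlencode, parse_qs

# Constructed registry: client_id -> SHA-256 of a high-entropy client secret.
CLIENTS = {"billing-svc": hashlib.sha256(b"constructed-secret").hexdigest()}
TOKENS = {}      # access_token -> (client_id, expiry timestamp)
RATE = {}        # client_id -> request count (simplified: no time window)
RATE_LIMIT = 3

def build_token_request(client_id, client_secret, scope=None):
    """Client side: headers and form body for the token endpoint."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode(form)

def token_endpoint(headers, body, now=None):
    """Server side: authenticate the client; the token carries no user identity."""
    now = time.time() if now is None else now
    if parse_qs(body).get("grant_type") != ["client_credentials"]:
        return 400, {"error": "unsupported_grant_type"}
    try:
        scheme, blob = headers["Authorization"].split(" ", 1)
        client_id, secret = base64.b64decode(blob).decode().split(":", 1)
    except (KeyError, ValueError):   # missing header, bad base64, no colon
        return 401, {"error": "invalid_client"}
    expected = CLIENTS.get(client_id, "")
    supplied = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison avoids leaking how much of the secret matched.
    if scheme != "Basic" or not hmac.compare_digest(expected, supplied):
        return 401, {"error": "invalid_client"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (client_id, now + 3600)
    return 200, {"access_token": token, "token_type": "Bearer", "expires_in": 3600}

def api_call(bearer, now=None):
    """Resource server: resolve token to a client, then rate-limit that client."""
    now = time.time() if now is None else now
    client_id, expiry = TOKENS.get(bearer, (None, 0))
    if client_id is None or now >= expiry:
        return 401, None
    RATE[client_id] = RATE.get(client_id, 0) + 1
    if RATE[client_id] > RATE_LIMIT:
        return 429, client_id
    return 200, client_id
```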
