Which OAuth2 flow/grant type I should use?

Question

I'm building a full stack application. The frontend will be a SPA and the backend part is going to be statelss restful API across several resource servers. Also, I'd like to separate the authentication & authorization as a micro service and is thinking to use OAuth2 as the protocol.

The target flow will be like the SPA user will submit ID/password to the auth service and the OAuth2 server will respond with access token. In subsequent resource requests the SPA will submit together with the access token to the resource server and resource server will then ask the auth server to validate the token.

My question is that does OAuth2 fit the above scenario and if it's the case, which OAuth2 grant type/flow I should use?

Answer 1

The Authorization Code grant type should work perfectly for you - this is how it would typically work:

1. Users loads the SPA through his browser
2. User presses log in and is redirected to the Auth Server login page
3. User inputs his username and password
4. Auth Server redirects back to the SPA with the authorization code
5. The backend of the SPA calls the Auth Server and provides it the authorization code. If valid, the Auth Server returns an access token.
6. The access token is tied with the user's session and the user is successfully logged in.
7. Each time a resource server is called, the access token is provided and checked with the Auth Server.