Reputation: 10910
I'm confused with the OAuth2 password grant type concept
Here the token is implemented using an endpoint/claims.
On this site or this blog, the token is implemented as a JSON object containing all the client credential details.
Can anyone help to clarify the concept?
Upvotes: 0
Views: 74
Reputation: 1944
There are four OAuth2 flows to get the access token (not the ID token), depending on how the client system will get the access token on behalf of the end user. With the OAuth2 password grant flow, the client app presents the login page, gets the password and authenticates the user using a REST API call to the authorization server. The authorization server returns the token to the client app after successful authentication. This is used by mobile apps, for example, but it is less secure than the other OAuth2 flows and should be used with trusted client apps only. I have written an article on this; you can check it for more details, the link is here: https://www.linkedin.com/pulse/microservices-security-openid-connect-manish-singh
Upvotes: 0
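The exchange the answer above describes, as an added example that is not part of the original answer or of the linked article: a hypothetical in-process authorization server (`AuthServer`) with a token endpoint, and the request a trusted client app sends after it has collected the user's password itself (RFC 6749 section 4.3). The user and client records are constructed for the demo; the server authenticates the client first, then the resource owner, and only issues a token to clients registered as allowed to use the password grant.

```python
"""Mock OAuth2 password-grant exchange (RFC 6749 section 4.3).

Added example with hypothetical names (AuthServer, client_password_grant)
and a constructed user/client store; not code from the answer or article.
"""
import hashlib
import hmac
import os
import secrets
import time
from urllib.parse import parse_qs, urlencode


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store only PBKDF2 hashes of user passwords, never the plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Hypothetical authorization server exposing only a token endpoint."""

    def __init__(self):
        salt = os.urandom(16)
        # Constructed resource-owner store: username -> (salt, pbkdf2 hash).
        self.users = {"alice": (salt, _hash_password("correct horse", salt))}
        # Constructed registered clients. The password grant is only enabled
        # for the first-party (trusted) client, as the answer recommends.
        self.clients = {
            "mobile-app": {"secret": "s3cr3t", "password_grant": True},
            "third-party": {"secret": "other", "password_grant": False},
        }
        # Issued tokens are opaque random handles; the server keeps the state.
        self.issued = {}

    def _authenticate_client(self, form):
        client = self.clients.get(form.get("client_id", ""))
        presented = form.get("client_secret", "").encode()
        if client is None or not hmac.compare_digest(client["secret"].encode(), presented):
            return None
        return client

    def token_endpoint(self, body: str):
        """Handle POST /token with an application/x-www-form-urlencoded body.

        Returns (http_status, json_dict) the way the real endpoint would.
        """
        form = {k: v[0] for k, v in parse_qs(body).items()}
        client = self._authenticate_client(form)
        if client is None:
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != "password":
            return 400, {"error": "unsupported_grant_type"}
        if not client["password_grant"]:
            return 400, {"error": "unauthorized_client"}
        record = self.users.get(form.get("username", ""))
        if record is None:
            return 400, {"error": "invalid_grant"}
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(form.get("password", ""), salt)):
            return 400, {"error": "invalid_grant"}
        token = secrets.token_urlsafe(32)
        self.issued[token] = {
            "sub": form["username"],
            "scope": form.get("scope", ""),
            "client_id": form["client_id"],
            "exp": time.time() + 3600,
        }
        return 200, {
            "access_token": token,
            "token_type": "Bearer",
            "expires_in": 3600,
            "scope": form.get("scope", ""),
        }


def client_password_grant(server, client_id, client_secret, username, password, scope="read"):
    """What the client app sends once it has collected the user's password itself."""
    body = urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return server.token_endpoint(body)


if __name__ == "__main__":
    srv = AuthServer()
    print(client_password_grant(srv, "mobile-app", "s3cr3t", "alice", "correct horse"))
    print(client_password_grant(srv, "mobile-app", "s3cr3t", "alice", "wrong password"))
    print(client_password_grant(srv, "third-party", "other", "alice", "correct horse"))
```

The point to notice is that the client app handles the user's raw password and could keep it, which is why the grant is reserved for clients the authorization server operator controls; the error codes (`invalid_client`, `invalid_grant`, `unauthorized_client`) are the ones RFC 6749 section 5.2 defines.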
Reputation: 8421
If you mean the access token, then it can be of either type (a string with no special meaning or a JSON, XML or some other format). The OAuth2 specification says this:
An access token is a string representing an authorization issued to the client. The string is usually opaque to the client. Tokens represent specific scopes and durations of access, granted by the resource owner, and enforced by the resource server and authorization server.
The token may denote an identifier used to retrieve the authorization information or may self-contain the authorization information in a verifiable manner (i.e., a token string consisting of some data and a signature).
So it depends on the OAuth2 implementation.
If you mean the ID token (from OpenID Connect), then it must be in a JWT (signed JSON) format.
Upvotes: 1
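The two token shapes the answer above quotes from the specification, as an added example that is not part of the answer: an opaque token that is just an identifier the resource server must introspect against the authorization server's store, beside a self-contained token (a JWT signed with HS256) that the resource server verifies locally. The key, claims and in-memory store are constructed for the demo, and the function names are hypothetical. HS256 via the standard library's `hmac` is used only to keep the example dependency-free; a real deployment would use a maintained JOSE library and, for ID tokens especially, usually an asymmetric algorithm such as RS256 or ES256.

```python
"""Added example: opaque vs self-contained access tokens at a resource server.

Hypothetical code, not from the answer; key, claims and store are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- style 1: opaque token. The string carries no meaning; the authorization
# server keeps the authorization state and answers introspection queries.
TOKEN_STORE = {}  # constructed stand-in for the authorization server's database


def issue_opaque(claims: dict) -> str:
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = claims
    return token


def introspect(token: str, now=None) -> dict:
    """RFC 7662-style answer: {'active': False} unless the token is known and unexpired."""
    now = time.time() if now is None else now
    claims = TOKEN_STORE.get(token)
    if claims is None or claims["exp"] <= now:
        return {"active": False}
    return {"active": True, **claims}


# --- style 2: self-contained token. The authorization data travels inside the
# string together with a signature, so the resource server needs no lookup.
def issue_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # reject 'none' and algorithm confusion
            return None
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def resource_server_authorize(token: str, key: bytes, required_scope: str, style: str, now=None) -> bool:
    """The resource server is configured with the style its authorization server issues."""
    if style == "jwt":
        claims = verify_jwt(token, key, now)
    elif style == "opaque":
        claims = introspect(token, now)
        if not claims["active"]:
            claims = None
    else:
        raise ValueError("unknown token style")
    if claims is None:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"
    claims = {"sub": "alice", "scope": "read write", "exp": int(time.time()) + 3600}
    print("opaque:", issue_opaque(claims))
    print("jwt:   ", issue_jwt(claims, key))
```

Both styles are valid OAuth2 access tokens; the trade-off is that the opaque token can be revoked instantly (delete it from the store) but costs the resource server a round trip, while the self-contained token is cheap to check but stays valid until `exp` unless a separate revocation list is consulted.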