0512305012

Reputation: 105

Which authorization grant type should I use?

In my application, I have many company accounts. I'm using django-oauth-toolkit and I'm going to add access to my API on request from a specific company.

I have a few endpoints like:

GET /api/users/ - return all company users

GET /api/documents/ - return all documents owned by users from given company

I wonder which authorization grant type should I use:

Client type: Confidential

Authorization grant type options:

Can anyone tell me which one type is the best in my case and why?

Upvotes: 1

Views: 553

Answers (1)

Mushahid Khan

Reputation: 2834

You should use resource owner password-based grant:

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.

Flow:

The client will ask the user for their authorization credentials (usually a username and password).

The client then sends a POST request with following body parameters to the authorization server:

  • grant_type with the value password
  • client_id with the client’s ID
  • client_secret with the client’s secret
  • scope with a space-delimited list of requested scope permissions.
  • username with the user’s username
  • password with the user’s password

The authorization server will respond with a JSON object containing the following properties:

  • token_type with the value Bearer
  • expires_in with an integer representing the TTL of the access token
  • access_token a JWT signed with the authorization server’s private key
  • refresh_token an encrypted payload that can be used to refresh the access token when it expires.

Upvotes: 2
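The request and response the answer describes, as an added example that is not part of the question or the answer: a small Python client that builds the password-grant POST body, validates the token JSON and derives an absolute expiry. It assumes the token endpoint is mounted at `/o/token/` (django-oauth-toolkit's default URL prefix), uses constructed client and user credentials, and talks to a fake in-process transport so it runs offline; for real use, replace `fake_transport` with a call such as `requests.post(url, data=body)` and treat the access token as opaque.

```python
"""Password-grant client for a django-oauth-toolkit token endpoint.

Added example, not from the question or the answer. The endpoint path,
client credentials and the fake server responses are all constructed.
"""
import json
import time
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://api.example.invalid/o/token/"  # assumed: DOT's default prefix


def build_password_grant_body(client_id, client_secret, username, password, scopes):
    """Form-encode the six parameters the answer lists (RFC 6749 section 4.3)."""
    params = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": " ".join(scopes),
        "username": username,
        "password": password,
    }
    return urlencode(params)


def parse_token_response(status, body_text, now=None):
    """Validate the token JSON and return it with an absolute expiry timestamp.

    A non-200 status carries an OAuth error code (e.g. invalid_grant), so it is
    raised rather than silently returned as an empty token.
    """
    now = time.time() if now is None else now
    data = json.loads(body_text)
    if status != 200:
        raise RuntimeError(f"token request failed: {data.get('error', status)}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    expires_in = int(data["expires_in"])  # TTL in seconds, per the answer
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "scope": data.get("scope", "").split(),
        "expires_at": now + expires_in,
    }


def fake_transport(url, body):
    """Constructed stand-in for the authorization server (offline demo only)."""
    params = dict(parse_qsl(body))
    if params.get("grant_type") != "password" or params.get("client_secret") != "s3cret":
        return 400, json.dumps({"error": "invalid_client"})
    if params.get("username") != "alice" or params.get("password") != "correct-horse":
        return 400, json.dumps({"error": "invalid_grant"})
    return 200, json.dumps({
        "token_type": "Bearer",
        "expires_in": 36000,
        "access_token": "tok-constructed",
        "refresh_token": "ref-constructed",
        "scope": params.get("scope", ""),
    })


def obtain_token(username, password, transport=fake_transport, now=None):
    """Run the whole flow: build body, POST to the token endpoint, parse the reply."""
    body = build_password_grant_body("acme-app", "s3cret", username, password, ["read", "write"])
    status, text = transport(TOKEN_URL, body)
    return parse_token_response(status, text, now=now)


def bearer_header(token):
    """Header to attach on later calls such as GET /api/users/ or GET /api/documents/."""
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    tok = obtain_token("alice", "correct-horse")
    print(bearer_header(tok), "valid for", int(tok["expires_at"] - time.time()), "s")
```

Keep `client_secret` on the server side only: the answer's client type is Confidential, which is exactly why this grant fits a backend-to-backend integration and not a browser or mobile app where the secret could not be protected.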
