Infinite | Squares

Art of code and more

OAuth2 Flows

During my work to refactor one of my Node.js based app, I tried to dug deeper into OAuth2 authorization flows. There are 4 authorization flows. See here

  • Authorization Code Flow, aka Server-Side Flow or the ‘typical’ Oauth2 flow: this flow includes sending the client user via redirect to the provider’s login and authorization page, then will redirect back to your web application and pass a authorization code in the URL parameters.
  • Implicit Flow, aka as Client-Side Flow: this flow is pretty simple and is suited for browser-based client-side web applications. This means: JavaScript. You send the user via redirect to the provider’s web site, she logs in and authorizes your app, then the provider redirects back to your web application.
  • Resource Owner Password Flow: this flow is great for native mobile applications that you can trust. This flow includes sending the user’s username and password to the token endpoint in exchange for an access token.
  • Client Credentials Flow: this flow identifies the client and give the client itself access to resources it owns and does not give the client access to users’ data.

Since my app is written with Node.js, first move is to see if there is Node.js modules that support all flows. Fortunately, passport support all of it. Here are some links for each flow (with the exception of the last, since it just about client data):

For your application, if you start with mobile app developed internally, start with Resource Owner Password Flow. If you start allowing third party applications to integrate with your API, implement Authorization Code Flow. Finally, when you develop a javascript client library for your API, deploy Implicit Flow.