Supported OAuth 2.0 flows
The Authorization Server supports three authorization grant flows for client apps
requesting a token: an implicit grant flow, an authorization code grant flow, and
a client credentials flow. You can associate a client app with each of these flows in the
Client apps section of

Implicit grant flow
In the implicit grant flow, the Authorization Server provides an access token directly to a client app. The flow does not involve an authorization code or a refresh token, which differentiates it from the authorization code grant flow. For this reason, it is considered a lightweight version of the authorization code grant flow.

Authorization code grant flow
In the authorization code grant flow, the Authorization Server provides an authorization code to a client app. The client app exchanges the authorization code for a set of access and refresh tokens by using a client ID and client secret.

Client credentials flow
In the client credentials flow, the Authorization Server provides an access token directly to the client app after verifying the client app's client ID and client secret. It is recommended for internal client apps highly trusted by the resource server (for example, when the client app and the resource server are part of the same organization).
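
The requests that distinguish the three flows, following RFC 6749, as an added example that is not part of the original documentation. The endpoints, client ID, client secret and redirect URI are constructed placeholders, and sending the client credentials with HTTP Basic authentication is an assumption about this server.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders (assumptions, not values from the documentation).
AUTHORIZE_URL = "https://as.example.com/authorize"
TOKEN_URL = "https://as.example.com/token"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "demo-secret"
REDIRECT_URI = "https://app.example.com/callback"

def authorization_request(flow, state):
    """Front-channel URL; only the implicit and authorization code flows use it."""
    response_type = {"implicit": "token", "authorization_code": "code"}[flow]
    query = {"response_type": response_type, "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(query)

def code_from_callback(callback_url, expected_state):
    """Read the authorization code from the redirect; reject a mismatched state."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: discard the response")
    return params["code"][0]

def token_request(flow, code=None):
    """Back-channel POST; the client secret appears only here, never in a URL."""
    if flow == "authorization_code":
        form = {"grant_type": "authorization_code", "code": code,
                "redirect_uri": REDIRECT_URI}
    elif flow == "client_credentials":
        form = {"grant_type": "client_credentials"}
    else:
        raise ValueError("the implicit flow never calls the token endpoint")
    # Assumption: the server accepts client authentication via HTTP Basic.
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return {"method": "POST", "url": TOKEN_URL, "headers": headers,
            "body": urlencode(form)}

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(authorization_request("implicit", state))
    print(authorization_request("authorization_code", state))
    print(token_request("client_credentials")["body"])
```

In the implicit flow the access token comes back in the redirect itself, so no request carries the client secret; in the other two flows the secret travels only in the direct POST to the token endpoint.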