Grants - Patroklo/yii2-oauth2-server GitHub Wiki

OAuth2 is a flexible standard that covers many different situations. That flexibility extends to how access is granted: the standard defines several grant types, each suited to a different kind of client.

This library supports the four main grant types defined in section 4 of the OAuth2 specification (RFC 6749):

  • Authorization Code
  • Implicit
  • User Credentials (called Resource Owner Password Credentials in the RFC; `grant_type=password` on the wire)
  • Client Credentials

It also includes the additional grant defined in section 6 of the same standard:

  • Refresh token

And one extension grant that was still an Internet-Draft when this library was written (it has since been published as RFC 7523):

  • JWT Bearer

New grant types can also be defined by implementing the interfaces the module provides.

This page describes each of the defined grants and their use cases:

## Authorization Code (section 4.1)

This is the grant most people have in mind when they talk about OAuth; it can fairly be called the "standard" grant.

It implements three-legged OAuth: the resource owner authorizes the client at the authorization server, the client receives an authorization code on its redirect URI, and it then exchanges that code (together with its own client credentials) for an access token at the token endpoint.

You have probably seen it on sites that let you sign up with a third-party account such as Facebook, Twitter or Google.

Because the code-for-token exchange happens directly between the client's back end and the token endpoint, the access token never passes through the resource owner's browser; only the short-lived, single-use authorization code does.
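The exchange step above is where the security of this grant lives, so here is the set of checks a token endpoint performs on a code, as RFC 6749 section 4.1.3 requires them. This is an added illustration, not code from this module or from the underlying oauth2-server-php library; the class name, the in-memory storage and the sample client are constructed for the demo (PHP 7.4+).

```php
<?php
// Added example (not the module's code): the checks a token endpoint performs when
// exchanging an authorization code (RFC 6749 section 4.1.3). Storage is an
// in-memory array here purely for illustration.

final class AuthCodeExchange
{
    /** @var array<string, array> issued codes, keyed by the code value */
    private array $codes = [];
    /** @var array<string, array> registered clients: id => ['secret' => ..., 'redirect_uri' => ...] */
    private array $clients;

    public function __construct(array $clients)
    {
        $this->clients = $clients;
    }

    /** Authorization endpoint: issue a short-lived code after the resource owner consents. */
    public function issueCode(string $clientId, string $userId, string $redirectUri, int $lifetime = 60): string
    {
        $code = bin2hex(random_bytes(16));
        $this->codes[$code] = [
            'client_id'    => $clientId,
            'user_id'      => $userId,
            'redirect_uri' => $redirectUri,
            'expires'      => time() + $lifetime,
        ];
        return $code;
    }

    /**
     * Token endpoint: the client authenticates, and the code must have been issued to
     * that client, with the same redirect_uri, must be unexpired and must be unused.
     * Returns the token response array, or ['error' => ...].
     */
    public function exchange(string $clientId, string $clientSecret, string $code, string $redirectUri): array
    {
        $client = $this->clients[$clientId] ?? null;
        if ($client === null || !hash_equals($client['secret'], $clientSecret)) {
            return ['error' => 'invalid_client'];
        }
        $stored = $this->codes[$code] ?? null;
        if ($stored === null) {
            return ['error' => 'invalid_grant'];
        }
        // Single use: drop the code before any further check, so a replay always fails.
        unset($this->codes[$code]);

        if ($stored['client_id'] !== $clientId
            || $stored['redirect_uri'] !== $redirectUri
            || $stored['expires'] < time()) {
            return ['error' => 'invalid_grant'];
        }
        return [
            'access_token'  => bin2hex(random_bytes(32)),
            'token_type'    => 'Bearer',
            'expires_in'    => 3600,
            'refresh_token' => bin2hex(random_bytes(32)),
            'user_id'       => $stored['user_id'],
        ];
    }
}

// Usage with constructed sample data: the first exchange succeeds, the replay is refused.
$server = new AuthCodeExchange([
    'web-app' => ['secret' => 's3cret', 'redirect_uri' => 'https://app.example/cb'],
]);
$code   = $server->issueCode('web-app', 'alice', 'https://app.example/cb');
$first  = $server->exchange('web-app', 's3cret', $code, 'https://app.example/cb');
$second = $server->exchange('web-app', 's3cret', $code, 'https://app.example/cb');
echo 'first:  ', isset($first['access_token']) ? 'token issued' : $first['error'], PHP_EOL;
echo 'second: ', $second['error'] ?? 'token issued', PHP_EOL;
```

The order matters: the code is deleted before the client/redirect/expiry comparison, so an attacker who intercepted the code cannot retry it after a first failed or successful exchange. Note that the secret check uses `hash_equals` rather than `==` to avoid a timing side channel.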

## Implicit (section 4.2)

Similar to Authorization Code, but the authorization endpoint returns an access token directly (in the fragment of the redirect URI) instead of an authorization code; there is no token-endpoint exchange and no refresh token.

It was designed for public clients (e.g. browser-based or mobile apps) that cannot keep a client secret. Bear in mind that the token is exposed in the URL fragment and cannot be bound to the client, so the OAuth 2.0 Security Best Current Practice now recommends against this grant; public clients should use Authorization Code with PKCE (RFC 7636) instead.

## User Credentials (section 4.3)

The resource owner's username and password are sent to the token endpoint together with the client credentials, and an access token is issued if they authenticate.

This grant is appropriate only for trusted first-party clients, such as a service's own mobile app (for example the Facebook app), because the client handles the user's password directly.

## Client Credentials (section 4.4)

The client authenticates with its own credentials and obtains an access token directly; the token gives access to whatever resources are granted to the client itself, with no resource owner involved.

This grant is suited to machine-to-machine authentication.

## Refresh token (section 6)

The client submits a refresh token and receives a new access token once the previous one has expired, without involving the resource owner again.

## JWT Bearer

The client submits a JWT (JSON Web Token) signed with its private key to the token endpoint (`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`). The server verifies the signature against the public key registered for that client, checks the claims (issuer, subject, audience, expiry), and returns an access token directly, without a refresh token.
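To make concrete what the assertion carries and what the server must check before trusting it, here is both sides of the JWT Bearer exchange. This is an added example, not code from this module or from oauth2-server-php: it uses PHP's openssl extension for RS256, generates the client key pair inline (a real client registers its public key with the authorization server), and the endpoint URL, client id and user id are constructed sample values.

```php
<?php
// Added example (not the module's or oauth2-server-php's code): the claims a JWT Bearer
// assertion carries and the checks a token endpoint makes before issuing an access
// token. RS256 via PHP's openssl extension; the key pair is generated inline for the
// demo, where a real client would register its public key with the server.

function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string
{
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4));
}

// Client side: sign an assertion for grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
function buildAssertion(string $privateKeyPem, string $clientId, string $userId, string $audience, int $ttl = 60): string
{
    $header  = b64url(json_encode(['typ' => 'JWT', 'alg' => 'RS256']));
    $payload = b64url(json_encode([
        'iss' => $clientId,                  // the client presenting the assertion
        'sub' => $userId,                    // the resource owner the token is for
        'aud' => $audience,                  // the token endpoint it is meant for
        'exp' => time() + $ttl,              // short lifetime bounds replay
        'jti' => bin2hex(random_bytes(8)),   // unique id so reuse can be detected
    ]));
    $signature = '';
    openssl_sign("$header.$payload", $signature, $privateKeyPem, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($signature);
}

// Server side: verify against the public key registered for the client named in `iss`,
// then check the claims. Returns the claims array, or a string naming the failed check.
function verifyAssertion(string $jwt, callable $publicKeyFor, string $expectedAud, array &$seenJti)
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return 'malformed';
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    $claims = json_decode(b64urlDecode($p), true);
    // Pin the algorithm: never let the token's own header choose it (alg=none, HS256 key confusion).
    if (!is_array($header) || !is_array($claims) || ($header['alg'] ?? '') !== 'RS256') {
        return 'unsupported_alg';
    }
    $publicKeyPem = $publicKeyFor((string) ($claims['iss'] ?? ''));
    if ($publicKeyPem === null) {
        return 'unknown_client';
    }
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return 'bad_signature';
    }
    if (($claims['aud'] ?? null) !== $expectedAud) {
        return 'wrong_audience';
    }
    if (!isset($claims['exp']) || $claims['exp'] < time()) {
        return 'expired';
    }
    if (empty($claims['sub'])) {
        return 'missing_subject';
    }
    $jti = $claims['jti'] ?? null;
    if ($jti === null || isset($seenJti[$jti])) {
        return 'replayed';   // missing or already-seen jti
    }
    $seenJti[$jti] = true;
    return $claims;   // the caller now issues an access token (no refresh token) for sub/iss
}

// Demo with constructed data: an inline key pair stands in for the client's registered key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privateKeyPem);
$publicKeyPem = openssl_pkey_get_details($key)['key'];

$tokenEndpoint = 'https://auth.example/oauth2/token';
$registry = ['batch-job' => $publicKeyPem];
$lookup   = function (string $clientId) use ($registry) { return $registry[$clientId] ?? null; };
$seen     = [];

$assertion = buildAssertion($privateKeyPem, 'batch-job', 'alice', $tokenEndpoint);
$results = [
    'fresh'   => verifyAssertion($assertion, $lookup, $tokenEndpoint, $seen),              // accepted
    'replay'  => verifyAssertion($assertion, $lookup, $tokenEndpoint, $seen),              // same jti again
    'bad_aud' => verifyAssertion($assertion, $lookup, 'https://other.example/token', $seen), // meant for another endpoint
];
foreach ($results as $case => $r) {
    echo $case, ': ', is_array($r) ? 'accepted for ' . $r['sub'] : $r, PHP_EOL;
}
```

Two points are worth carrying over to any real deployment: the key is looked up by the `iss` claim and the algorithm is fixed server-side, so a forged header cannot downgrade verification; and the `aud` check is what stops an assertion issued for one token endpoint from being replayed against another.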

## Extending Grants

You can create your own grant type by implementing the interface OAuth2\GrantType\GrantTypeInterface and adding it to the grant type array in the module configuration. The JWT Bearer grant is itself an example of this.
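The following is an added example of such a grant type, written against the OAuth2\GrantType\GrantTypeInterface of the oauth2-server-php library that this module wraps; it is not code from this module. The grant type identifier (`urn:example:device-key`), the `device_key` parameter, the `app\oauth2` namespace and the lookup callback are illustrative assumptions.

```php
<?php
// Added example (not the module's code): a custom grant type for oauth2-server-php,
// which this module wraps. The identifier, parameter name and storage callback are
// illustrative assumptions, not part of the library.

namespace app\oauth2;

use OAuth2\GrantType\GrantTypeInterface;
use OAuth2\RequestInterface;
use OAuth2\ResponseInterface;
use OAuth2\ResponseType\AccessTokenInterface;

/**
 * Exchanges a long-lived device key for a short-lived access token
 * (grant_type=urn:example:device-key). The client still authenticates with its own
 * client credentials in the usual way; the library only takes the client identity
 * from the grant type itself when it implements ClientAssertionTypeInterface, so
 * getClientId() returns null here.
 */
class DeviceKeyGrant implements GrantTypeInterface
{
    /** @var callable(string): ?array resolves a device key to ['user_id' => ..., 'scope' => ...] or null */
    private $lookup;
    private $userId;
    private $scope;

    public function __construct(callable $lookup)
    {
        $this->lookup = $lookup;
    }

    /** The grant_type value clients send to the token endpoint. */
    public function getQueryStringIdentifier()
    {
        return 'urn:example:device-key';
    }

    /** Validate the request parameters and resolve the resource owner; false aborts the request. */
    public function validateRequest(RequestInterface $request, ResponseInterface $response)
    {
        $deviceKey = $request->request('device_key');
        if (!$deviceKey) {
            $response->setError(400, 'invalid_request', 'Missing parameter: "device_key" is required');
            return false;
        }
        $record = ($this->lookup)($deviceKey);
        if ($record === null) {
            $response->setError(401, 'invalid_grant', 'Device key is unknown or revoked');
            return false;
        }
        $this->userId = $record['user_id'];
        $this->scope  = $record['scope'] ?? null;
        return true;
    }

    public function getClientId()
    {
        return null; // client identity comes from the regular client authentication step
    }

    public function getUserId()
    {
        return $this->userId;
    }

    public function getScope()
    {
        return $this->scope;
    }

    public function createAccessToken(AccessTokenInterface $accessToken, $client_id, $user_id, $scope)
    {
        // Last argument false: a device key is already long-lived, so no refresh token is issued.
        return $accessToken->createAccessToken($client_id, $user_id, $scope, false);
    }
}
```

With the library's own Server object such a class is registered with `$server->addGrantType(new DeviceKeyGrant($lookup))`, and the identifier returned by `getQueryStringIdentifier()` becomes the `grant_type` clients must send; with this module you add the class to the grant type array in the module configuration as described above. Keep the decision of whether to issue a refresh token explicit in `createAccessToken()`, since that is the one place a custom grant controls it.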