  1. OAuth 2.0 — OAuth

    OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop …

  2. PKCE for OAuth 2.0

    PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web …

  3. OAuth 2.0 Password Grant Type

    This flow provides no mechanism for things like multifactor authentication or delegated accounts, so is quite limiting in practice. The latest OAuth 2.0 Security Best Current Practice disallows …

  4. OAuth 2.0 Authorization Code Grant Type

    OAuth 2.0 Authorization Code Grant (tools.ietf.org/html/rfc6749#section-1.3.1). The Authorization Code grant type is used by confidential and public clients to exchange an authorization code …

  5. OAuth 2.0 Device Authorization Grant

    The OAuth 2.0 Device Authorization Grant (formerly known as the Device Flow) is an OAuth 2.0 extension that enables devices with no browser or limited input capability to obtain an access …

  6. OAuth 2.0 Implicit Grant Type

    The OAuth 2.0 Security Best Current Practice document recommends against using the Implicit flow entirely, and OAuth 2.0 for Browser-Based Apps describes the technique of using the …

  7. OAuth Grant Types

    The OAuth framework specifies several grant types for different use cases, as well as a framework for creating new grant types. The most common OAuth grant types are listed below.

  8. OAuth 2.0 Token Exchange

    A resource server exchanging a client's tokens for its own tokens. Related Specs: OAuth 2.0 Bearer Token Usage (RFC 6750), JWT Profile for Access Tokens. More resources: Native SSO: …

  9. OAuth 2.0 for Browser-Based Apps

    OAuth 2.0 for Browser-Based Apps describes security requirements and other recommendations for SPAs and browser-based applications using OAuth 2.0. Among other things, it …

  10. OAuth 2.0 Client Credentials Grant Type

    OAuth 2.0 Client Credentials Grant (tools.ietf.org/html/rfc6749#section-4.4). The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user. This is …