Aaron Parecki

  • Articles
  • Notes
  • Photos
OAuth: "grant" vs "flow" vs "grant type"

    March 29, 2024
    Is it called an OAuth "grant" or a "flow"? What about "grant type"?

    These are common questions when writing documentation for OAuth-related things. While all three terms are used in RFC 6749 and many of its extensions, the differences between them are never actually explained.

    I wanted to finally write down a definition of the terms, along with examples of when each is appropriate.

    • flow - use "flow" when referring to the end-to-end process, for example:
      • "the client initiates the flow by..."
      • "the flow ends with the successful issuance of an access token"
      • This can also be combined with the type of flow, for example:
      • "The Authorization Code flow starts by..."
    • grant - use "grant" when referring to the specific POST request to the token endpoint (the request whose grant_type parameter names which grant is being presented), for example:
      • "The authorization code grant includes the PKCE code verifier..."
      • "The refresh token grant can be used with or without client authentication..."
      • "Grant" also refers to the abstract concept of the user having granted authorization, which is expressed as the authorization code, or implicitly with the client credentials grant. This is a bit of an academic definition of the term, and is used much less frequently in normal conversation around OAuth.
    • grant type - use "grant type" when referring to the definition of the flow in the spec itself, for example:
      • "there are several drawbacks to the Implicit grant type"
      • "the Authorization Code grant type enables the use of..."
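    To make the distinction concrete, here is an added example (not code from the original post, and not any library's API) that walks the Authorization Code flow end to end with PKCE and then uses a refresh token grant. The front-channel authorization request is where the flow starts; the single token-endpoint POST built by authorization_code_grant() or refresh_token_grant() is the grant, and its grant_type parameter is what the token endpoint dispatches on. The authorization server in it is a toy: the endpoint URLs, client identifiers and in-memory code/token stores are assumptions made for the example.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Toy authorization server state, constructed for this example (not a real AS).
ISSUED_CODES = {}    # authorization code -> {"client_id", "redirect_uri", "code_challenge"}
REFRESH_TOKENS = {}  # refresh token -> client_id it was issued to


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """A code_verifier (43 unreserved chars) and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def authorization_request(client_id, redirect_uri, code_challenge, state):
    """The front-channel redirect that starts the *flow* (RFC 6749 section 4.1.1)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return "https://as.example/authorize?" + urlencode(params)  # assumed AS URL


def authorization_code_grant(code, code_verifier, client_id, redirect_uri):
    """Form body of the one token-endpoint POST: the *authorization code grant*."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "code_verifier": code_verifier,
    }


def refresh_token_grant(refresh_token, client_id, client_secret=None):
    """The *refresh token grant*; client authentication is optional (public clients have no secret)."""
    body = {"grant_type": "refresh_token", "refresh_token": refresh_token, "client_id": client_id}
    if client_secret is not None:
        body["client_secret"] = client_secret
    return body


def issue_authorization_code(client_id, redirect_uri, code_challenge):
    """Simulates the AS redirecting back with a code after the user has granted authorization."""
    code = b64url(secrets.token_bytes(16))
    ISSUED_CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                          "code_challenge": code_challenge}
    return code


def token_endpoint(form):
    """Toy token endpoint: dispatches on grant_type and enforces what each grant requires."""
    grant_type = form.get("grant_type")
    if grant_type == "authorization_code":
        record = ISSUED_CODES.pop(form.get("code"), None)  # codes are single use
        if (record is None or record["client_id"] != form.get("client_id")
                or record["redirect_uri"] != form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        expected = b64url(hashlib.sha256(form.get("code_verifier", "").encode("ascii")).digest())
        if not secrets.compare_digest(expected, record["code_challenge"]):
            return {"error": "invalid_grant"}  # PKCE verifier does not match the challenge
        refresh = b64url(secrets.token_bytes(16))
        REFRESH_TOKENS[refresh] = record["client_id"]
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": refresh}
    if grant_type == "refresh_token":
        owner = REFRESH_TOKENS.get(form.get("refresh_token"))
        if owner is None or owner != form.get("client_id"):
            return {"error": "invalid_grant"}  # token unknown or bound to another client
        return {"access_token": b64url(secrets.token_bytes(16)), "token_type": "Bearer",
                "expires_in": 3600}
    return {"error": "unsupported_grant_type"}


def run_authorization_code_flow(client_id="app", redirect_uri="https://app.example/cb"):
    """The end-to-end *flow*: authorization request -> code -> token request -> tokens."""
    verifier, challenge = make_pkce_pair()
    url = authorization_request(client_id, redirect_uri, challenge,
                                state=b64url(secrets.token_bytes(8)))
    code = issue_authorization_code(client_id, redirect_uri, challenge)  # user approves
    tokens = token_endpoint(authorization_code_grant(code, verifier, client_id, redirect_uri))
    return {"authorization_url": url, "tokens": tokens}
```

    Run run_authorization_code_flow() for the whole flow; then pass refresh_token_grant(...) to token_endpoint() to see the second grant reuse the authorization the user gave in the first, without another trip through the front channel. A wrong code_verifier, a replayed code, or a refresh token presented by a different client_id all come back as invalid_grant, and an unknown grant_type as unsupported_grant_type.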

    Let me know if you have any suggestions for clarifying any of this, or any other helpful examples to add! I'm planning on adding this summary to OAuth 2.1 so that we have a formal reference for it in the future!

    Fri, Mar 29, 2024 8:15am -07:00 #oauth #terminology