Which OAuth 2.0 grant works best for me?
A grant is a method for acquiring an access token. To decide which grant to implement, consider the type of client the end-user will be using and the end-user experience you want.
OpenID Connect supports the following authentication flows:
| Use case | Trustworthiness | Suggested OAuth 2.0 authorization grant type |
|---|---|---|
| Publicly available apps (apaleo store apps) | Most secure grant type.<br>If the client is a web app that has a server-side component, then you should implement the authorization code grant.<br>If you can use server-side scripting, then use this grant. | Authorization code grant |
| Private apps (custom project for one hotel) | Highly trusted applications, written by internal developers or developers with a trusted business relationship with the user.<br>All parties trust each other and no external resources are involved.<br>Usually used for machine-to-machine authorization.<br>Applications that need to access resources on their own behalf. | Client credentials grant |
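The two grants in the table, worked through as an added example (this is not apaleo's own code or documentation): the client credentials request an app sends on its own behalf, and the three steps of the authorization code grant as a server-side component performs them. The endpoint URLs, client id, secret and scope names are placeholders, not apaleo's real values.

```python
"""Token requests for the two grant types in the table above.
The endpoints and credentials are placeholders (assumption), not apaleo's."""
import base64
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

TOKEN_ENDPOINT = "https://identity.example.test/connect/token"          # placeholder
AUTHORIZE_ENDPOINT = "https://identity.example.test/connect/authorize"  # placeholder


def _basic_auth(client_id: str, client_secret: str) -> str:
    """Client credentials belong in the Authorization header, not the form body."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def client_credentials_request(client_id: str, client_secret: str, scopes: list) -> dict:
    """Machine-to-machine: the app authenticates as itself, no end-user involved."""
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": _basic_auth(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)}),
    }


def authorization_request(client_id: str, redirect_uri: str, scopes: list) -> tuple:
    """Step 1 of the authorization code grant: the URL the user's browser is sent to.
    Returns (url, state); the server must store `state` to check the callback."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": " ".join(scopes),
                       "state": state})
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def handle_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect, refusing a state mismatch (CSRF)."""
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise ValueError(f"authorization server returned error: {params['error'][0]}")
    return params["code"][0]


def code_exchange_request(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Step 3: the server-side component swaps the code for tokens; the client
    secret never reaches the browser, which is why this grant needs a back end."""
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {"Authorization": _basic_auth(client_id, client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "authorization_code", "code": code,
                           "redirect_uri": redirect_uri}),
    }
```

Each function returns the request as data rather than sending it, so the same code can be exercised offline and then handed to whatever HTTP client the app uses.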
Implementing OAuth in your applications
The following topics describe how to generate OAuth access tokens using each of the two grant flows: