Which OAuth 2.0 grant works best for me?
A grant is a method of acquiring an access token. To decide which grant to implement, you need to consider the type of client the end user will be using and the end-user experience you want.
OpenID Connect supports the following authentication flows:
| Use Case | Trustworthiness | Suggested OAuth 2.0 Authorization Grant Type |
|---|---|---|
| Publicly available apps (apaleo store apps) | Most secure grant type. If the client is a web app that has a server-side component, then you should implement the authorization code grant. If you can use server-side scripting, then use this grant. | Authorization code grant |
| Private apps (custom project for one hotel) | Highly trusted applications, written by internal developers or developers with a trusted business relationship with the user. All parties trust each other and no external resources are involved. Usually used for machine-to-machine authorization. Applications that need to access resources on their own behalf. | Client credentials grant |
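To make the difference between the two rows concrete, here is an added example (not apaleo's own code) that builds the requests each grant sends, without transmitting them: the authorization code grant needs a browser redirect plus a server-side code exchange, while the client credentials grant is a single server-to-server token request. The endpoint URLs, the PKCE step and the `state` parameter are assumptions added for the public-app case, not values taken from this page.

```python
# Added example (not apaleo's code): builds the requests for the two grants in
# the table above without sending them; both endpoint URLs are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://identity.example.test/connect/authorize"  # placeholder
TOKEN_URL = "https://identity.example.test/connect/token"          # placeholder


def basic_auth(client_id, client_secret):
    """HTTP Basic Authorization header value carrying the client credentials."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def auth_code_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Authorization code grant, step 1: the browser redirect asking the user to
    log in and consent. 'state' ties the callback to this session (CSRF check)."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": code_challenge, "code_challenge_method": "S256"}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def auth_code_token_request(client_id, client_secret, code, redirect_uri, verifier):
    """Step 2: the app's server-side component swaps the code for tokens. The
    client secret stays on the server, which is why this grant needs a backend."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "code_verifier": verifier}
    return TOKEN_URL, basic_auth(client_id, client_secret), body


def client_credentials_token_request(client_id, client_secret, scope):
    """Client credentials grant: no end user, the app acts on its own behalf."""
    body = {"grant_type": "client_credentials", "scope": scope}
    return TOKEN_URL, basic_auth(client_id, client_secret), body
```

Each function returns the token endpoint, the Authorization header value and the form body, so the three can be passed to any HTTP client as a POST.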
Implementing OAuth in your applications
The following topics describe how to generate OAuth access tokens using each of the two grant flows: