What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?

by

The access_token is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it:

  1. User must authenticate and returns a code to the API consumer (called the “Client”).
  2. The “client” of the API (usually your web server) exchanges the code obtained in #1 for an access_token, authenticating itself with a client_id and client_secret
  3. It then can call the API with the access_token.

So, there’s a double check: the user that owns the resources surfaced through an API and the client using the API (e.g. a web app). Both are validated for access to be granted. Notice the “authorization” nature of OAuth here: user grants access to his resource (through the code returned after authentication) to an app, the app get’s an access_token, and calls on the user’s behalf.

In the implicit flow, step 2 is omitted. So after user authentication, an access_token is returned directly, that you can use to access the resource. The API doesn’t know who is calling that API. Anyone with the access_token can, whereas in the previous example only the web app would (it’s internals not normally accessible to anyone).

The implicit flow is usually used in scenarios where storing client id and client secret is not recommended (a device for example, although many do it anyway). That’s what the the disclaimer means. People have access to the client code and therefore could get the credentials and pretend to become resource clients. In the implicit flow all data is volatile and there’s nothing stored in the app.

More Related Contents:

  1. How is OAuth 2 different from OAuth 1?
  2. How to validate an OAuth 2.0 access token for a resource server?
  3. Why do access tokens expire?
  4. OAuth 2.0: Benefits and use cases — why?
  5. What is the purpose of the implicit grant authorization type in OAuth 2?
  6. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  7. JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?
  8. OAuth 2.0 with Google Analytics API v3
  9. gapi.auth.signOut(); not working I’m lost
  10. LinkedIn OAuth2: “Unable to verify access token”
  11. OAuth Authorization vs Authentication
  12. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  13. Can I really not ship open source with Client ID? [closed]
  14. CORS issue while making an Ajax request for oauth2 access token
  15. How to validate Azure AD security token?
  16. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  17. What are the main differences between JWT and OAuth authentication?
  18. What is the OAuth 2.0 Bearer Token exactly?
  19. Is there any JSON Web Token (JWT) example in C#?
  20. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  21. Spring OAuth redirect_uri not using https
  22. Sign in with Google temporarily disabled for this app
  23. Disable checkboxes on Google consent screen
  24. What exactly is OAuth (Open Authorization)?
  25. How to change Google consent screen email?
  26. Twitter API – Logout
  27. Refresh token using Omniauth-oauth2 in Rails application
  28. Google API OAuth2, Service Account, “error” : “invalid_grant”
  29. Netsuite OAuth Not Working
  30. Securing my REST API with OAuth while still allowing authentication via third party OAuth providers (using DotNetOpenAuth)

Leave a Comment