An OAuth2 Grant Selection Decision Tree for Securing REST APIs

OAuth2 protocol, grants, and guidelines for selecting grants

--

One of the most widely used security protocols for securing REST APIs is OAuth2. The OAuth2 specification defines four grant types for obtaining access tokens; which one applies depends on the type of the access token owner, the type of the application, and the level of trust you have in the application. It is important to understand the fundamentals of OAuth grants before securing REST APIs with OAuth, because a poorly chosen grant directly affects both application security and user experience. In this article, I will explain the four types of grants and give guidelines for selecting each grant based on a simple decision tree.

Abstract Protocol Workflow

Figure 1: OAuth2 Abstract Protocol Workflow

Let’s first understand the roles used in the OAuth2 specification:

  • Resource Server
    The resource server can be thought of as a web server that hosts a collection of resources and protects them using the OAuth2 protocol.
  • Resource Owner
    The resource owner would be the user who owns the resources…
