OAuth 2.0

Complete reference for OAuth 2.0 grant types supported by Authority.

Grant Type Overview

Available Grant Types

Grant Type Comparison

Grant Type	Use Case	Client Type	Security
Authorization Code	Web apps with backend	Confidential	High
Authorization Code + PKCE	Mobile apps, SPAs	Public	High
Client Credentials	Server-to-server	Confidential	High
Device Code	IoT, CLI, Smart TVs	Public	Medium
Refresh Token	Token renewal	Both	High
Implicit	Legacy SPAs	Public	Low
Password	Trusted first-party	Confidential	Medium

Endpoints

Endpoint	Method	Description
/authorize	GET	Start authorization flow
/token	POST	Exchange code for tokens
/token/introspect	POST	Validate a token
/token/revoke	POST	Revoke a token
/device	POST	Start device flow

Recommended Flows

For Web Applications

Use Authorization Code with a backend:

User → Your App → Authority → Your App Backend → Token

For Mobile Apps / SPAs

Use Authorization Code + PKCE:

User → Your App → Authority → Your App → Token (with PKCE)

For Backend Services

Use Client Credentials:

Your Service → Authority → Token

For CLI / IoT Devices

Use Device Code:

Device → Authority → User on Browser → Device polls → Token

Security Recommendations

Do:

• Always use HTTPS

• Validate state parameter

• Use PKCE for public clients

• Store tokens securely

• Validate tokens server-side

Avoid:

• Implicit grant (deprecated)

• Password grant for third-party apps

• Long-lived access tokens

• Storing tokens in localStorage

Standards

Authority implements these RFCs:

• RFC 6749 - OAuth 2.0 Framework

• RFC 6750 - Bearer Token Usage

• RFC 7636 - PKCE

• RFC 7662 - Token Introspection

• RFC 7009 - Token Revocation

• RFC 8628 - Device Authorization

Next Steps

• Authorization Code - Standard web app flow

• Authorization Code + PKCE - Mobile/SPA flow

• Client Credentials - Machine-to-machine

• Device Flow - IoT and CLI devices