Different types of Authorization Grants and when to use them

Sriram Kumar Mannava
3 min read, Jul 23, 2023


Token-based authentication is one of the most popular and widely used approaches to authentication and identity management.

It is simple, easy to integrate, and makes the user experience better.

Applications can decouple the user identity and authentication layer into an externalized Authorization Server and delegate authentication to that server.

You only enter credentials at a centralized Identity Provider site, and the application accesses your profile or identity using a token that the Identity Provider issues to that application.

This token is specific to the application it was issued to; a token issued to one application cannot be used by another. This way you can ensure that your information is not being misused.

An Authorization Server or Secure Token Server is a component that is responsible for managing and issuing tokens to registered clients.

Identity Providers such as Google, Microsoft, Facebook etc. have their own Authorization servers that they have externalized for third-party app integrations.

You register your application as a client with the Authorization Server, with details about what information your application expects after authentication (such as email, profile, etc.), what scopes it may ask for, and the domain from which the request will be made.

On every request from this application, the Authorization Server validates these details and returns the requested information.

Authorization Grant Types define the different ways in which a client application can request tokens from an Authorization Server, depending on the scenario and use case.

The following are the popular Authorization Grant Types:

Implicit: Used to retrieve tokens via the browser. The client redirects the user to the Authorization Server; after consent, the server redirects back with the token in the browser, without any back-end call. This is not recommended; the Authorization Code flow must be used instead.

Authorization Code: Used to retrieve tokens over the back channel instead of the front end via the browser, and now recommended for all client-side applications. The client redirects the user to the Authorization Server, where the user is authenticated and provides consent. The Authorization Server redirects back to the client with an authorization code, which the client then exchanges through an API call for the required token information.

Client Credentials: Used in app-to-app scenarios, where an application requests tokens from an Authorization Server with its Client Id and Client Secret. The Authorization Server returns the tokens. No consent or redirection is involved, and requests happen via back-end API calls.

Resource Owner Password Credentials: Used in cases where an application impersonates a user and requests tokens based on a username and password combination.

Hybrid: An authentication flow where two or more flows are combined to get multiple token results. Possible examples are: authorization code with access token, authorization code with id token, access token and id token, etc.

Refresh Token: Used when a client needs to request a new access token using a refresh token that was obtained during the initial authentication.
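To make the Authorization Code flow described above concrete, here is an added Python example (not from the original post) that simulates the front-channel redirect and the back-channel code exchange against a toy in-memory Authorization Server; the client id, secret, redirect URI and token shape are constructed assumptions, and the user login and consent step is taken as already done.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed in-memory stand-in for an Authorization Server (assumption, not a real product).
class AuthorizationServer:
    def __init__(self, clients):
        self.clients = clients  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes = {}         # issued code -> (client_id, redirect_uri) it is bound to

    def authorize(self, client_id, redirect_uri, state):
        # Front channel: after login and consent, redirect the browser back with a short-lived code.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: authenticate the client, then accept the code only once and only from its owner.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise ValueError("client authentication failed")
        bound = self.codes.pop(code, None)  # pop makes the code single-use
        if bound != (client_id, redirect_uri):
            raise ValueError("invalid, replayed or mismatched authorization code")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}

def authorization_code_flow(server, client_id, client_secret, redirect_uri):
    # Client side: send the user to the server, verify the callback, exchange the code for tokens.
    state = secrets.token_urlsafe(16)  # ties the callback to this browser session
    callback_url = server.authorize(client_id, redirect_uri, state)
    params = parse_qs(urlparse(callback_url).query)
    if params.get("state") != [state]:
        raise ValueError("state mismatch: callback does not belong to this session")
    return server.token(client_id, client_secret, params["code"][0], redirect_uri)

# Constructed client registration (hypothetical values).
CLIENTS = {"web-app": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"}}
def replay_rejected():
    server = AuthorizationServer(CLIENTS)
    url = server.authorize("web-app", "https://app.example/cb", "st")
    code = parse_qs(urlparse(url).query)["code"][0]
    server.token("web-app", "s3cret", code, "https://app.example/cb")  # first use succeeds
    try:
        server.token("web-app", "s3cret", code, "https://app.example/cb")  # replay
    except ValueError:
        return True
    return False
```

The token never passes through the browser: only the short-lived code does, and the server refuses a code that is replayed, presented by a different client, or sent with a different redirect URI.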

You can find more resources about authorization and implementing these grant types in ASP.NET Core here: https://referbruv.com/categories/identityserver4/
