Switch to embedded reader
OAuth: "grant" vs "flow" vs "grant type"
2024-03-29T08:15:24-07:00 Is it called an OAuth "grant" or a "flow"? What about "grant type"?These are common questions when writing documentation for OAuth-related things. While these terms are all used in RFC 6749 and many extensions, the differences between the terminology is never actually explained.
I wanted to finally write down a definition of the terms, along with examples of when each is appropriate.
-
flow - use "flow" when referring to the end-to-end process, for example:
- "the client initiates the flow by..."
- "the flow ends with the successful issuance of an access token"
- This can also be combined with the type of flow, for example:
- "The Authorization Code flow starts by..."
-
grant - use "grant" when referring to the specific POST request to the token endpoint, for example:
- "The authorization code grant includes the PKCE code verifier..."
- "The refresh token grant can be used with or without client authentication..."
- "Grant" also refers to the abstract concept of the user having granted authorization, which is expressed as the authorization code, or implicitly with the client credentials grant. This is a bit of an academic definition of the term, and is used much less frequently in normal conversation around OAuth.
-
grant type - use "grant type" when referring to the definition of the flow in the spec itself, for example:
- "there are several drawbacks to the Implicit grant type"
- "the Authorization Code grant type enables the use of..."
Let me know if you have any suggestions for clarifying any of this, or any other helpful examples to add! I'm planning on adding this summary to OAuth 2.1 so that we have a formal reference for it in the future!