OAuth 2.0 Grant Types:

As OAuth 2.0 includes several different grant types, you will need to decide which grant type is right for your application. BYU's API Manager supports four different grant types: Client Credentials, Authorization Code, Implicit, and Resource Owner Credentials. Figuring out which Grant Type you should use for an application can be a little overwhelming as there are a lot of things to think of with OAuth. To try to make things easier, here are the four supported grant types as well as a basic summary of when they should be used:


Client Credentials Grant Type: This grant type is used when an application needs to call an API on it's own without a "user" (Resource Owner) initiating the communication. This is particularly useful for microservices that need to call other APIs, or for batch jobs. Any code that does not have real life users sitting at the keyboard will need to use this grant type.

Authorization Code Grant Type: This grant type is used when an application has users (Resource Owners) sitting at the keyboard (such as a webapp). If you want to authenticate the user and identify the user to the back-end APIs then this is the grant type to use! Authorization Code grant type also allows the application to renew the user's token without them logging in again by using what is called a refresh token. This refresh token must be kept secure as it provides non-expiring access to the APIs. 

Implicit Grant Type: Implicit grant type works exactly the same way as Authorization Code, with the exception of the refresh token. With implicit grant type the application does not recieve a refresh token for the user. As such, once the user's token expires they will have to be redirected to BYU's login screen and potentially have to log in again in order to get a new token. Use this grant type if you have users but don't have a way to secure the refresh token (such as in a Single Page Application). 

Resource Owner Password Credentials Grant Type: This grant type should be used in cases where the application is capturing the user's (Resource Owner's) credentials. The user's credentials are used to recieve a token for the user much like in Authorization Code grant type, with the exception that the user will never see a BYU Login screen as you have already captured the user's credentials some other way. This is the least commonly used grant type as most situations allow for the use of Authorization Code or Implicit grant types which frees the application from worrying about storing user credentials.


If, after reading the above descriptions, you are not quite sure which grant type you should use, pick the one that sounds the most correct and go ahead and read the additional documentation for that section. If the corresponding section has not answered your question feel free to ask your question on ask! There, the developers and engineers who have experience with these issues will gladly help you find the answer to your question!