OAuth 2 - What is the difference between 'Username and Password Flow' vs 'Client Credential Flow'

Tags:

oauth-2.0

In both cases the user's credentials are being exchanged for an access token. Can someone explain the difference?

Here is a description of the flows from http://hueniverse.com:

• User-Agent Flow – for clients running inside a user-agent (typically a web browser).
• Web Server Flow – for clients that are part of a web server application, accessible via HTTP requests. This is a simpler version of the flow provided by OAuth 1.0.
• Device Flow – suitable for clients executing on limited devices, but where the end-user has separate access to a browser on another computer or device.
• Username and Password Flow – used in cases where the user trusts the client to handle its credentials but it is still undesirable for the client to store the user’s username and password. This flow is only suitable when there is a high degree of trust between the user and the client.
• Client Credentials Flow – the client uses its credentials to obtain an access token. This flow supports what is known as the 2-legged scenario.
• Assertion Flow – the client presents an assertion such as a SAML assertion to the authorization server in exchange for an access token.
schmoopy asked Aug 06 '12 17:08


1 Answer

You're mixing up client and user credentials here.

Client in the context of OAuth always refers to the application that gets authorized. Thus in the Client Credentials Flow an application directly authorizes itself with the provider without any input from a user (also called 2-legged flow as only two parties are involved).

The Username and Password Flow is a 3-legged flow. A user provides his username and password to an application, the application then requests data from the provider using these credentials.

Jan Gerlinger answered Sep 29 '22 12:09
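The two token requests the answer contrasts, side by side, as an added example that is not part of the original question or answer. It builds the Client Credentials request (RFC 6749 section 4.4) and the Resource Owner Password Credentials request (RFC 6749 section 4.3) exactly as a client would send them, then feeds both to a toy token endpoint so the difference is visible: in the first the token's subject is the application itself (two parties), in the second the application forwards the user's own password and the token is issued for that user (three parties). The client id, client secret, user account and token endpoint URL are constructed placeholders, and the `subject` field in the toy response is not a standard OAuth 2.0 field, it is added only to make the distinction observable.

```python
"""Client Credentials grant vs Resource Owner Password Credentials grant.

Added example code; all names, secrets and the token endpoint are
constructed placeholders, not a real authorization server.
"""
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed registry: the only client and user the toy server knows about.
REGISTERED_CLIENTS = {"report-batcher": "s3cr3t-client-secret"}   # hypothetical
USER_ACCOUNTS = {"alice": "correct horse battery staple"}          # hypothetical
TOKEN_ENDPOINT = "https://auth.example.com/token"                  # hypothetical


def _basic_auth(client_id, client_secret):
    """HTTP Basic client authentication, as RFC 6749 section 2.3.1 allows."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded"}


def client_credentials_request(client_id, client_secret):
    """2-legged: the client asks for a token on its own behalf. No user anywhere."""
    return {"url": TOKEN_ENDPOINT,
            "headers": _basic_auth(client_id, client_secret),
            "body": urlencode({"grant_type": "client_credentials",
                               "scope": "reports:read"})}


def password_request(client_id, client_secret, username, password):
    """3-legged: the client still authenticates itself, but also forwards the
    user's own username and password. That is why this grant needs a client
    the user trusts with the raw password."""
    return {"url": TOKEN_ENDPOINT,
            "headers": _basic_auth(client_id, client_secret),
            "body": urlencode({"grant_type": "password",
                               "username": username,
                               "password": password,
                               "scope": "reports:read"})}


def _authenticate_client(headers):
    """Return the client_id when the Basic credentials match a registered client."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    expected = REGISTERED_CLIENTS.get(client_id)
    if expected is None or not hmac.compare_digest(expected.encode(), secret.encode()):
        return None
    return client_id


def token_endpoint(request):
    """Toy authorization server. Both grants require a valid client; only the
    password grant additionally checks a user. Returns the token response or
    an RFC 6749 error object. 'subject' is a non-standard field added here
    to show whom the token was issued for."""
    client_id = _authenticate_client(request["headers"])
    if client_id is None:
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        subject = client_id              # the application itself owns the token
    elif grant == "password":
        user, pw = form.get("username"), form.get("password", "")
        stored = USER_ACCOUNTS.get(user)
        if stored is None or not hmac.compare_digest(stored.encode(), pw.encode()):
            return {"error": "invalid_grant"}
        subject = user                   # the user owns the token, the client acts for them
    else:
        return {"error": "unsupported_grant_type"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "scope": form.get("scope", ""),
            "client_id": client_id, "subject": subject}


if __name__ == "__main__":
    print(token_endpoint(client_credentials_request("report-batcher", "s3cr3t-client-secret")))
    print(token_endpoint(password_request("report-batcher", "s3cr3t-client-secret",
                                          "alice", "correct horse battery staple")))
```

Note that the password grant fails with `invalid_grant` when the user's password is wrong even though the client authenticated correctly, while a bad client secret is rejected as `invalid_client` for either grant: the client's identity and the user's identity are checked separately, which is the distinction the answer draws.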