OAuth 2.0 Protocol Overview and Grant Types
This article provides a comprehensive introduction to the OAuth 2.0 protocol, covering its core concepts, authorization flow, four grant types (authorization code, implicit, resource owner password credentials, client credentials), request and response parameters, token handling, and practical examples with code snippets.
OAuth 2.0 is an authorization framework that enables third‑party applications to obtain limited access to HTTP resources on behalf of a resource owner without sharing credentials.
The specification defines four roles—Resource Owner, Client, Authorization Server, and Resource Server—and introduces key concepts such as access tokens, refresh tokens, scopes, and redirect URIs.
The standard authorization flow consists of the client directing the user to the authorization server, the user granting consent, the server issuing an authorization code, and the client exchanging that code for an access token (and optionally a refresh token). The token response includes the access_token, token_type, expires_in, and scope fields.
OAuth 2.0 defines four grant types:
Authorization Code Grant – the most common flow for server‑side applications.
Implicit Grant – issues the access token directly in the redirect URI fragment for pure client‑side apps.
Resource Owner Password Credentials Grant – allows trusted clients to exchange a username and password for a token.
Client Credentials Grant – enables a client to obtain a token using only its own credentials, suitable for machine‑to‑machine communication.
Each grant type has specific request parameters (e.g., response_type, client_id, redirect_uri, scope, state) and response formats. Example request lines are shown below, first the authorization request and then the token request:

GET /authorize?response_type=code&client_id=s6BhdRkqt3&state=xyz&redirect_uri=https://client.example.com/cb HTTP/1.1
Host: server.example.com

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=https://client.example.com/cb

Tokens can be refreshed using the refresh token grant, and error handling follows the standard error, error_description, and error_uri parameters.
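As an added example (not code from the original article), the authorization code exchange shown above carried through in Python: a minimal in-memory authorization server that issues a single-use code bound to the requesting client_id and redirect_uri, and a client that checks the state parameter on the callback before redeeming the code at the token endpoint. The client id, client secret, redirect URI and scope are constructed sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample values, shaped like the RFC 6749 request lines quoted above.
CLIENT_ID, CLIENT_SECRET = "s6BhdRkqt3", "gX1fBat3bV"
REDIRECT_URI = "https://client.example.com/cb"


class AuthorizationServer:
    """Minimal in-memory authorization server for the authorization code grant."""
    def __init__(self):
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}  # registered clients
        self.codes = {}  # authorization code -> (client_id, redirect_uri, scope)

    def authorize(self, query):
        """GET /authorize: verify client_id and the registered redirect_uri, then redirect back with a code."""
        q = {k: v[0] for k, v in parse_qs(query).items()}
        client = self.clients.get(q.get("client_id"))
        if client is None or q.get("redirect_uri") != client[1]:
            raise ValueError("invalid_request")  # show an error page; never redirect to an unregistered URI
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q.get("scope", ""))
        return client[1] + "?" + urlencode({"code": code, "state": q.get("state", "")})

    def token(self, form, client_id, client_secret):
        """POST /token: authenticate the client (the HTTP Basic credentials) and redeem a single-use code."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client[0]):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        grant = self.codes.pop(form.get("code", ""), None)  # pop() makes every code single-use
        if grant is None or grant[0] != client_id or grant[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}  # the code is bound to the client and redirect_uri that requested it
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "scope": grant[2]}


def run_client_flow(server, tamper_state=False):
    """Client side: build the /authorize URL, check state on the callback, then exchange the code."""
    state = secrets.token_urlsafe(16)  # kept in the user's session; ties the callback to this login attempt
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID, "state": state,
                       "redirect_uri": REDIRECT_URI, "scope": "read"})
    callback = server.authorize(query)  # the user agent is redirected to this URL after consent
    cb = {k: v[0] for k, v in parse_qs(urlparse(callback).query).items()}
    if tamper_state:
        cb["state"] = "not-this-session"  # simulate a callback that did not originate from this session
    if cb.get("state") != state:
        return {"error": "state_mismatch"}  # reject before redeeming: this session never requested that code
    form = {"grant_type": "authorization_code", "code": cb["code"], "redirect_uri": REDIRECT_URI}
    return server.token(form, CLIENT_ID, CLIENT_SECRET)
```

A real server would also expire codes after a short interval and revoke any token already issued when a code is presented twice.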
The article also lists reference RFCs and additional reading links for deeper study.
Top Architect
Top Architect focuses on sharing practical architecture knowledge, covering enterprise, system, website, large‑scale distributed, and high‑availability architectures, plus architecture adjustments using internet technologies. We welcome idea‑driven, sharing‑oriented architects to exchange and learn together.