
Understanding OAuth Authorization Flow and Grant Types

This article explains OAuth 2.0, the protocol that lets a third‑party application access a user's resources without ever handling the user's password. It describes the authorization architecture, the parties involved, the step‑by‑step authorization code flow, the four grant types defined by RFC 6749, and how a refresh token replaces an expired access token.

UC Tech Team

OAuth 2.0 is a standard authorization framework that lets a third‑party application act on a user's behalf without being given the user's password. Instead of sharing credentials, the user delegates a limited, revocable permission, and the application receives a token that stands for exactly that permission.

The architecture inserts an authorization layer between the client (the ISV application) and the service provider. The user consents to a specific set of permissions; the provider then issues an access token bound to those permissions (its scope) and to a lifetime. The client never sees the user's credentials, and the API will do nothing for it that the token's scope does not allow.

The key roles are the ordinary user, who owns the data (the resource owner in OAuth terms); the client application, here the ISV; and the platform provider, which runs both the authorization server that issues tokens and the resource server (the API) that accepts them. OAuth is an authorization protocol: it tells the API what the client may do, not who the user is. The user authenticates at the platform's own login page, and if the client needs to learn the user's identity it needs a layer such as OpenID Connect on top of OAuth.

In the authorization code flow the process runs as follows:

1. The user asks the client to do something that needs their data on the platform.

2. The client redirects the user's browser to the platform's authorization endpoint, passing its client_id, the redirect_uri it registered, the scope it needs, and a random state value that it will check on return.

3. The user logs in to the platform (the client never sees these credentials) and approves, or narrows, the requested permissions.

4. The platform redirects the browser back to the registered redirect_uri with a short‑lived, single‑use authorization code and the echoed state.

5. The client's backend verifies the state, then sends the code together with its own client credentials to the platform's token endpoint, which returns an access token and optionally a refresh token.

6. The client calls the platform's API with the access token as a bearer credential and receives the user's data.

Older OAuth 1.0 flows first fetched a "request token" before redirecting the user; OAuth 2.0 drops that step. The authorization code is the only artefact that passes through the browser, and on its own it is useless: the token endpoint refuses it unless the presenting client authenticates and the redirect_uri matches the one the code was issued for.

OAuth 2.0 (RFC 6749) defines four grant types, each a different way for the client to obtain an access token:

Authorization Code Grant – the user is redirected to the platform, and the client's backend exchanges the returned authorization code, together with its client credentials, for an access token. The token never passes through the browser. This is the grant to use for any application that has a user; public clients that cannot keep a secret (mobile and single‑page apps) should add PKCE, which binds the code to the client instance that started the flow.

Implicit Grant – the access token is returned directly in the browser redirect URL, skipping the code exchange. Because the token is exposed in the URL, in browser history and in referrers, and cannot be bound to the client, the OAuth 2.0 Security Best Current Practice advises against it; authorization code with PKCE replaces it.

Resource Owner Password Credentials Grant – the user types their platform username and password into the client, which forwards them to the token endpoint. This defeats the point of OAuth, since the client sees the password, and the same Best Current Practice prohibits it; it survives only in legacy first‑party clients that are being migrated.

Client Credentials Grant – the client authenticates itself to the token endpoint with its own credentials and receives a token without any user involved. It is meant for machine‑to‑machine access to the client's own resources; such tokens carry no user context, and no refresh token is issued, since the client can simply request a new token when one expires.

Access tokens are deliberately short‑lived. When one expires, the client does not send the user back through the login page; it sends a request to the token endpoint with grant_type set to "refresh_token", the refresh token itself, its client credentials, and optionally a scope, which may be equal to or narrower than the scope originally granted but never wider. The platform answers with a new access token and may also issue a new refresh token, invalidating the old one so that a leaked refresh token can be used at most once. A refresh token is therefore a long‑lived credential and must be stored as carefully as a password.
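To make the six steps above and the refresh exchange concrete, here is an added example, not code from the article or from any particular platform: an in‑memory OAuth 2.0 authorization server and a confidential client in Python. Everything in it is constructed for illustration, including the AuthorizationServer and Client classes, the client_id isv-app, its secret and the redirect URI https://isv.example/cb; a real deployment would put the same logic behind HTTPS endpoints and a real login page. The server enforces the checks the flow relies on: codes are bound to the client and redirect_uri, expire after 60 seconds and work once; the client must authenticate at the token endpoint; a refresh may narrow but never widen scope and rotates the refresh token; the client_credentials grant issues no refresh token. The client generates a state value and rejects any redirect it did not start.

```python
# Added example, not the article's code: an in-memory OAuth 2.0 authorization server and a
# confidential client. AuthorizationServer, Client, 'isv-app' and the URLs are invented here.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ACCESS_TTL = 3600   # access tokens are short-lived
CODE_TTL = 60       # an authorization code is exchanged within seconds

class OAuthError(Exception):
    """Carries an RFC 6749 error code such as 'invalid_grant'."""

class AuthorizationServer:
    def __init__(self, clients, now):
        self.clients, self.now = clients, now   # client_id -> {"secret", "redirect_uris"}; clock for expiry
        self.codes = {}            # code -> (client_id, redirect_uri, scope, expires)
        self.refresh_tokens = {}   # refresh_token -> (client_id, scope)
        self.access_tokens = {}    # access_token -> (client_id, scope, expires)

    def authorize(self, client_id, redirect_uri, scope, state):
        # Steps 3-4: the user has logged in and consented; send a one-time code back.
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise OAuthError("invalid_request")   # never redirect to an unregistered URI
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, scope, self.now() + CODE_TTL)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, p):
        # Token endpoint: authenticate the client first, then dispatch on grant_type.
        client = self.clients.get(p.get("client_id"))
        if client is None or not secrets.compare_digest(client["secret"], p.get("client_secret", "")):
            raise OAuthError("invalid_client")
        grant = p.get("grant_type")
        if grant == "authorization_code":
            entry = self.codes.pop(p.get("code"), None)   # pop: a code is single use
            if entry is None or entry[:2] != (p["client_id"], p.get("redirect_uri")) or self.now() > entry[3]:
                raise OAuthError("invalid_grant")
            return self._issue(p["client_id"], entry[2], refresh=True)
        if grant == "refresh_token":
            rt, entry = p.get("refresh_token"), self.refresh_tokens.get(p.get("refresh_token"))
            if entry is None or entry[0] != p["client_id"]:
                raise OAuthError("invalid_grant")
            scope = p.get("scope", entry[1])
            if not set(scope.split()) <= set(entry[1].split()):
                raise OAuthError("invalid_scope")   # a refresh may narrow scope, never widen it
            del self.refresh_tokens[rt]             # rotate: every refresh token works exactly once
            return self._issue(p["client_id"], scope, refresh=True)
        if grant == "client_credentials":
            return self._issue(p["client_id"], p.get("scope", ""), refresh=False)   # no user, no refresh token
        raise OAuthError("unsupported_grant_type")

    def _issue(self, client_id, scope, refresh):
        access = secrets.token_urlsafe(32)
        self.access_tokens[access] = (client_id, scope, self.now() + ACCESS_TTL)
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": ACCESS_TTL, "scope": scope}
        if refresh:
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh_tokens[resp["refresh_token"]] = (client_id, scope)
        return resp

    def is_live(self, access_token):
        # Step 6, resource-server side: accept only a known, unexpired bearer token.
        entry = self.access_tokens.get(access_token)
        return entry is not None and self.now() <= entry[2]

class Client:
    def __init__(self, client_id, secret, redirect_uri, server):
        # The ISV backend: a confidential client that keeps its secret and tracks state.
        self.client_id, self.secret, self.redirect_uri, self.server = client_id, secret, redirect_uri, server
        self.pending = {}   # state -> scope, one entry per flow this client started

    def start(self, scope):
        state = secrets.token_urlsafe(16)
        self.pending[state] = scope
        return {"response_type": "code", "client_id": self.client_id,
                "redirect_uri": self.redirect_uri, "scope": scope, "state": state}

    def finish(self, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        if self.pending.pop(q.get("state", [None])[0], None) is None:
            raise OAuthError("state_mismatch")   # not a flow we began: blocks login CSRF
        return self.server.token({"grant_type": "authorization_code", "code": q.get("code", [None])[0],
                                  "redirect_uri": self.redirect_uri,
                                  "client_id": self.client_id, "client_secret": self.secret})

def demo():
    # Happy path: code exchange, access token expiry, then refresh. Returns the outcomes.
    clock = [1_700_000_000.0]
    reg = {"isv-app": {"secret": "isv-app-secret", "redirect_uris": {"https://isv.example/cb"}}}
    srv = AuthorizationServer(reg, now=lambda: clock[0])
    cli = Client("isv-app", "isv-app-secret", "https://isv.example/cb", srv)
    req = cli.start("read:profile")                  # step 2: user is sent off with these parameters
    redirect = srv.authorize(req["client_id"], req["redirect_uri"], req["scope"], req["state"])
    tokens = cli.finish(redirect)                    # step 5: backend swaps the code for tokens
    live = srv.is_live(tokens["access_token"])       # step 6: resource access works
    clock[0] += ACCESS_TTL + 1                       # the access token expires
    fresh = srv.token({"grant_type": "refresh_token", "refresh_token": tokens["refresh_token"],
                       "client_id": "isv-app", "client_secret": "isv-app-secret"})   # refresh_token grant
    return {"live": live, "expired": not srv.is_live(tokens["access_token"]),
            "refreshed": srv.is_live(fresh["access_token"]),
            "old_refresh_revoked": tokens["refresh_token"] not in srv.refresh_tokens}
```

Running demo() performs the whole exchange against an injected clock: the first access token is accepted, stops being accepted once ACCESS_TTL seconds have passed, and the refresh request yields a fresh token while the old refresh token disappears from the server. Two failure cases are worth exercising in any real implementation and both are handled here: replaying the redirect fails at the client because the state has already been consumed, and replaying the code at the token endpoint fails with invalid_grant because the code was popped on first use.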

Tags: security, API, Authorization, OAuth, access token, Grant Types, Refresh Token
Written by UC Tech Team

We provide high-quality technical articles on client, server, algorithms, testing, data, front-end, and more, including both original and translated content.
