2.1 Selecting the Authorization Grant Type

The tokens (access, refresh, and ID tokens) are the key to use OAuth 2.0 and OpenID Connect.

The OAuth protocol provides different ways to obtain these tokens. You can use the appropriate authorization grant type based on the business requirements.

Authorization Grant

Type of Application

Authorization Code

Server-side Applications

Authorization Code with PKCE

Native applications


  • Single page applications, where navigation between different screens of the website can be performed without loading different webpage in the browser. For example, Gmail.

  • Applications that run on the user's device such as, mobile apps

  • Web applications that do not require high security

Resource Owner Password Credentials

  • Highly trusted applications or the applications that are owned by the service itself, such as a mobile application

  • Legacy application migrating to OAuth

Client Credentials

  • Headless clients

  • Batch processing scripts

SAML 2.0 Bearer Grant

Applications that already have the SAML assertions and require to access the OAuth protected resources.