OAuth - Which Grant Type To Choose?


Hi,

I am working on a set of API Proxies which are going to be invoked by consumer applications, which could be websites running on web servers or mobile apps running on end users' devices.

Please note that these consumer applications (websites / mobile apps) will be developed by the developers of organisations with which my company, which is offering these APIs, will have a trusted relationship before their developers can start coding their applications against our APIs (a B2B2C type scenario).

In the light of the above scenario, can you please suggest which OAuth2 Grant type I should adopt?

Thanks.


Hello @Sapan Desai,

There are four grant types, any of which you could make use of. The grant type to use depends on whether the client is truly confidential (trusted) or a public client (untrusted). As you mentioned, in your case the APIs are going to be leveraged by trusted desktop/mobile apps, hence I recommend either client_credentials (in case the app runs on a server) or Authorization Code (in case the app runs in a web browser).

Thanks,

Karthik

Thanks @Karthik Prabhu, @snehal chakraborty.

Can I have these two grant types (client_credentials for websites running on a server and Authorization Code for apps running on end users' devices) applied conditionally to the same set of API Proxies?

If yes, how can I make Apigee recognise whether the incoming API request is from a website or a mobile app and apply the grant type accordingly?

Agree with @Sujith Mathew's answer: use different API keys. In case the apps connect to a backend which in turn calls your API, then client_credentials is an option too. If the apps are calling the API natively, then I would recommend implicit instead of auth code, as it will save an API call and there is no need to extract the auth code either (Note: implicit works almost the same way as authorisation code).

Yes you can.

Use different API keys (product and app in Apigee) for the website and the apps.

Use the API key to differentiate the flow.

Hope the answer suffices.

Regards

Sujith Mathew
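As an added illustration (not code from this thread or from Apigee), here is a small Python model of the approach above: each channel gets its own API key, and the gateway's grant decision is driven by what that key was registered for. The app names, secrets, registry and the `decide_grant` function are all constructed for the example.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegisteredApp:
    """A developer app (API key) registered at the gateway. Constructed sample data."""
    client_id: str
    client_secret: Optional[str]    # None for public clients (native/mobile apps)
    confidential: bool              # True only if the app runs on a server the partner controls
    allowed_grants: frozenset[str]  # grant types this channel may use


# Constructed registry: one key per channel, so the key itself tells us which flow applies.
APPS = {
    "web-partner-key": RegisteredApp(
        "web-partner-key", "server-side-secret-EXAMPLE", True,
        frozenset({"client_credentials", "authorization_code"})),
    "mobile-partner-key": RegisteredApp(
        "mobile-partner-key", None, False, frozenset({"implicit"})),
}


def decide_grant(client_id: str, grant_type: str,
                 client_secret: Optional[str] = None) -> dict:
    """Admit or reject a grant request for one registered app.

    Returns an OAuth-style error dict on rejection, otherwise an issued bearer token.
    """
    app = APPS.get(client_id)
    if app is None:
        return {"error": "invalid_client"}
    if app.confidential:
        # Confidential apps must prove possession of their secret; compare in constant time.
        if client_secret is None or not hmac.compare_digest(client_secret, app.client_secret):
            return {"error": "invalid_client"}
    elif client_secret is not None:
        # A public (device-side) client was never issued a secret; reject rather than trust one.
        return {"error": "invalid_client"}
    if grant_type not in app.allowed_grants:
        # The key is registered for another channel; the caller does not get to pick a weaker flow.
        return {"error": "unauthorized_client"}
    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "client_id": client_id, "grant_type": grant_type}
```

The same check maps onto a gateway conditional flow keyed on the verified app's attributes; the point is that the allowed grant type is a property of the registered app, not something the request may choose.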

Hi @Sapan Desai,

It will depend on your design and the type of resource data offered by the API. I can see the following options based on your design:

1. authorisation_code: In case the API offers sensitive information, where the end user of the app/website needs to provide his/her consent to allow the API to fetch resource data; an example is an API offering banking transaction data.

2. implicit: Same case as above, but the API is called in a native manner.

3. client_credentials: In case only the consuming app/website needs to be authenticated. This is also the easiest to implement. Based on the description you have given, I feel this suits your requirement, but I would recommend vetting all options before finalizing, as authentication is of utmost importance.

Note: I am ruling out password_grant because you mentioned that the consumers are outside your organisation.