IdentityServer4 — Part 2 — GrantTypes, ResponseTypes — Digitteck
IdentityServer4 — Part 2 — GrantTypes, ResponseTypes
dotnet·20 September 2019·3 min read

IdentityServer4 — Part 2 — GrantTypes, ResponseTypes

Authorization flows are the result of two parameters operating at two different endpoints:response_type at the authorization endpoint and grant_type at the token endpoint. Understanding the distinction between them is key to reasoning about which flow is executing.

response_type

Sent to the authorization endpoint. Tells the server which grant flow the client wants and what it expects in return:

  • code — Authorization Code flow; server returns an authorization code
  • token — Implicit flow; server returns an access token directly
  • id_token token — adds OpenID user identity; must include openid scope
javascript
// Authorization endpoint — client specifies response_type to determine the flow
// response_type=code → Authorization Code flow; server returns an authorization code
GET /connect/authorize
  ?response_type=code
  &client_id=my_client
  &redirect_uri=https://myapp.com/callback
  &scope=openid profile api1
  &state=abc123

grant_type

Sent to the token endpoint. Tells the server what the client is exchanging for an access token:

  • authorization_code — exchange the code received from the authorization endpoint
  • refresh_token — exchange a refresh token for a new access token
  • client_credentials — machine-to-machine; exchange client secret for access token
javascript
// Token endpoint — client exchanges the authorization code for an access token
// grant_type=authorization_code → exchange code for token
POST /connect/token
Content-Type: application/x-www-form-urlencoded

  grant_type=authorization_code
  &code=SplxlOBeZQQYbYS6WxSbIA
  &redirect_uri=https://myapp.com/callback
  &client_id=my_client
  &client_secret=my_secret

// grant_type=refresh_token → exchange refresh token for a new access token
POST /connect/token
Content-Type: application/x-www-form-urlencoded

  grant_type=refresh_token
  &refresh_token=tGzv3JOkF0XG5Qx2TlKWIA
  &client_id=my_client
  &client_secret=my_secret

// grant_type=client_credentials → machine-to-machine; no user context
POST /connect/token
Content-Type: application/x-www-form-urlencoded

  grant_type=client_credentials
  &client_id=my_client
  &client_secret=my_secret
  &scope=api1

Flow ↔ response_type Mapping

Flowresponse_type
AuthorizationCodecode
Implicittoken
Implicitid_token
Hybridid_token token
Hybridcode id_token
Hybridcode token
Hybridcode id_token token

GrantTypes in IdentityServer4

IdentityServer4 defines 6 grant types in its source and exposes them through the GrantTypes static class. A client's AllowedGrantTypes determines which flows it can participate in:

csharp
// IdentityServer4 — GrantTypes.Code maps to authorization_code + optional refresh_token
new Client
{
    ClientId     = "my_client",
    ClientSecrets = { new Secret("my_secret".Sha256()) },
    AllowedGrantTypes = GrantTypes.Code,        // authorization_code
    // GrantTypes.ClientCredentials              // client_credentials
    // GrantTypes.Implicit                       // implicit (front-channel only)
    // GrantTypes.ResourceOwnerPassword          // resource owner password
    // GrantTypes.Hybrid                         // code + id_token combinations
    // GrantTypes.DeviceFlow                     // device authorization

    RedirectUris          = { "https://myapp.com/callback" },
    AllowOfflineAccess    = true,               // enables refresh_token grant
    AllowedScopes         = { "openid", "profile", "api1" },
};

Tags

.NETIdentityServer4OAuth2OpenID Connect
digitteck

© 2026 Digitteck