Authorization flows (improperly called grants by various authors) are cycles that are not managed directly by the framework but result from the combined use of the authorization endpoint and the token endpoint. A flow is determined by two main factors: the response_type and the grant_type.
The response_type targets the authorization endpoint: that endpoint looks in the request headers for a response_type and returns a code according to its value.
The response type tells the authorization server which grant flow will be executed and which grant the client is asking for. The authorization server needs to know which grant the client wants to use, since this determines the kind of credential it will issue: for the Authorization Code grant it issues an authorization code, for the Implicit grant it issues an access token.
- response_type = code
  - the endpoint returns an authorization code. This makes the flow an authorization_code flow (similar name to the grant_type, but it does not stop the token endpoint from releasing several other grant types such as refresh_token)
  - the application uses this code and calls the token endpoint with grant_type=authorization_code to get the access token
- response_type = token
  - the endpoint returns an access token.
- response_type = token id_token
  - adding id_token makes the authorization endpoint also return the user identification (claim type sub). Here the scope must include the openid scope.
Example: target the authorization endpoint and ask for an authorization code (code); this triggers the authorization code grant/flow.
The grant_type targets the token endpoint: that endpoint looks in the request headers for a grant_type and returns a type of information based on its value. A grant type is a request for a specific piece of information (sometimes through an exchange); in this way the client is "granted" that information.
- grant_type=authorization_code uses the authorization code received from the authorization endpoint and exchanges it at the token endpoint for an access token
- grant_type=refresh_token uses the previously received refresh token to get a new access token
- grant_type=client_credentials: the token endpoint issues an access token for accessing a protected resource
Common types: Authorization code, Client Credentials, Device Code, Refresh Token
Flows matching response types

| Flow   | response_type       |
|--------|---------------------|
| Hybrid | code id_token token |
Example: Get the access token using an authorization code. Get a new access token using a refresh token.
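To make the two-endpoint dispatch concrete, here is an added toy authorization server in Python (not code from the page or from IdentityServer): the authorization endpoint branches on response_type, the token endpoint on grant_type, an authorization code is single use, and asking for id_token without the openid scope is rejected. The class name, method names, error strings and the sample client are assumptions made for the illustration.

```python
# Added example: in-memory model of the authorization and token endpoints.
# AuthServer, authorize, token, the error strings and the "svc" client are
# constructed for illustration; they are not IdentityServer's API.
import secrets

class AuthServer:
    """Toy OAuth server: dispatch on response_type at /authorize, grant_type at /token."""

    def __init__(self):
        self._codes = {}                       # authorization code -> scope (single use)
        self._refresh = {}                     # refresh token -> scope
        self._clients = {"svc": "s3cret"}      # constructed client for client_credentials

    def authorize(self, response_type, scope, sub):
        # The authorization endpoint reads response_type and issues the matching credential.
        types = set(response_type.split())
        if "id_token" in types and "openid" not in scope.split():
            return {"error": "invalid_scope"}  # id_token requires the openid scope
        out = {}
        if "code" in types:                    # authorization code flow
            code = secrets.token_urlsafe(16)
            self._codes[code] = scope
            out["code"] = code
        if "token" in types:                   # implicit: access token from this endpoint
            out["access_token"] = secrets.token_urlsafe(16)
        if "id_token" in types:                # user identification, claim type sub
            out["id_token"] = {"sub": sub}
        return out or {"error": "unsupported_response_type"}

    def token(self, grant_type, **params):
        # The token endpoint reads grant_type and decides what to exchange for an access token.
        if grant_type == "authorization_code":
            scope = self._codes.pop(params.get("code"), None)   # pop: a code is single use
            if scope is None:
                return {"error": "invalid_grant"}
            refresh = secrets.token_urlsafe(16)
            self._refresh[refresh] = scope
            return {"access_token": secrets.token_urlsafe(16), "refresh_token": refresh, "scope": scope}
        if grant_type == "refresh_token":
            scope = self._refresh.get(params.get("refresh_token"))
            if scope is None:
                return {"error": "invalid_grant"}
            return {"access_token": secrets.token_urlsafe(16), "scope": scope}
        if grant_type == "client_credentials":
            if self._clients.get(params.get("client_id")) != params.get("client_secret"):
                return {"error": "invalid_client"}
            return {"access_token": secrets.token_urlsafe(16), "scope": "api"}
        return {"error": "unsupported_grant_type"}
```

A real server also authenticates the client on the token endpoint and binds the code to the redirect_uri and client_id; the model above leaves those checks out to keep the response_type/grant_type dispatch visible.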
GrantTypes as defined in IdentityServer
Looking a bit under the hood (see the IdentityServer4 source project on git), there are 6 grant types defined.
In the IdentityServer source the predefined grant types are: