OAuth 2.0 Client Types
Based on the client's ability to authenticate with the authorization server, the OAuth 2.0 specification defines two types of clients.
Confidential clients can keep their credentials confidential, so the credentials are never exposed to anyone else. A web application is an example of a confidential client: once the authorization server issues tokens or credentials to the web application, they are held by the application and are not exposed to the outside.
Confidential clients should be associated with grant types that require client authentication. For web-based confidential clients, the Authorization Code grant type is recommended; for machine-to-machine communication, the Client Credentials grant type is recommended.
The implicit grant type is optimized for public clients, as it does not include client authentication and relies instead on the presence of the resource owner and on the registration of the redirection URI. Because the access token is encoded into the redirection URI, it may be exposed to the resource owner and to other applications residing on the same device. To prevent attacks that manipulate the redirection URI, public clients must pre-register their redirection URI.
The following table summarizes sample clients and the recommended grant types for each client type.
|Client type|Sample clients|Recommended grant type|
|---|---|---|
|Confidential clients|Web based|Authorization Code grant type, Password grant type|
|Confidential clients|Machine to machine|Client Credentials grant type|
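The following is an added example, not code from the original page or from any particular authorization server. It shows, on the authorization-server side, how the client type decides which grant types are acceptable, why the pre-registered redirection URI must be matched exactly, and why the implicit grant exposes the access token (it lands in the URI fragment) while the authorization code grant only places a code in the query string. The `Client` record, the `ALLOWED_GRANTS` map (derived from the recommendations above) and all client identifiers and URIs are constructed sample data.

```python
"""Added example: client-type policy and redirect-URI validation on an
OAuth 2.0 authorization server. Client records and URIs are constructed
sample data, not values from any real deployment."""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit

# Grant types per client type, following the recommendations on this page:
# public clients use the implicit grant (no client authentication), while
# confidential clients use grants that require client authentication.
ALLOWED_GRANTS = {
    "confidential": {"authorization_code", "client_credentials", "password"},
    "public": {"implicit"},
}


@dataclass(frozen=True)
class Client:
    client_id: str
    client_type: str  # "confidential" or "public"
    redirect_uris: frozenset = field(default_factory=frozenset)


def grant_allowed(client: Client, grant_type: str) -> bool:
    """True if the grant type matches the client's ability to authenticate."""
    return grant_type in ALLOWED_GRANTS.get(client.client_type, set())


def redirect_uri_registered(client: Client, requested: str) -> bool:
    """Exact string match against the pre-registered redirection URIs.

    Prefix or host-only matching would let a manipulated redirect_uri send
    the token or code somewhere else. A fragment in the requested URI is also
    rejected, because the implicit grant appends the token as a fragment and
    the registered endpoint must not already carry one.
    """
    if urlsplit(requested).fragment:
        return False
    return requested in client.redirect_uris


def build_redirect(client: Client, grant_type: str, requested_uri: str,
                   credential: str, state: str) -> str:
    """Compose the redirect the authorization server sends to the browser.

    The implicit grant encodes the access token in the URI fragment, which is
    why the resource owner and other apps on the same device can see it; the
    authorization code grant places only a short-lived code in the query.
    Raises ValueError when the request violates the client-type policy.
    """
    if not grant_allowed(client, grant_type):
        raise ValueError(f"{grant_type} is not allowed for a "
                         f"{client.client_type} client")
    if not redirect_uri_registered(client, requested_uri):
        raise ValueError("redirect_uri is not pre-registered")
    if grant_type == "implicit":
        params = {"access_token": credential, "token_type": "Bearer",
                  "state": state}
        return f"{requested_uri}#{urlencode(params)}"
    if grant_type == "authorization_code":
        params = {"code": credential, "state": state}
        return f"{requested_uri}?{urlencode(params)}"
    # Client Credentials and Password grants go straight to the token
    # endpoint and never pass through the redirection endpoint.
    raise ValueError(f"{grant_type} does not use the redirection endpoint")


if __name__ == "__main__":
    # Constructed sample clients.
    web = Client("web-app", "confidential", frozenset({"https://app.example/cb"}))
    spa = Client("spa", "public", frozenset({"https://spa.example/cb"}))
    print(build_redirect(web, "authorization_code", "https://app.example/cb",
                         "c0de", "xyz"))
    print(build_redirect(spa, "implicit", "https://spa.example/cb",
                         "tok123", "xyz"))
```

Running the block prints the two redirects side by side: the confidential client's redirect carries `?code=...` in the query, the public client's carries `#access_token=...` in the fragment, which the browser never sends to a server but any script or app handling that URI can read.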