Which authorization grant type should I use?
Question
In my application, I have many companies accounts. I'm using django-oauth-toolkit and I gonna to add access to my API by request from a specific company.
I have a few endpoints like:
GET /api/users/- return all company users
GET /api/documents/- return all documents owned by users from given company
I wonder which authorization grant type should I use:
Client type: Confidential
Authorization grant type options:
- client credentials
- authorization code
- resource owner password-based
- implicit
Can anyone tell me which one type is the best in my case and why?
1 answers
solution1
2 2018-10-18 12:14:44
You should use resource owner password-based grant:
The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application.
Flow :
The client will ask the user for their authorization credentials (ususally a username and password).
The client then sends a POST request with following body parameters to the authorization server:
-
grant_typewith the value password -
client_idwith the the client's ID -
client_secretwith the client's secret -
scopewith a space-delimited list of requested scope permissions. -
usernamewith the user's username -
passwordwith the user's password
The authorization server will respond with a JSON object containing the following properties:
-
token_typewith the value Bearer -
expires_inwith an integer representing the TTL of the access token -
access_tokena JWT signed with the authorization server's private key -
refresh_tokenan encrypted payload that can be used to refresh the access token when it expires.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.