14. Grant Types
Grants an access token directly and does not use a client secret.
Used by some mobile apps and web applications.
Replaced by the Authorization Code grant without a secret.
1. The user accesses the application.
2. The application sends the user a link to the Authorization Server.
3. The user's browser shows the link to the Authorization Server.
4. The Authorization Server sends the user a web page (login, then allow/deny).
5. The user logs in and allows access.
6. The Authorization Server issues a one-time code and redirects the user back to the application.
7. The user, redirected back, passes the one-time-use code to the application.
8. The application sends the code to the Authorization Server.
9. The application receives an access token, a refresh token and an expiration time.
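The steps above, worked as an added example (not code from the page's author): a toy in-memory Authorization Server and the application side of the code exchange, run in one process without HTTP. The client id, redirect URI, user name and lifetimes are constructed for the example. For the "without a secret" binding it uses PKCE (RFC 7636), which is how a public client proves it is the same party that started the flow; the page itself does not name PKCE. The part worth watching is the token endpoint: the code is deleted on first use, so a replayed code is refused, and it must match the client, redirect URI and PKCE verifier it was issued against.

```python
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed registration: one public client (no secret), as the page's
# "Authorization Code without a secret" describes. Names are hypothetical.
CLIENT_ID = "mobile-app"
REDIRECT_URI = "https://app.example/callback"
REGISTERED_CLIENTS = {CLIENT_ID: {"redirect_uri": REDIRECT_URI}}
CODE_LIFETIME_SECONDS = 60


def s256_challenge(verifier):
    """PKCE S256: BASE64URL(SHA256(verifier)) without padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def code_from_redirect(url):
    """What the redirected browser hands the application (step 7)."""
    params = parse_qs(urlparse(url).query)
    return params["code"][0] if "code" in params else None


class AuthorizationServer:
    """Toy Authorization Server: in-memory, single process, no HTTP."""

    def __init__(self):
        self._codes = {}     # one-time code -> binding record
        self._refresh = {}   # refresh token -> user

    def authorize(self, client_id, redirect_uri, code_challenge, user, approved):
        # Steps 4-6: the user has logged in and chosen allow/deny. On allow,
        # issue a short-lived one-time code bound to client, redirect URI,
        # PKCE challenge and user, then redirect back to the application.
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or unregistered redirect_uri")
        if not approved:
            return f"{redirect_uri}?error=access_denied"
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "code_challenge": code_challenge,
            "user": user,
            "expires_at": time.time() + CODE_LIFETIME_SECONDS,
        }
        return f"{redirect_uri}?code={code}"

    def token(self, client_id, redirect_uri, code, code_verifier):
        # Steps 8-9: exchange the code for tokens. pop() deletes the code on
        # first use, so a replayed code (stolen or resent) is rejected.
        record = self._codes.pop(code, None)
        if record is None:
            raise PermissionError("invalid_grant: unknown or already used code")
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_grant: code not issued to this client")
        if time.time() > record["expires_at"]:
            raise PermissionError("invalid_grant: code expired")
        if s256_challenge(code_verifier) != record["code_challenge"]:
            raise PermissionError("invalid_grant: PKCE verifier does not match")
        refresh_token = secrets.token_urlsafe(32)
        self._refresh[refresh_token] = record["user"]
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 3600,           # expiration time, in seconds
            "refresh_token": refresh_token,
        }


def run_flow(server, approved=True):
    """Application side of steps 1-9 for a public client."""
    verifier = secrets.token_urlsafe(48)         # kept by the application
    challenge = s256_challenge(verifier)         # sent in the authorize link
    redirect = server.authorize(CLIENT_ID, REDIRECT_URI, challenge, "alice", approved)
    code = code_from_redirect(redirect)
    if code is None:
        return {"error": parse_qs(urlparse(redirect).query)["error"][0]}
    tokens = server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
    return {"tokens": tokens, "code": code, "verifier": verifier}


def exchange_rejected(server, code, verifier):
    """True if the Authorization Server refuses this code/verifier pair."""
    try:
        server.token(CLIENT_ID, REDIRECT_URI, code, verifier)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    srv = AuthorizationServer()
    result = run_flow(srv)
    print("tokens:", result["tokens"])
    print("replay rejected:", exchange_rejected(srv, result["code"], result["verifier"]))
```

Running the module performs one complete flow and then re-sends the same code, which the server refuses. A real deployment adds the things left out here: the redirect and token calls travel over HTTPS, a `state` parameter ties the redirect back to the browser session, and codes and refresh tokens live in persistent, shared storage rather than a dictionary.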