Differences between OAuth Web Server Flow, User-Agent Flow, Username-Password Flow?

The steps for Web Server Flow, Username-Password Flow, and User-Agent Flow are different, so on which occasions are these three used, and how do I select a particular method for different applications? My guess is that standalone applications suit Web Server Flow, browser or mobile applications suit User-Agent Flow, and Username-Password Flow is used for testing purposes. Is that correct? Any different views?


  • Web server flow (in OAuth spec terms, Authorization Code Grant) tends to be used for web applications where server-side code needs to interact with Force.com APIs on the user’s behalf, for example DocuSign:

[Image: DocuSign Authorization]

Tokens are sent directly from the Authorization Server to the OAuth Client app, providing a high level of security.

[Image: Mobile SDK Authorization]

Tokens are returned to the Client app via a ‘hash fragment’ on a URL.

  • Username-Password flow (Resource Owner Password Credentials Grant) can be used for testing, or for apps that operate non-interactively, such as legacy integrations, without a user to actively give authorization:

     $ curl -d 'grant_type=password&client_id=3MV_CLIENT_ID&client_secret=1234&username=user@example.com&password=password' \

Username-password is generally discouraged and should be used only where no other alternative is available, due to the inherent problems with passwords.

Source: Link, Question Author: Shebin Mathew, Answer Author: Community
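To make the three flows in the answer concrete, the following is an added example (not code from the original answer or from Salesforce): an in-process toy authorization server with an authorize endpoint (front channel, via the browser) and a token endpoint (back channel, direct from the client), plus one client function per grant. The client id, client secret, redirect URI and user credentials are constructed for the demonstration, and no network is used. It shows where the token travels in each flow: only a single-use code through the browser for Web Server flow, the token in the URL fragment for User-Agent flow, and the user's password itself for Username-Password flow.

```python
# Added example (not from the original answer): toy OAuth 2.0 authorization
# server and three client flows. All identifiers below are constructed.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID, CLIENT_SECRET = "3MV_CLIENT_ID", "1234"        # constructed
REDIRECT_URI = "https://app.example.com/oauth/callback"   # constructed
USER, PASSWORD = "user@example.com", "password"            # constructed


class ToyAuthServer:
    """Minimal authorization server with one registered client and one user."""

    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.users = {USER: PASSWORD}
        self.pending_codes = {}   # code -> (client_id, redirect_uri); single use
        self.tokens = set()       # every access token this server has issued

    def _issue_token(self):
        tok = secrets.token_urlsafe(16)
        self.tokens.add(tok)
        return tok

    def authorize(self, params):
        """Front channel: user is assumed logged in and consenting. Returns the
        redirect URL the browser would be sent to."""
        client = self.clients[params["client_id"]]
        if params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("redirect_uri does not match registration")
        if params["response_type"] == "code":            # Web Server flow
            code = secrets.token_urlsafe(8)
            self.pending_codes[code] = (params["client_id"], params["redirect_uri"])
            return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})
        if params["response_type"] == "token":           # User-Agent flow
            # Fragment is never sent to the redirect host by the browser; only
            # script in the user agent can read the token.
            return REDIRECT_URI + "#" + urlencode(
                {"access_token": self._issue_token(), "state": params["state"]})
        raise ValueError("unsupported response_type")

    def token(self, form):
        """Back channel: the client must authenticate with its secret."""
        client = self.clients.get(form.get("client_id"))
        if client is None or form.get("client_secret") != client["secret"]:
            raise PermissionError("invalid_client")
        if form["grant_type"] == "authorization_code":
            entry = self.pending_codes.pop(form["code"], None)   # consumed on first use
            if entry != (form["client_id"], form["redirect_uri"]):
                raise PermissionError("invalid_grant")
            return {"access_token": self._issue_token(), "token_type": "Bearer"}
        if form["grant_type"] == "password":                     # Username-Password flow
            if self.users.get(form["username"]) != form["password"]:
                raise PermissionError("invalid_grant")
            return {"access_token": self._issue_token(), "token_type": "Bearer"}
        raise PermissionError("unsupported_grant_type")


def web_server_flow(server):
    """Authorization Code grant: browser carries only a code; token is fetched
    server-to-server with the client secret. state guards against CSRF."""
    state = secrets.token_urlsafe(8)
    redirect = server.authorize({"response_type": "code", "client_id": CLIENT_ID,
                                 "redirect_uri": REDIRECT_URI, "state": state})
    qs = parse_qs(urlparse(redirect).query)
    if qs["state"][0] != state:
        raise ValueError("state mismatch (possible CSRF)")
    return server.token({"grant_type": "authorization_code", "code": qs["code"][0],
                         "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                         "redirect_uri": REDIRECT_URI})


def user_agent_flow(server):
    """Implicit grant: token arrives in the URL fragment; no client secret involved."""
    state = secrets.token_urlsafe(8)
    redirect = server.authorize({"response_type": "token", "client_id": CLIENT_ID,
                                 "redirect_uri": REDIRECT_URI, "state": state})
    parts = urlparse(redirect)
    assert "access_token" not in parse_qs(parts.query)   # never in the query string
    frag = parse_qs(parts.fragment)
    if frag["state"][0] != state:
        raise ValueError("state mismatch (possible CSRF)")
    return {"access_token": frag["access_token"][0], "token_type": "Bearer"}


def username_password_flow(server):
    """Resource Owner Password Credentials grant: the client holds the user's
    password itself, which is why this grant is discouraged."""
    return server.token({"grant_type": "password", "client_id": CLIENT_ID,
                         "client_secret": CLIENT_SECRET, "username": USER,
                         "password": PASSWORD})


def code_is_single_use(server):
    """Replaying an already-exchanged authorization code must be rejected."""
    redirect = server.authorize({"response_type": "code", "client_id": CLIENT_ID,
                                 "redirect_uri": REDIRECT_URI, "state": "s"})
    form = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI,
            "code": parse_qs(urlparse(redirect).query)["code"][0]}
    server.token(form)
    try:
        server.token(form)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    srv = ToyAuthServer()
    for flow in (web_server_flow, user_agent_flow, username_password_flow):
        print(flow.__name__, flow(srv))
    print("code replay rejected:", code_is_single_use(srv))
```

The toy server deliberately enforces the checks a real one does and a home-grown client often forgets: the redirect URI must match the registration, the state value must round-trip unchanged, a code exchange must present the client secret, and a code can be exchanged only once. Only the password grant ever sees the user's credentials, which is the practical reason it is reserved for testing and legacy integrations.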
