Differences between OAuth Web Server Flow, User-Agent Flow, Username-Password Flow?

The steps for Web Server Flow, Username-Password Flow, and User-Agent Flow are different, so on which occasions are these three used, and how do I select a particular method for different applications? My guess is that standalone applications suit Web Server Flow, browser or mobile applications suit User-Agent Flow, and Username-Password Flow is used for testing purposes. Is that correct? Any different views?

Answer

  • Web server flow (in OAuth spec terms, Authorization Code Grant) tends to be used for web applications where server-side code needs to interact with Force.com APIs on the user's behalf, for example DocuSign:

[Image: DocuSign Authorization]

Tokens are sent directly from the Authorization Server to the OAuth Client app, providing a high level of security.

[Image: Mobile SDK Authorization]

Tokens are returned to the Client app via a 'hash fragment' on a URL.

  • Username-Password flow (Resource Owner Password Credentials Grant) can be used for testing, or for apps that operate non-interactively, such as legacy integrations, without a user to actively give authorization:

    $ curl -d 'grant_type=password&client_id=3MV_CLIENT_ID&client_secret=1234&username=user@example.com&password=password' \
        https://login.salesforce.com/services/oauth2/token

    {
      "id":"https://login.salesforce.com/id/ORG_ID/USER_ID",
      "issued_at":"1385271368428",
      "instance_url":"https://na15.salesforce.com",
      "signature":"Vcz4TlGBQJCwJzNtH3AHT/kUFLM4N/sFrJODX2ZNuyE=",
      "access_token":"00D_ACCESS_TOKEN"
    }

Username-password is generally discouraged and should be used only where no other alternative is available, due to the inherent problems with passwords.
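The three flows in the answer differ mainly in where the credential travels: a code in the query string that the server exchanges over a back channel (web server flow), an access token in the URL fragment that only browser-side code can read (user-agent flow), or the user's password sent straight to the token endpoint (username-password flow). The following Python script is an added example, not code from the question, the answer or Salesforce; it builds the requests for each flow offline, checks the `state` value on the redirect, and verifies the `signature` field of a token response, which Salesforce documents as a base64 HMAC-SHA256 over `id` concatenated with `issued_at`, keyed with the connected app's consumer secret. The client id, secret, redirect URI and callback URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; the secret is hypothetical, not a real consumer secret.
AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
CLIENT_ID = "3MV_CLIENT_ID"
CLIENT_SECRET = "1234"
REDIRECT_URI = "https://app.example.com/oauth/callback"


def build_authorize_url(response_type, state):
    """Authorization request shared by the two redirect-based flows.
    response_type="code"  -> web server flow (authorization code grant)
    response_type="token" -> user-agent flow (implicit grant)
    `state` is a per-login random value that the callback must echo back."""
    if response_type not in ("code", "token"):
        raise ValueError("unsupported response_type")
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_redirect(url, expected_state):
    """Interpret the redirect back to REDIRECT_URI.
    Web server flow: the code is in the query string, which the browser sends to
    the server; the server then trades it (plus the client secret) for tokens.
    User-agent flow: the access token is in the fragment, which browsers never
    put in the HTTP request, so only client-side code ever sees it."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    fragment = parse_qs(parts.fragment)
    if "code" in query:
        state = query.get("state", [None])[0]
        payload = {"flow": "web_server", "code": query["code"][0]}
    elif "access_token" in fragment:
        state = fragment.get("state", [None])[0]
        payload = {"flow": "user_agent", "access_token": fragment["access_token"][0]}
    else:
        raise ValueError("redirect carries neither a code nor an access token")
    # Reject a callback whose state was not issued for this login (CSRF / replay).
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or replayed redirect")
    return payload


def password_grant_body(username, password, security_token=""):
    """Form body for the username-password flow. Salesforce expects the user's
    security token appended to the password when the caller is outside a
    trusted IP range; the secret and password both travel in this body."""
    return urlencode({"grant_type": "password", "client_id": CLIENT_ID,
                      "client_secret": CLIENT_SECRET, "username": username,
                      "password": password + security_token})


def identity_signature(identity_url, issued_at, client_secret):
    """Base64 HMAC-SHA256 over id || issued_at keyed with the consumer secret,
    the construction Salesforce documents for the token response `signature`."""
    mac = hmac.new(client_secret.encode(), (identity_url + issued_at).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_token_response(resp, client_secret):
    """True if `id` and `issued_at` in a token response were not altered in transit."""
    expected = identity_signature(resp["id"], resp["issued_at"], client_secret)
    return hmac.compare_digest(expected, resp["signature"])


def demo():
    state = secrets.token_urlsafe(16)
    # Constructed callback URLs standing in for what the authorization server would send.
    code_redirect = parse_redirect(f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}", state)
    token_redirect = parse_redirect(f"{REDIRECT_URI}#access_token=00D_ACCESS_TOKEN&state={state}", state)
    # Constructed token response shaped like the one in the answer; signature computed locally.
    resp = {"id": "https://login.salesforce.com/id/ORG_ID/USER_ID",
            "issued_at": "1385271368428", "access_token": "00D_ACCESS_TOKEN"}
    resp["signature"] = identity_signature(resp["id"], resp["issued_at"], CLIENT_SECRET)
    return {"authorize_url": build_authorize_url("code", state),
            "code_redirect": code_redirect,
            "token_redirect": token_redirect,
            "password_body": password_grant_body("user@example.com", "password", "SECURITY_TOKEN"),
            "signature_ok": verify_token_response(resp, CLIENT_SECRET)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because `parse_redirect` reads the fragment with `urlsplit`, it also makes the user-agent flow's limitation concrete: a server-side handler receiving the same redirect over HTTP would see an empty fragment, so the token can only be handled by code running in the user agent, which is why that flow suits browser and mobile apps while server-side integrations use the code grant.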

Attribution
Source: Link, Question Author: Shebin Mathew, Answer Author: Community
