OAuth 2.0 Grant Types | MuleSoft Documentation (2024)


OAuth 2.0 specifies the following grant type methods for requesting a token:

  • AUTHORIZATION_CODE

  • IMPLICIT

  • RESOURCE_OWNER_PASSWORD_CREDENTIALS

  • CLIENT_CREDENTIALS

For RAML-based APIs, you must update the RAML to match the OAuth 2.0 security scheme. The following table maps the grant type names used in a RAML definition to the grant type names used in the OAuth 2.0 policy configuration:

Authorization grant type defined in RAML definition | Equivalent authorization grant type to enable in the OAuth provider policy | Supported in embedded APIkit console?
--------------------------------------------------- | ---------------------------------------------------------------------------- | -------------------------------------
[implicit]                                          | Implicit                                                                     | Yes
[client_credentials]                                | Client Credentials                                                           | No
[password]                                          | Resource Owner Password Credentials                                          | No
[authorization_code]                                | Authorization Code                                                           | Yes

The OAuth 2.0 Policy Prerequisites document has additional details about this mapping.

Authorization Code Grant Type

The Authorization Code grant type is the most frequently used grant type and the most secure.

To get a token using this grant type, the client sends the following HTTP requests to the provider:

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Request authorization:

curl "http://localhost:8081/authorize" -d "response_type=code&client_id=<application Client ID>&scope=&redirect_uri=http://localhost:1234" -X POST

The login page appears in the browser. After the user logs in, the provider sends a redirect to the redirect_uri. This redirect carries additional query parameters, including the authorization code.

Response:

http://localhost:1234/?code=<authorization code>#/login

Send the authorization code to the token endpoint in a request that also includes the client ID, the client secret and the same redirect_uri used in the authorization request:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=authorization_code&client_id=<application Client ID>&client_secret=<application Client Secret>&code=<authorization code>&redirect_uri=http://localhost:1234" -X POST

JSON response:

{ "expires_in":86400, "token_type":"bearer", "refresh_token":"<oauth refresh token>", "access_token":"<oauth token>"}
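The client side of the exchange above, as an added example that is not MuleSoft's code: it builds the /authorize URL, pulls the code out of the redirect, builds the /access-token request and checks the JSON response. Endpoint paths, parameter names and the response shape come from the page; the `state` parameter is an assumption added here (standard OAuth 2.0 protection against redirects that were not triggered by this client).

```python
# Added example (not MuleSoft's code): the client side of the authorization
# code exchange described above. Endpoint paths, parameter names and the JSON
# response shape come from the page; the `state` parameter is an assumption
# added here (standard OAuth 2.0 protection against forged redirects).
import json
from urllib.parse import urlencode, urlparse, parse_qs

PROVIDER = "http://localhost:8081"
REDIRECT_URI = "http://localhost:1234"


def build_authorize_url(client_id, state, scope=""):
    """Step 1: the /authorize request the user's browser is sent to."""
    params = {"response_type": "code", "client_id": client_id,
              "scope": scope, "redirect_uri": REDIRECT_URI, "state": state}
    return f"{PROVIDER}/authorize?{urlencode(params)}"


def extract_code(redirect_url, expected_state):
    """Step 2: read `code` from the redirect the provider sends back (the
    `#/login` fragment is ignored); reject it if `state` is not ours."""
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect not tied to our request")
    if "code" not in query:
        raise ValueError("redirect carries no authorization code")
    return query["code"][0]


def build_token_request(client_id, client_secret, code):
    """Step 3: URL and form body for the /access-token call.
    redirect_uri must be the same value used in step 1."""
    body = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": REDIRECT_URI}
    return f"{PROVIDER}/access-token", urlencode(body)


def parse_token_response(raw):
    """Step 4: validate the JSON response and return its useful fields."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response")
    return data["access_token"], data.get("refresh_token"), int(data["expires_in"])


if __name__ == "__main__":
    # Constructed redirect standing in for what the provider sends back.
    code = extract_code(f"{REDIRECT_URI}/?code=c0de&state=s1#/login", "s1")
    print(build_authorize_url("my-client", "s1"), build_token_request("my-client", "my-secret", code))
```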

Implicit

The implicit grant type is less secure than, but easier to use than, the authorization code grant type. JavaScript clients and mobile applications often use this grant type. The authorization server issues an access token directly and skips the step of issuing an intermediate authorization code.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Invoke the authorization endpoint with a request that includes the client ID, the type of authorization you want to perform, the redirect URL, and the scopes you want to authorize. The structure of the request should look like the URI below:

Request token:

curl "http://localhost:8081/authorize" -d "grant_type=implicit&client_id=<application Client ID>&redirect_uri=http://localhost:1234&response_type=token" -X POST

This displays the login page in the browser. After the user logs in, the provider sends a redirect to the redirect_uri. This redirect already includes the token in its fragment, not just an authorization code:

Response:

http://localhost:1234/#access_token=<oauth token>&token_type=bearer&expires_in=86400
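Reading that redirect on the client, as an added example that is not MuleSoft's code: the token is in the URL fragment, which the browser never sends to the server, so it must be parsed client-side, and a token that turned up in the query string instead would have reached the redirect target's server and its access logs. Parameter names and the 86400-second lifetime come from the page; `now` is a constructed clock value so the expiry arithmetic can be checked offline.

```python
# Added example (not MuleSoft's code): handling the implicit-grant redirect
# shown above, where the token arrives in the URL fragment. Parameter names
# and the 86400-second lifetime come from the page; `now` is a constructed
# clock value (seconds) so the expiry calculation can be checked offline.
from urllib.parse import urlparse, parse_qs


def parse_implicit_redirect(redirect_url, now):
    """Return (access_token, expires_at) from an implicit-grant redirect.

    The fragment is only visible to the browser, so this runs client-side.
    A token in the query string rather than the fragment would have been sent
    to the redirect target's server (and its access logs), so it is rejected.
    """
    parts = urlparse(redirect_url)
    if "access_token" in parse_qs(parts.query):
        raise ValueError("access_token in query string, not in fragment")
    frag = parse_qs(parts.fragment)
    token = frag.get("access_token", [None])[0]
    if not token:
        raise ValueError("redirect carries no access token")
    if frag.get("token_type", [""])[0].lower() != "bearer":
        raise ValueError("unexpected token_type")
    expires_in = int(frag.get("expires_in", ["0"])[0])
    if expires_in <= 0:
        raise ValueError("missing or invalid expires_in")
    # No refresh_token is issued in this flow: once expires_at passes, the
    # user has to go through /authorize again.
    return token, now + expires_in


def token_is_fresh(expires_at, now, skew=60):
    """True while the token has more than `skew` seconds of life left."""
    return now + skew < expires_at


if __name__ == "__main__":
    # Constructed redirect matching the shape shown on the page.
    url = "http://localhost:1234/#access_token=t0k3n&token_type=bearer&expires_in=86400"
    token, expires_at = parse_implicit_redirect(url, now=1_700_000_000)
    print(token, expires_at, token_is_fresh(expires_at, now=1_700_000_000))
```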

Resource Owner Password Credentials

The resource owner password credentials grant type is less secure than both the implicit and the authorization code grant types. The client needs to handle the user’s credentials. This requires that users have a high degree of trust in the client. This grant type is often used when the consumer of the protected resource is a widget of the same service.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081:

Send a POST request to the token endpoint that includes the user name and password:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=password&response_type=token&username=<username>&password=<password>&client_id=<application client ID>&client_secret=<application client secret>" -X POST

JSON response example:

{ "expires_in":86400, "token_type":"bearer", "refresh_token":"<refresh oauth token>", "access_token":"<oauth token>"}

Client Credentials

The client credentials grant type is the least secure grant type. Use this grant type when the client is itself the resource owner, or when an authorization has previously been arranged with the authorization server. In this grant type, an access token is issued if the client identifier and the client secret are valid; no user is involved.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Send a POST request to the token endpoint that includes the client ID and client secret:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=client_credentials&client_id=<application client ID>&client_secret=<application Client Secret>&response_type=token" -X POST

Response:

http://localhost:1234/#access_token=<oauth token>&token_type=bearer&expires_in=86400

See Also

  • Mule OAuth 2.0 Provider
