OAuth 2.0 Grant Types | MuleSoft Documentation (2024)


OAuth 2.0 specifies the following grant type methods for requesting a token:

  • AUTHORIZATION_CODE

  • IMPLICIT

  • RESOURCE_OWNER_PASSWORD_CREDENTIALS

  • CLIENT_CREDENTIALS

For RAML-based APIs, you must update the RAML to match the OAuth 2.0 security schema. The following table maps the RAML grant types to grant type names in the OAuth 2.0 policy configuration:

| Authorization Grant Type Defined in RAML Definition | Equivalent Authorization Grant Type to Enable in the OAuth Provider Policy | Supported in embedded APIkit Console? |
| --- | --- | --- |
| [implicit] | Implicit | Yes |
| [client_credentials] | Client Credentials | No |
| [password] | Resource Owner Password Credentials | No |
| [authorization_code] | Authorization Code | Yes |

The OAuth 2.0 Policy Prerequisites document has additional details about this mapping.

Authorization Code Grant Type

The Authorization Code grant type is the most frequently used grant type and the most secure.

To get a token using this grant type, the following information needs to be specified in the HTTP request to the Provider:

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Request authorization:

curl "http://localhost:8081/authorize" -d "response_type=code&client_id=<application Client ID>&scope=&redirect_uri=http://localhost:1234" -X POST

The login page appears in the browser. After the user logs in, the provider sends a redirect to the redirect_uri. This redirect includes additional properties, including an access code.

Response:

http://localhost:1234/?code=<authorization code>#/login

Send the access code to the token endpoint in a request that also includes the client ID, the client secret and some of the information in the previous call:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=authorization_code&client_id=<application Client ID>&client_secret=<application Client Secret>&code=<authorization code>&redirect_uri=<http://localhost:1234 as in the previous request>" -X POST

JSON response:

{
  "expires_in": 86400,
  "token_type": "bearer",
  "refresh_token": "<oauth refresh token>",
  "access_token": "<oauth token>"
}

Implicit

The implicit grant type is less secure than the authorization code grant type but easier to use. JavaScript clients and mobile applications often use this grant type. The authorization server issues an access token directly and skips the step of issuing an intermediate authorization code.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Invoke the authorization endpoint with a request that includes the client ID, the type of authorization you want to perform, the redirect URL, and the scopes you want to authorize. The structure of the request should look like the URI below:

Request token:

curl "http://localhost:8081/authorize" -d "grant_type=implicit&client_id=<application Client ID>&redirect_uri=http://localhost:1234&response_type=token" -X POST

This displays the login page in the browser. After the user logs in, the provider sends a redirect to the redirect_uri. This redirect already includes the token, not just an access code:

Response:

http://localhost:1234/#access_token=<oauth token>&token_type=bearer&expires_in=86400

Resource Owner Password Credentials

The resource owner password credentials grant type is less secure than both the implicit and the authorization code grant types. The client needs to handle the user’s credentials. This requires that users have a high degree of trust in the client. This grant type is often used when the consumer of the protected resource is a widget of the same service.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081:

Send a POST request to the token endpoint that includes the user name and password:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=password&response_type=token&username=<username>&password=<password>&client_id=<application client ID>&client_secret=<application client secret>" -X POST

JSON response example:

{
  "expires_in": 86400,
  "token_type": "bearer",
  "refresh_token": "<refresh oauth token>",
  "access_token": "<oauth token>"
}

Client Credentials

The client credentials grant type is the least secure grant type. Use this grant type when the client is the resource owner or an authorization has previously been arranged with the authorization server. In this grant type, an access token is obtained if the client identifier and the client secret are valid.

HTTP request example against the provider to get a token

Assuming that the provider is accessible on http://localhost:8081 and the redirect URL of your client application is "http://localhost:1234":

Send a POST request to the token endpoint that includes the client ID and the client secret:

Request token:

curl "http://localhost:8081/access-token" -d "grant_type=client_credentials&client_id=<application client ID>&client_secret=<application Client Secret>&response_type=token" -X POST

JSON response:

http://localhost:1234/#access_token=<oauth token>&token_type=bearer&expires_in=86400
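As an added example (not MuleSoft's code and not part of the original page), the following Python helpers cover the client side of all four flows described above: parsing the provider redirect shown in the Authorization Code and Implicit sections, building the token-endpoint body for the authorization code, password and client credentials requests, and checking the JSON token response. The endpoint and redirect URL are the ones the page assumes; client IDs, secrets, codes and token values in the comments and tests are constructed sample data.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Provider assumed on the page: http://localhost:8081, token endpoint /access-token,
# client redirect URL http://localhost:1234. All other values are constructed.


def parse_provider_redirect(url):
    """Return what the provider sent back on the redirect_uri.

    Authorization code flow: the code is in the query string,
      http://localhost:1234/?code=<authorization code>#/login
    Implicit flow: the token is in the URL fragment (never sent to a server),
      http://localhost:1234/#access_token=<oauth token>&token_type=bearer&expires_in=86400
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "error" in query:  # RFC 6749 error response, e.g. error=access_denied
        raise ValueError("provider returned error: " + query["error"])
    if "code" in query:
        return {"flow": "authorization_code", "code": query["code"]}
    if "access_token" in fragment:
        return {"flow": "implicit", **fragment}
    raise ValueError("redirect carries neither a code nor an access token")


def build_token_request(grant_type, client_id, client_secret, **extra):
    """Form body for the POST to /access-token, matching the page's curl requests.

    urlencode() escapes values such as redirect_uri or a password containing
    '&', which the raw query strings in the curl examples do not handle.
    """
    required = {"authorization_code": {"code", "redirect_uri"},
                "password": {"username", "password"},
                "client_credentials": set()}
    if grant_type not in required or set(extra) != required[grant_type]:
        raise ValueError("unexpected parameters for %s: %s" % (grant_type, sorted(extra)))
    return urlencode({"grant_type": grant_type, "client_id": client_id,
                      "client_secret": client_secret, **extra})


def parse_token_response(body):
    """Validate the JSON the token endpoint returns (shape shown on the page)."""
    tok = json.loads(body)
    if "access_token" not in tok or str(tok.get("token_type", "")).lower() != "bearer":
        raise ValueError("not a bearer token response")
    return {"access_token": tok["access_token"],
            "refresh_token": tok.get("refresh_token"),  # implicit flow issues none
            "expires_in": int(tok["expires_in"])}
```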

See Also

  • Mule OAuth 2.0 Provider


FAQs

What are the grant types in OAuth 2.0 framework? ›

  • Authorization Code Grant
  • Implicit Grant
  • Client Credentials Grant
  • Refresh Token Grant
  • Kerberos Grant
  • Mutual TLS Client Authentication and Certificate-Bound Access Tokens

What is the OAuth 2.0 implicit grant type? ›

The Implicit grant is designed for public clients that run inside the resource owner's user-agent, for example, JavaScript applications. Since applications running in the user-agent are considered less trusted than applications running in servers, the authorization server will never issue refresh tokens in this flow.

What grant type is not supported by MuleSoft? ›

As the Mule HTTP Connector lacks support for the OAuth Password Credentials Grant type, you will need to redesign your integration flow to implement the entire process.

What is the OAuth policy in MuleSoft? ›

OAuth 2.0 policy and OAuth provider implementation

One of the main policies introduced by MuleSoft is the OAuth 2.0 policy. This policy works only with the Mule OAuth provider application, which validates the token provided in the HTTP request. If the token is valid, access to the protected application is granted.

Which OAuth grant type is appropriate? ›

Authorization Code Grant

Use Case: Best for web and mobile applications where the client can securely store the client secret. The Authorization Code Grant is the most common and secure OAuth grant type. It involves an intermediate authorization code, which the application exchanges for an access token.

What is the difference between response type and grant type? ›

response_type is used against the authorization endpoint. This parameter defines what the authorization response must contain, for example, code when using the authorization code grant (similarly, the authorization code flow in OpenID Connect). grant_type, on the other hand, is used against the token endpoint.

What is the difference between implicit and Authorization Code grant? ›

Also, in the Implicit Grant, when an access token expires, the user must re-authenticate to continue accessing the resources. The Authorization Code Grant features refresh tokens that can be used to obtain a new access token without involving the user.

Is implicit grant deprecated? ›

Note: To follow best practices, Implicit Grant is no longer supported. All new security profiles must use Authorization Code grant. For more information, refer to the Deprecation Notice. An Implicit Grant allows a client (typically a website) to direct the user-agent (a user's browser) to a URI at Amazon.

What is improper implementation of the implicit grant type? ›

Improper implementation of the Implicit Grant

The trouble is, if the application wants to maintain the session after the user closes the page, it needs to store the current user data (normally a user_id and the access_token ) somewhere.

What are grant type client credentials? ›

With the client credentials grant type, an app sends its own credentials (the Client ID and Client Secret) to an endpoint on Apigee that is set up to generate an access token. If the credentials are valid, Apigee returns an access token to the client app.

What is grant types in identity server? ›

Grant types are a way to specify how a client wants to interact with IdentityServer. The OpenID Connect and OAuth 2 specs define the following grant types: Implicit. Authorization code.

What is the Authorization Code grant type? ›

The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token. After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.

What is OAuth 2.0 in Mule 4? ›

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.

What are the types of authentication in OAUTH2? ›

The core OAuth 2.0 specification defines the "client password" (e.g. client secret) client authentication type, which defines the client_secret parameter as well as the method of including the client secret in the HTTP Authorization header. These are the most common forms of client authentication.

How to implement OAuth 2.0 protocol? ›

How to implement the OAuth 2.0 protocol in your application (frontend):

  1. Obtain credentials. To begin with OAuth 2.0 implementation, you would need to get some data from your authentication provider. ...
  2. Set up the project for the authentication server. ...
  3. Install dependencies (Passport. ...
  4. Configure Express. ...
  5. Initialize Passport.


What are grant types in Auth0? ›

Specification-conforming grants:

| Grant Type | Description |
| --- | --- |
| authorization_code | Authorization Code Grant |
| client_credentials | Client Credentials Grant |
| password | Resource Owner Password Grant |
| refresh_token | Use Refresh Tokens |
