0

I am planning to deploy a separate resource server and an authorisation server, both running on django oauth toolkit. Assuming that the clients or the applications using our API services are in the same organization, and will host their frontend to use our APIs, and the users will be logged in on their side and we just have to authorize those clients (that are running the application).

Which Grant Type Should I use?

Sanx
  • 3
  • 2

1 Answers1

0

RFC 7636: Proof Key for Code Exchange

PKCE (RFC 7636) is an extension to the Authorization Code flow to prevent CSRF and authorization code injection attacks.

PKCE is not a replacement for a client secret, and PKCE is recommended even if a client is using a client secret.

Note: Because PKCE is not a replacement for client authentication, it does not allow treating a public client as a confidential client.

PKCE was originally designed to protect the authorization code flow in mobile apps, but its ability to prevent authorization code injection makes it useful for every type of OAuth client, even web apps that use a client secret.

jwilleke
  • 10,467
  • 1
  • 30
  • 51
  • Lets say PKCE is out of the question due to any reason. What would be our next probable/preferred grant type in this scenario. Client credentials? – Sanx Jul 25 '22 at 12:35
  • The Client Credentials is a server to server flow. This is often used for with machine-to-machine applications, such as CLIs, daemons, or services running on your back-end, the system authenticates and authorizes the app rather than a user. There is no user authentication involved. https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/ – jwilleke Jul 26 '22 at 13:31