# OAuth Grant Types

OAuth Simplified 5 / 5

## What is an OAuth 2.0 Grant Type?

## Password Grant Type

This is the most insecure grant type in OAuth 2.0 and is now considered legacy. In this flow the client collects the user's password and forwards it to the authorization server, so the client itself uses the user's password in exchange for an access token. The flow is both limiting and insecure. It does not allow for multi-factor authentication, for example. Another downside is that the authorization server cannot tell the user and the client apart, since both are authenticating with the same password. There is also no real way to obtain user consent, because there is no guarantee that the user is actually at the computer and willing to authorize the client.

Below is an example of the authorization server prompting the user for consent. This is not possible with the password grant. TODO: Show a picture of a user consent screen

This flow is no different from a third-party application asking for your Gmail password; the only difference is that the client is asking for your password to the authorization server instead.

## Authorization Code Flow Grant Type

In this flow, the user enters their password only at the authorization server and nowhere else. This way, the authorization server knows the user is present and can confidently show the consent screen.
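To make the contrast concrete, here is an added example (not code from the post) showing the request shapes of both grants from the client's side: the password grant sends the user's password to the token endpoint, while the authorization code flow sends the user to the authorization server and only ever exchanges a one-time code. The endpoint URLs, client id and secret are assumed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical authorization server endpoints (assumed, not from the post).
AUTHORIZE_URL = "https://auth.example.com/authorize"
TOKEN_URL = "https://auth.example.com/token"


def password_grant_request(client_id, username, password):
    """Password grant: the client itself holds and forwards the user's password."""
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    return {"url": TOKEN_URL, "form": form}


def build_authorize_url(client_id, redirect_uri, scope):
    """Step 1 of the authorization code flow: send the user's browser to the
    authorization server, where the password is entered and consent is shown.
    The random state is kept in the user's session to detect forged callbacks."""
    state = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def handle_callback(callback_url, expected_state):
    """Step 2: the user returns with ?code=...&state=...; reject a state that
    does not match this session, and surface a denied consent as an error."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query:
        raise ValueError(f"authorization denied: {query['error'][0]}")
    return query["code"][0]


def code_exchange_request(client_id, client_secret, code, redirect_uri):
    """Step 3: back-channel exchange of the one-time code for tokens. The client
    authenticates with its own credentials; the user's password never appears."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}
    return {"url": TOKEN_URL, "form": form}
```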
