Summary of oauth2 Four Authorization Methods



This article mainly summarizes the characteristics and applicable scenarios of the four oauth2 modes.

Four authorization methods

OAuth 2.0 defines four authorization methods.

  • Resource owner password credentials
  • Authorization code
  • Simplified model
  • Client credentials

Password mode (resource owner password credentials)

  • This mode is the least recommended because the client may have saved the user password.
  • This mode is mainly used as an adaptation scheme for upgrading legacy projects to oauth2.
  • Of course, if the client is its own application, it is also possible.
  • Refresh token support

Authorization code mode (authorization code)

  • This mode is regarded as authentic oauth2 authorization mode.
  • Auth code is designed, through which token can be obtained again.
  • Refresh token support

Simplified mode (implicit)

  • This mode has fewer code links than the authorization code mode, and the callback url directly carries token
  • The usage scenario of this mode is a browser-based application.
  • This mode is based on security considerations, and it is recommended to set token time limit shorter.
  • Refresh token is not supported.

Client mode (client credentials)

  • This mode can obtain token directly according to client’s id and key without user’s participation.
  • This mode is more suitable for consuming back-end services of api, such as pulling a set of user information, etc.
  • Refresh token is not supported, mainly because it is unnecessary.

The original intention of refresh token is mainly for the user experience that the user does not want to input the account password repeatedly to excha nge for a new token, so Refresh token is designed to exchange for a new token.

This mode does not need to refresh token token because there is no user participation and the user account password is not required, and the new token can be exchanged only according to the id and key of the user.


  • Resource owner password credentials (Designed for legacy systems)(Refresh token support)
  • Authorization code (Authentic way)(Refresh token support)
  • Simplified model (Designed for web Browser Applications)(Refresh token is not supported.)
  • Client credentials (Designed for Back Office api Service Consumers)(Refresh token is not supported.)