The OAuth 2.0 Authorization Framework (OAuth) facilitates the sharing of private resources (data or services) with a third-party client application (client). In an OAuth session, private resources are stored on a resource server and the owner of the resources, or resource owner, grants the client application permission to access them. In this case the resource owner is typically an application. When a resource owner grants permission, the OAuth authorization server issues an access token to the client application. When the client application passes the access token to the resource server, the resource server communicates with the authorization server to validate the token and, if valid, provides access to the resources.

The flow of authorization requests and responses between the resource owner, client application, authorization server, and resource server depends on the authorization grant type defined by the OAuth session. API Portal supports the following authorization grant types:

The authorization code grant type is used to authenticate and provide access to clients that have credentials on the authorization server. This grant type requires the client to authenticate to the authorization server before obtaining an access token. The user is prompted to log on to the authorization serve and to authorize or deny the client (application) access to their account. Once authorized, the Authorization provides an authorization code. This authorization code is provided to the Access token URL, which in turn provides the required access token to access the resource.

The implicit grant flow is similar to the authorization code grant flow with a distinct difference that the Authorization server provides the access token instead of authorization code. The Client ID and Client secret is passed on to the Authorization URL, for validation. The user is prompted to log on to the authorization server and approve the client. On approval, the required access token is provided to access the resource.

The simplest of all of the OAuth 2.0 grants, this grant is suitable for machine-to-machine authentication where a specific user's permission to access data is not required. The Client ID and Client secret is passed on to the Access token URL, which in turn provides the required access token to access the resource.