Some thoughts on OAuth terminology, feedback is welcome! https://lnkd.in/gpevV_cs
I have a counterview on the proposed terminology. Section 1.3 of RFC 6749 precisely defines "authorization grant" along with the descriptions of the four grant types. As I see it, the term grant is something like "I grant you permission to open the lock of my almirah" and "grant type" is "how I hand over the keys of the lock to you". Equating "grant" solely to a POST request to the token endpoint does not do justice to the concept of "grant". RFC 6749 defines it as "the resource owner's authorization used by the client to obtain an access token," emphasizing the fundamental role of the resource owner's authorization in the OAuth process. The confusion arises when considering the draft OAuth 2.1, wherein Section 4 introduces "Grant Types" without adequately addressing what constitutes a "grant." Additionally, the inclusion of a separate subsection for the "Refresh Token Grant" further convolutes the original intention of "grant" by distancing itself from the resource owner's actions (authorization). "Flow" is already used in the context of an end-to-end process such as "implicit grant flow" in RFC 6749. Rifaat Shekh-Yusef Atul Tulshibagwale
Flow and grant type appear very similar. Please highlight the difference between the two.
Those terms have caused a lot of confusion for quite some time. Thanks for the clarification!
I think that's great. I use the terminology the same way.
> grant - use "grant" when referring to the specific POST request

If it's referring to the request, maybe call it a "grant request" to be more descriptive.

> grant type - use "grant type" when referring to the definition of the flow in the spec

Hmm. Seems like the term grant type refers to the principal, not to its definition.

> "there are several drawbacks to the Implicit grant type"

Are the drawbacks to how the definition was expressed, or to the grant type itself? For example: "The flow for Implicit grant includes an Implicit grant request from the client. The response to that request may include an OAuth token."