You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Next »

Users connecting services to eduTEAMS using OIDC will need to choose which Grants they need. This page and the following table present guidance for the recommended and supported configurations.

References to the specifications:

A service will typically act as a confidential client and will authenticate with its client-id and client-secret using client_secret_basic or client_secret_post.

Non-confidential clients are marked as "public". These services are usually web-based applications without a backend. According to best practices these clients should support PKCE.

Notice that multiple grants can be selected. However, requesting all Grants is not a valid request (it cannot work).

It is common to request the authorization_code grant alone, or along with the refresh_token grant. This is normal and this is what most clients should look like.
Some clients will request the authorization_code grant and they will be public clients (ie, web-applications). We encourage those clients to support PKCE.

The device-code grant is not common. Only public clients will request this grant.

The token-exchange grant should only be used by advanced clients. This is expected to be requested rarely.
This grant will be requested along with the
authorization_code grant and maybe the refresh_token grant.
These clients
will not be public clients.

Requesting the implicit grant should be very-very-very rare. If implicit is used then no other grant type should be used.

Grantsoffline_accessClient authentication methodsPKCE
authorization_codefalseclient_secret_basic and client_secret_postfalse
authorization_codefalseclient_secret_basic and client_secret_posttrue
authorization_codefalsepublicfalse
authorization_codefalsepublictrue
authorization_code and refresh_tokentrueclient_secret_basic and client_secret_postfalse
authorization_code and refresh_tokentrueclient_secret_basic and client_secret_posttrue
authorization_code and refresh_tokentruepublictrue
authorization_code and token-exchangefalseclient_secret_basic and client_secret_postfalse
authorization_code and token-exchangefalseclient_secret_basic and client_secret_posttrue
authorization_code and token-exchangefalsepublictrue
authorization_code and refresh_token and token-exchangetrueclient_secret_basic and client_secret_postfalse
authorization_code and refresh_token and token-exchangetruepublictrue
device_codefalsepublicfalse
device_code and refresh_tokentruepublicfalse
implicitfalsepublicfalse
  • No labels