I am trying to understand OAuth2 and its grant types. I just want to know what the proper grant type flow is for authorizing a browserless application (a job, for example) with a REST API.

`authorization_code` and implicit flow require user interaction (writing the username and password in the browser), hence both are not suitable for browserless authorization.

`client_credentials` could work, but there is no user in the authorization process, so what happens if the REST API needs to know the user to check for permissions/roles/scopes? Maybe creating a client for each user could work, but it sounds like a bad thing.

The `password` grant type will be deprecated in the OAuth 2.1 specification, so this is not an option.

You may think that OAuth2 is not the framework to use in this case, because you don't need authorization delegation, but what if you have both (it is so common): a single-page application where you could delegate authorization and also a REST API. What is the proper way to authorize a REST API using OAuth2?
question from:
https://stackoverflow.com/questions/65868267/what-is-the-correct-grant-type-for-browserless-connections-like-calling-a-rest-a
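The `client_credentials` exchange the question mentions, shown end to end as an added example (not code from the question or from Stack Overflow). The authorization server and the REST API are simulated in-process so it runs offline; the client id, secret, signing key, token endpoint URL and the `reports:read` scope are all constructed placeholders, and the token format is a simple HMAC-signed JSON blob rather than a real JWT. The point it illustrates is the one raised above: with this grant the token's subject is the client itself, so the REST API authorizes on the client's scopes and never sees a user.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Constructed placeholders: a registered non-interactive client and the key the
# resource server shares with the authorization server to verify tokens.
TOKEN_ENDPOINT = "https://auth.example.test/oauth2/token"  # placeholder, not contacted
REGISTERED_CLIENTS = {"nightly-report-job": {"secret": "s3cret", "scopes": {"reports:read"}}}
SIGNING_KEY = b"resource-server-shared-key"  # placeholder


def build_token_request(client_id, client_secret, scope):
    """Client side (RFC 6749 section 4.4): HTTP Basic client authentication
    plus a form body with grant_type=client_credentials."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def _sign(claims):
    """Toy token: base64url(JSON claims) + '.' + HMAC-SHA256 tag (stand-in for a JWT)."""
    raw = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
    tag = hmac.new(SIGNING_KEY, raw, hashlib.sha256).hexdigest()
    return f"{raw.decode()}.{tag}"


def _verify(token):
    """Return the claims if the tag is valid, else None. Constant-time compare on the tag."""
    if "." not in token:
        return None
    raw, tag = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, raw.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    padded = raw + "=" * (-len(raw) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def authorization_server(headers, body):
    """Simulated token endpoint: authenticate the client, check the requested
    scopes against what the client was registered with, issue a token whose
    subject ('sub') is the client id. There is no user anywhere in this path."""
    scheme, _, creds = headers.get("Authorization", "").partition(" ")
    if scheme != "Basic":
        return {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(creds).decode().partition(":")
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(secret, client["secret"]):
        return {"error": "invalid_client"}
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    requested = set(params.get("scope", "").split()) or set(client["scopes"])
    if not requested <= client["scopes"]:
        return {"error": "invalid_scope"}
    scope = " ".join(sorted(requested))
    token = _sign({"sub": client_id, "scope": scope, "exp": int(time.time()) + 300})
    return {"access_token": token, "token_type": "Bearer", "expires_in": 300, "scope": scope}


def resource_server_authorize(authorization_header, required_scope):
    """REST API side: accept a Bearer token, reject bad signatures, expired
    tokens and missing scopes, and return the principal, which is the client id."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        return None
    claims = _verify(token)
    if claims is None or claims["exp"] < time.time():
        return None
    if required_scope not in claims["scope"].split():
        return None
    return claims["sub"]


def run_job(client_id="nightly-report-job", client_secret="s3cret", scope="reports:read"):
    """The browserless job: obtain a token, then call the API with it.
    Returns the principal the API saw, or the error the token endpoint returned."""
    headers, body = build_token_request(client_id, client_secret, scope)
    response = authorization_server(headers, body)  # would be an HTTPS POST to TOKEN_ENDPOINT
    if "access_token" not in response:
        return response["error"]
    return resource_server_authorize(f"Bearer {response['access_token']}", "reports:read")


if __name__ == "__main__":
    print(run_job())  # the API sees the client, not a person
```

Running `run_job()` yields `nightly-report-job`: the REST API can enforce permissions, but only as scopes granted to the client, which is why per-user role checks do not fit this grant unless each job is registered as its own client.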