Obtaining Tokens: Cheatsheet
Grant Type | When | Other Specifications | Client Authentication Method | Scopes |
---|---|---|---|---|
Authorization Code Flow | When performing web-based operations related to administrative tasks | - Proof Key for Code Exchange RFC7636<br>- OAuth 2.0 Pushed Authorization Requests (PAR) RFC9126<br>If Message Signing is required:<br>- JWT-Secured Authorization Request (JAR) RFC9101 and connected:<br>- JSON Web Token RFC7519<br>- JSON Web Signature (JWS) RFC7515<br>- JSON Web Encryption (JWE) RFC7516 | - tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705<br>- private_key_jwt -- Assertion Framework for OAuth 2.0 Client Authentication RFC7521 | directory:website openid email profile |
Client Credentials Flow | Managing an application, performing READ operations for all resources available within the platform, pulling a list of all registered clients, getting a list of all available authorisation servers to scan for Data Providers, obtaining information about the APIs published within the ecosystem or federation, and more | n/a | - tls_client_auth -- Mutual-TLS Client Authentication and Certificate-Bound Access Tokens RFC8705<br>- private_key_jwt -- Assertion Framework for OAuth 2.0 Client Authentication RFC7521 | directory:software |
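
For the Authorization Code Flow row, the sketch below shows how PKCE (RFC7636) and a PAR request body (RFC9126) fit together, including the check the authorization server makes at the token endpoint. It is an added example, not code from the platform this cheatsheet describes; the function names are hypothetical, and the client id and redirect URI are values the caller supplies.

```python
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Scopes taken from the Authorization Code Flow row of the table.
SCOPES = "directory:website openid email profile"
# RFC 7636 section 4.1: 43-128 characters from the unreserved set.
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, 256 bits of entropy
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_par_body(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """Form body for the PAR endpoint. With tls_client_auth the client
    certificate authenticates the call, so client_id travels in the body."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": SCOPES,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })


def verifier_matches(stored_challenge: str, presented_verifier: str) -> bool:
    """Server side: reject malformed verifiers, then recompute the
    challenge and compare it in constant time."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    recomputed = b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)
```

The client keeps the verifier private until the token request; only the challenge goes into the pushed authorization request.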