Choosing a grant type

OAuth2 supports different flows to securely consume APIs for different access patterns.

API Gateway supports these grants:

  • Authorization code grant - suitable for native mobile/desktop apps and web apps
  • Implicit grant - suitable for single-page/user-agent-based applications
  • Resource owner grant - suitable for server-to-server access, for example, a backend service client. In these cases the user/resource owner is not present for authorization, so service accounts are used for back-channel authentication and authorization.
  • SAML bearer grant - suitable for applications plugged in with Infor Ming.le, for example, apps that have SSO with the Infor Ming.le federation hub.

Based on your client's access pattern, you must implement the appropriate OAuth2 grant. Here is a decision flow to help you choose an OAuth2 grant:

[Figure: Choosing OAuth2 Grant for ION API Client]