About OAuth Configuration for SOAP and REST Data Sources
OAuth is a standard method for obtaining secure authorization from the Web. The OAuth authorization framework enables a third-party application to obtain limited access to an HTTP service. You are expected to be familiar with the OAuth 2.0 Authorization Framework (RFC 6749).
If 5 seconds is not the appropriate time for the data source to wait for a web page execution to occur, you can modify the Default OAuth Page Execution Timeout configuration parameter value.
The OAuth grant flows between the client and the resource owner are:
Authorization code grant—OAuth uses an authorization server as an intermediary to obtain an authorization code. The authorization server authenticates the resource owner and obtains authorization. The resource owner's credentials are not shared with the client.
Implicit grant—This simplified flow is optimized for browser clients using a scripting language. The client is issued an access token directly; the authorization server does not authenticate the client. However, the access token may be exposed to the resource owner or other applications with access to the resource server.
Resource owner password credentials grant—The resource owner credentials (username and password) can be used directly as an authorization grant to obtain an access token. The credentials should only be used when there is a high degree of trust between the resource owner and the client, and when other authorization grant types are not available. With this grant type, the client can use a long-lived access token or refresh token instead of storing the resource owner credentials for future use.
Client credentials grant—The client credentials (or other forms of client authentication) can be used as an authorization grant when the authorization scope is limited to protected resources either under the control of the client or previously arranged with the authorization server.
Custom Grant—You specify the JavaScript or other process to use to obtain the access token to connect to the resource. For example, the client can request an access token using a Security Assertion Markup Language (SAML) 2.0 bearer assertion grant type.
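The token-endpoint requests behind the grants listed above, as an added example (not TIBCO code or TDV configuration): it builds, without sending, the RFC 6749 form body for each grant, plus the RFC 7522 SAML 2.0 bearer grant mentioned under Custom Grant. The function name `buildTokenRequest`, the grant object fields, and all endpoint and client values are assumptions made for illustration.

```javascript
// Added example: builds (does not send) the token request for each grant type.
// All endpoint, client and user values passed in are constructed placeholders.
const SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"; // RFC 7522
const formEncode = (v) => new URLSearchParams({ v }).toString().slice(2);

function buildTokenRequest(tokenUrl, grant, client) {
  if (new URL(tokenUrl).protocol !== "https:") {
    throw new Error("token endpoint must use HTTPS: credentials travel in the request");
  }
  const body = new URLSearchParams();
  switch (grant.type) {
    case "authorization_code": // one-time code, never the owner's password
      body.set("grant_type", "authorization_code");
      body.set("code", grant.code);
      body.set("redirect_uri", grant.redirectUri);
      break;
    case "password": // the client handles the owner's credentials directly
      body.set("grant_type", "password");
      body.set("username", grant.username);
      body.set("password", grant.password);
      break;
    case "client_credentials": // confidential clients only
      if (!client || !client.secret) throw new Error("client authentication required");
      body.set("grant_type", "client_credentials");
      break;
    case "saml2_bearer": // assertion XML is base64url-encoded (RFC 7522)
      body.set("grant_type", SAML2_BEARER);
      body.set("assertion", Buffer.from(grant.assertionXml).toString("base64url"));
      break;
    case "implicit": // token arrives in the redirect fragment instead
      throw new Error("implicit grant makes no token-endpoint request");
    default:
      throw new Error(`unknown grant type: ${grant.type}`);
  }
  if (grant.scope) body.set("scope", grant.scope);
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (client && client.secret) {
    // Confidential client: HTTP Basic authentication (RFC 6749 section 2.3.1).
    const basic = Buffer.from(`${formEncode(client.id)}:${formEncode(client.secret)}`);
    headers.Authorization = `Basic ${basic.toString("base64")}`;
  } else if (client) {
    body.set("client_id", client.id); // public client: identifier only
  }
  return { method: "POST", url: tokenUrl, headers, body: body.toString() };
}
```

Comparing the returned bodies shows which secrets each grant places in the client's hands: only the password grant carries the resource owner's credentials, and the implicit grant never reaches the token endpoint at all.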