OAuth 2.0 Flows
Faable Auth implements the standard OAuth 2.0 / OpenID Connect grants. Which one you need depends on two questions: is a user logging in? and can your app keep a secret?
Choosing a flow
| Your situation | Use this flow |
|---|---|
| A user logs into your web, SPA, or mobile app | Authorization Code with PKCE |
| A backend service calls an API — no user involved | Client Credentials |
| A user logs into a CLI tool, Smart TV, or IoT device | Device Code |
| You already have a session and want to renew it without re-login | Refresh Token |
| A CI job or workload has a JWT from a trusted issuer (GitHub Actions) | Token Exchange |
At a glance
| Flow | User present | Needs client_secret | Returns | Typical client |
|---|---|---|---|---|
| Authorization Code + PKCE | Yes | No | Access + ID + Refresh token | SPA, mobile, server-side web |
| Client Credentials | No | Yes | Access token | Backend service, cron, CI |
| Device Code | Yes | No | Access + ID + Refresh token | CLI, Smart TV, IoT |
| Refresh Token | Already authenticated | No | New access + ID + rotated refresh token | Any client holding a refresh token |
| Token Exchange | No | No | Access token (30 min) | CI job, federated workload |
All of them exchange credentials at the same endpoint — POST /oauth/token on your tenant domain — and return the same standard token response. In the browser, the @faable/auth-js SDK picks and drives the right flow for you (PKCE + automatic refresh).
FAQ
Which OAuth flow should I use?
If a user logs into your web, SPA, or mobile app, use Authorization Code with PKCE. If a backend service calls an API with no user involved, use Client Credentials. If the user logs in on a CLI, Smart TV, or IoT device, use Device Code. To renew an existing session without re-login, use the Refresh Token flow.
Do I ever combine flows?
Yes, all the time: a SPA uses Authorization Code + PKCE to log the user in and Refresh Token to stay logged in, while its backend uses Client Credentials to call other services. Same tenant, same users, same tokens.
What about the Implicit flow or Resource Owner Password?
They’re legacy. OAuth 2.0 best practice (and the OAuth 2.1 draft) replaces the Implicit flow with Authorization Code + PKCE, and discourages sending user passwords through your app. Faable Auth steers you to the modern grants above.
Where do I get the credentials each flow needs?
Register a Client in the Faable Dashboard — it gives you the client_id (and a client_secret for confidential clients). If your tokens target your own backend, also register an API to get an audience and define permissions.
Related
- Clients — register the application that runs the flow.
- APIs — register the backend the tokens are for.
- Connections — the login methods your users see.
- OAuth 2.0 grant types overview — background reading.
Last updated on