The Telligent Evolution platform supports 2 client types: Public and Confidential, and 4 grant types: Implicit, Authorization Code, User Credentials and Client Credentials.
Client Types
Following are the definitions of public and confidential client types as defined by the IETF OAuth v2 draft recommendation.
Public: clients incapable of maintaining the confidentiality of their credentials (e.g. clients executing on the device used by the resource owner such as an installed native application or a web browser-based application), and incapable of secure client authentication via any other means.
Confidential: clients capable of maintaining the confidentiality of their credentials (e.g. client implemented on a secure server with restricted access to the client credentials), or capable of secure client authentication using other means.
Grant Types
Implicit Grant: The client will request authorization from the user and get back an access token from the Telligent Evolution site. Both public and confidential clients can use implicit grant.
- Client application prompts user to authenticate and sends the user to the Telligent Evolution site: ~/api.ashx/v2/oauth/authorize?client_id={ClientId}&response_type=token&redirect_url={RedirectUrl}
- User confirms that they want to allow the client application to act on their behalf
- User is redirected back to the client's defined redirect url with an access_token value appended to the querystring
- Client application uses the access token to access the Telligent Evolution site's REST endpoints as the user by including an Authorization header with a value of "OAuth {AccessToken}"
Authorization Code: The client will request authorization from the user and get back an authorization code. Client then uses that authorization code to request an access token and refresh token. Only confidential clients can use the authorization code grant.
- Client application prompts user to authenticate and sends the user to the Telligent Evolution site: ~/api.ashx/v2/oauth/authorize?client_id={ClientId}&response_type=code&redirect_uri={RedirectUrl}
- User confirms that they want to allow the client application to act on their behalf
- User is redirected back to the client's defined redirect url with a code value appended to the querystring
- Client application posts to the Telligent Evolution site: ~/api.ashx/v2/oauth/token with data of client_id={ClientId}&client_secret={ClientSecret}&grant_type=authorization_code&code={Code}&redirect_uri={RedirectUrl}
- Response is sent back to the client application with values for access_token, expires_in, and refresh_token
- Client application then uses the access token to access the Telligent Evolution site's REST endpoints as the user by including an Authorization header with a value of "OAuth {AccessToken}"
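The authorization code steps above, as an added example that is not Telligent's own code: a minimal confidential client using only the Python standard library. It assumes a placeholder site base URL and that the token response is JSON; the redirect check before extracting the code is this example's own defensive step.

```python
# Added example (not part of the Telligent documentation): authorization-code
# client for the endpoints described above. Assumptions: SITE is a constructed
# placeholder and the token response body is JSON.
import json
from urllib.parse import urlencode, urlsplit, parse_qs

SITE = "https://community.example.com"  # constructed placeholder site

def build_authorize_url(client_id, redirect_uri):
    """Step 1: URL the client sends the user to (response_type=code)."""
    q = urlencode({"client_id": client_id, "response_type": "code",
                   "redirect_uri": redirect_uri})
    return f"{SITE}/api.ashx/v2/oauth/authorize?{q}"

def extract_code(received_url, registered_redirect_uri):
    """Step 3: pull `code` off the redirect querystring, after checking that
    the redirect landed on the redirect URI registered for this client."""
    got, want = urlsplit(received_url), urlsplit(registered_redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect did not land on the registered redirect_uri")
    codes = parse_qs(got.query).get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def build_token_request(client_id, client_secret, code, redirect_uri):
    """Step 4: URL and form body for the POST to ~/api.ashx/v2/oauth/token.
    Only a confidential client holds client_secret; keep it server-side."""
    body = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri})
    return f"{SITE}/api.ashx/v2/oauth/token", body

def parse_token_response(raw):
    """Step 5: the response carries access_token, expires_in and refresh_token
    (JSON encoding is an assumption of this example)."""
    data = json.loads(raw)
    for key in ("access_token", "expires_in", "refresh_token"):
        if key not in data:
            raise ValueError(f"token response missing {key}")
    return data["access_token"], int(data["expires_in"]), data["refresh_token"]

def auth_header(access_token):
    """Step 6: header sent on every REST call made on the user's behalf."""
    return {"Authorization": f"OAuth {access_token}"}
```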
User Credentials: The client will send the user's credentials to get back an access token. Both public and confidential clients can use the user credentials grant.
- User provides client application with their username and password.
- Client application posts to the Telligent Evolution site: ~/api.ashx/v2/oauth/token with data of client_id={ClientId}&grant_type=password&username={Username}&password={Password}
- Response is sent back to the client application with values for access_token, expires_in, and refresh_token
- Client application then uses the access token to access the Telligent Evolution site's REST endpoints as the user by including an Authorization header with a value of "OAuth {AccessToken}"
Client Credentials: The client will use its credentials to get an access token for any user. Only use this type of grant for fully trusted client applications since it allows them to authenticate as and impersonate any user. Only confidential clients can use the client credentials grant.
- User provides the client application with their username
- Client application posts to the Telligent Evolution site: ~/api.ashx/v2/oauth/token with data of client_id={ClientId}&client_secret={ClientSecret}&grant_type=client_credentials&username={Username}
- Response is sent back to the client application with values for access_token, expires_in, and refresh_token
- Client application then uses the access token to access the Telligent Evolution site's REST endpoints as the user by including an Authorization header with a value of "OAuth {AccessToken}"