I have an ASP.NET Core application and also a REST API as a resource which I want to protect.
I use IdentityServer4 for getting an access token and use that token for requests from the API.
But my problem is, which type of grant types I should use for this scenario?
I am new to this topic and I got confused :(
The Client Credentials grant type is used by clients to obtain an access token outside of the context of a user.
This is most often used by clients to access internal data which is not considered to be private user data.
The Password grant is a legacy grant type type which was a way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.
This flow provides no mechanism for things like multifactor authentication or delegated accounts, so is quite limiting in practice.
The latest OAuth 2.0 Security Best Current Practice disallows the password grant entirely.
Assuming that the data you accessing user data you should consider using Authorization code.
The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.
After the user returns to the client via the redirect URL, the application will get the authorization code from the URL and use it to request an access token.
It is recommended that all clients use the PKCE extension with this flow as well to provide better security.
I recommend reviewing Grant types Most of the information above comes directly from the SPECS.