Tags: security, authentication, oauth-2.0, oauth, authorization

Why do we need to pass grant_type from client application in oauth protocol?


Why do we need to pass the grant type from the client application when using the OAuth protocol?

  1. Sometimes, when I use the wrong grant type, it says that the grant type is incorrect, so if I can pass only the supported value, then passing this value is redundant. The server can simply pick the supported one. The client application shouldn't have to pass it.

  2. If more than one grant type is available for the client application to pass, then can't the client simply pass the least restrictive grant type? Why should the client care about what the most appropriate grant type is? Does the client have to comply with some standards or legal issues?


Solution

  • Grant types are part of the OAuth 2 specification, RFC 6749. They are intended for telling the authorization server which type of authorization you intend to use. Each grant type is intended for a different use case.

    • Authorization Code for apps running on a web server, browser-based and mobile apps
    • Password for logging in with a username and password (only for first-party apps)
    • Client credentials for application access without a user present
    • Implicit was previously recommended for clients without a secret, but has been superseded by using the Authorization Code grant with PKCE.

    Asking the authorization server to guess which type of authorization you want to use would IMO be a big security risk. It's better for the developer in question to outright tell the authorization server which grant type they are trying to use. This way the authorization server can then validate that what you are doing is correct.
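The validation the answer describes, as an added example that is not code from the original post or from any real authorization server: a minimal token endpoint in Python that requires `grant_type`, checks it against the grant types registered for the authenticated client, and then applies the parameter checks that are specific to that grant (PKCE for `authorization_code`, a client secret for `client_credentials`). The client registry, the code store and the helper names `issue_code`, `token_endpoint` and `s256_challenge` are assumptions made for this example; the error codes are the ones defined in RFC 6749 section 5.2 and the PKCE transform is the S256 method from RFC 7636. It also shows why a client cannot just pick the "least restrictive" grant: the server only honours the grants each client was registered for.

```python
"""Minimal OAuth 2.0 token endpoint showing why grant_type must be explicit.

Added example, not code from the original post. The client registry, the
code store and the helper names (issue_code, token_endpoint,
s256_challenge) are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed client registry (assumption). In a real server this comes from
# client registration; each client is allowed only the grants its use case needs.
CLIENTS = {
    "web-app":    {"secret": "web-secret",  "grant_types": {"authorization_code"}},
    "mobile-app": {"secret": None,          "grant_types": {"authorization_code"}},  # public client: PKCE required
    "batch-job":  {"secret": "cron-secret", "grant_types": {"client_credentials"}},
}

# Grant types this server implements at all. "password" is deliberately absent,
# and "implicit" never reaches the token endpoint in the first place.
SUPPORTED_GRANT_TYPES = {"authorization_code", "client_credentials"}

# One-time authorization codes issued by the (simulated) authorization endpoint.
_ISSUED_CODES = {}


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: BASE64URL(SHA256(verifier)) without padding (RFC 7636 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_code(client_id: str, redirect_uri: str, code_challenge: Optional[str]) -> str:
    """Simulates the authorization endpoint: binds a fresh code to the client,
    redirect URI and PKCE challenge it was issued for."""
    code = secrets.token_urlsafe(24)
    _ISSUED_CODES[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
    }
    return code


def _error(code: str) -> dict:
    return {"error": code}  # error codes as defined in RFC 6749 section 5.2


def token_endpoint(params: dict) -> dict:
    """Handles POST /token. `params` is the decoded form body; client credentials
    are taken from the body here for brevity (RFC 6749 prefers HTTP Basic auth)."""
    # 1. grant_type is REQUIRED; the server never guesses it.
    grant_type = params.get("grant_type")
    if grant_type is None:
        return _error("invalid_request")
    if grant_type not in SUPPORTED_GRANT_TYPES:
        return _error("unsupported_grant_type")

    # 2. Identify the client and, for confidential clients, authenticate it.
    client = CLIENTS.get(params.get("client_id", ""))
    if client is None:
        return _error("invalid_client")
    if client["secret"] is not None:
        if not hmac.compare_digest(params.get("client_secret", ""), client["secret"]):
            return _error("invalid_client")

    # 3. A client may only use the grants registered for it, so it cannot
    #    simply ask for the "least restrictive" one.
    if grant_type not in client["grant_types"]:
        return _error("unauthorized_client")

    # 4. Each grant has its own required parameters and checks.
    if grant_type == "authorization_code":
        # Consume the code on first use, whether or not the rest validates,
        # so a stolen code cannot be retried with guessed verifiers.
        record = _ISSUED_CODES.pop(params.get("code", ""), None)
        if record is None or record["client_id"] != params["client_id"]:
            return _error("invalid_grant")
        if record["redirect_uri"] != params.get("redirect_uri"):
            return _error("invalid_grant")
        if record["code_challenge"] is not None or client["secret"] is None:
            # PKCE is mandatory for public clients and enforced whenever a challenge was bound.
            verifier = params.get("code_verifier", "")
            if record["code_challenge"] is None or not 43 <= len(verifier) <= 128:
                return _error("invalid_grant")
            if not hmac.compare_digest(s256_challenge(verifier), record["code_challenge"]):
                return _error("invalid_grant")
    elif grant_type == "client_credentials":
        if client["secret"] is None:
            return _error("unauthorized_client")  # no user and no secret: nothing to authenticate

    return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}
```

A request without `grant_type` is rejected with `invalid_request` before anything else is looked at, a grant the server does not implement gets `unsupported_grant_type`, and a grant the client is not registered for gets `unauthorized_client` even when the client authenticates correctly. The sample verifier in the test is the one from RFC 7636 Appendix B, whose S256 challenge is `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.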