Model Overview

OAuth2Server requires a model object through which some aspects of storage, retrieval and custom validation are abstracted.

Grant Types

RFC 6749 describes a number of grants for a client application to acquire an access token.

The following grant types are supported by oauth2-server:

Client Credentials Grant

See Section 4.4 of RFC 6749.

The client can request an access token using only its client credentials (or other supported means of authentication) when requesting access to the protected resources under its control.

The client credentials grant type must only be used by confidential clients.

Model functions used by the client credentials grant:

Implicit Grant

See Section 4.2 of RFC 6749.

An implicit grant is used to obtain access tokens optimised for public clients known to operate a particular redirection URI. Usually used for browser-based clients implemented in JavaScript.

Model functions used by the implicit grant:

Refresh Token Grant

See Section 6 of RFC 6749.

If the authorization server issued a refresh token to the client, the client can present it to request a new access token.

Model functions used by the refresh token grant:

Password Grant

See Section 4.3 of RFC 6749.

The password grant is suitable for clients capable of obtaining the resource owner’s credentials (username and password, typically using an interactive form).

Model functions used by the password grant:

Extension Grants

See Section 4.5 of RFC 6749.

The authorization server may also implement custom grant types to issue access (and optionally refresh) tokens.

See Extension Grants.

Request Authentication

See Section 2 of RFC 6750.

The authorization server authenticates requests sent to the resource server by verifying the included bearer token.

Model functions used during request authentication: