OAuth 2.0 Authorization Grants

This post summarizes the four kinds of authorization grants supported by the OAuth 2.0 specification:

  1. Authorization code
    Usage: For accessing user specific data.
    Stack: Requires a server. The app interface could be pretty much anything.
    Flow: OAuth2 dance between your app, your server and their server.
    Security: High. The access token is protected at the server side.

  2. Implicit
    Usage: For accessing user specific data.
    Stack: Does not require a server. The app interface is typically a browser but could also be a native app.
    Flow: OAuth2 dance between your app and their server.
    Security: Medium. The access token is returned directly to the app/browser, so it is exposed there.

  3. Resource owner password credentials
    Usage: For accessing user specific data.
    Stack: Anything.
    Flow: Simply exchange username/password for an access token.
    Security: Low.

  4. Client credentials
    Usage: For accessing non-user specific data. For example, aggregated data or anything which does not need user identity. Typically used to secure REST APIs or other service to service communication where there is no explicit user involvement. Here is your friend Microsoft using it. Or your other friend, Google.
    Stack: Anything.
    Flow: Simply exchange clientId/clientSecret for an access token.
    Security: Depends on how the clientId/clientSecret are transmitted and on how the retrieved access token is stored and renewed.
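
As an added example (not code from the original post), here is the client credentials exchange from item 4 in Python: the clientId/clientSecret travel in an HTTP Basic Authorization header rather than in the form body, and a small cache holds the access token and renews it shortly before it expires. The token URL and credentials are placeholders.

```python
import base64
import time
from urllib.parse import quote, urlencode
from urllib.request import Request


def build_client_credentials_request(token_url, client_id, client_secret, scope=None):
    """Build the POST to the token endpoint for grant_type=client_credentials.

    The client id/secret are sent as HTTP Basic credentials (RFC 6749 2.3.1:
    each is form-urlencoded before being joined with ':' and base64-encoded),
    so the secret is not mixed into the request body.
    """
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return Request(token_url, data=urlencode(body).encode("ascii"),
                   headers=headers, method="POST")


class TokenCache:
    """Keep the access token in memory and renew it before it expires."""

    def __init__(self, fetch_token, clock=time.time, margin=60):
        self._fetch = fetch_token    # callable that performs the request and returns the parsed JSON
        self._clock = clock          # injectable for testing
        self._margin = margin        # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def get(self):
        """Return a usable bearer token, fetching a fresh one when needed."""
        if self._token is None or self._clock() >= self._expires_at - self._margin:
            resp = self._fetch()
            if resp.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type in token response")
            self._token = resp["access_token"]
            # expires_in is a lifetime in seconds relative to now (RFC 6749 5.1)
            self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        return self._token
```

In production the `fetch_token` callable would send the request over HTTPS with `urllib.request.urlopen` and `json.loads` the response; it is left injectable here so the renewal logic can be exercised offline.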

For more comprehensive reading, see OAuth 2 Simplified and An Introduction to OAuth 2.