By Justin Richer and Antonio Sanso This article was excerpted from the book OAuth 2 in Action . The OAuth core specification specifies four different grant types: Authorization Code , Implicit , Resource Owner Password Credentials and Client Credentials . Each grant type is designed with different security and deployment aspects in mind and should be used accordingly. For example, the Implicit grant flow is to be used by OAuth clients where the client code executes within the user agent environment. Such clients are generally JavaScript-only applications, which have, of course, limited capability of hiding the client_secret in client-side code running in the browser. At the other side of the spectrum there are classic server-side applications that can use the authorization code grant type and can safely store the client_secret somewhere in the server. What about native applications then? Native applications are those that run directly on the end user’s device, be it