On OAuth and Open ID Connect

Terms

Grants: the mode/scenario/method a client acquires the access token, as per offical OAuthSpec
Resource owner: the entity that can grant access to the resource
Resource server: the server hosting the resource
Client: the entity that wants to access the resource. Client will need authorization from resource owner.
Authorization Server: the entity trusted by the resource server. AS will issue access token to client, once resource owner authenticates and authorizes client’s request. Often called identify provider
Scope: the permission/access client wants to resources

OAuth is an AUTHORIZATION protocol but NOT an authentication one. How authentication is undefined, but normally uses Open ID Connect, which builds on top of the OAUTH.
OAuth flow is actually very similar to Open ID (NO CONNECT)’s. The key difference being that the former returns the access token, while the latter just a signed claim that client got the the authorization from the user. Hence, Oauth workflow is often called pseudo-oauth-authentication
Which OAuth grant to use depends greatly on the context.

a. Client Credential: authorizing machine to access, no need of permission from user, i.e., machine to machine authorization = client is the resource owner. Example: a cron job that uses an API to import to DB, and the application can use the oauth access token to call the API on behalf of ITSELF

b. Otherwise, Authoerzation Code: need permission from user, and client is a web app and runs on a server. This is considered safest, because AT is to the web server hosting the client, without going through user’s web browser

c. Otherwise, Resource Owner Password Credential: Client is trusted with user credentials. Note that this flow is a legacy, and should be used ONLY WHEN ACG is not available

d. Otherwise, ACG if client is a native app

e. Otherwie, client is an SAP: implicit grant.
Authorization is mostly role-based instead of ACL-based. Note that there exists a standard DB model for RBAC.