Subscribe to the Non-Human & AI Identity Journal
Home FAQ Authentication, Authorisation & Trust How should security teams choose between OAuth flows…
Authentication, Authorisation & Trust

How should security teams choose between OAuth flows for different client types?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 6, 2026 Domain: Authentication, Authorisation & Trust

Choose the flow by trust boundary and client capability. Use authorization code flow for interactive applications, client credentials flow for server-to-server access, and device authorization when the device cannot support direct user input. The decision should also account for token lifetime, revocation, and whether the client can safely hold secrets.

Why This Matters for Security Teams

OAuth is often treated like a single choice between “secure” and “less secure,” but client type determines the actual risk. An interactive web app can safely redirect a user, while a backend service or unattended script cannot. The wrong flow creates avoidable token exposure, brittle revocation, and unclear trust boundaries. That matters because OAuth apps are now a major route into third-party data access, and visibility into those connections remains poor across many environments, as highlighted in the State of Non-Human Identity Security.

Security teams also need to align flow choice with identity governance, not just developer convenience. The NIST Cybersecurity Framework 2.0 emphasises access control, monitoring, and recovery, all of which become harder when a client receives more privilege or longer-lived tokens than its design can justify. In practice, many security teams encounter OAuth misuse only after a connected app is abused to move laterally or exfiltrate data, rather than through intentional architecture review.

How It Works in Practice

Start with two questions: can the client safely hold a secret, and can it involve the user directly? If both answers are yes, authorization code flow is usually the right default for interactive applications because the client never sees the user’s password and the exchange can be hardened with PKCE. If the client is a trusted backend service, client credentials flow is appropriate because the system authenticates as itself rather than on behalf of a user. If the device cannot provide a browser or keyboard, device authorization is the practical option because the user completes login on a separate trusted device.

Operationally, good flow selection is only part of the control set. Teams should pair it with short-lived tokens, scoped consent, logging, and revocation paths that actually work. NHI guidance from Ultimate Guide to NHIs is clear that weak rotation and poor visibility are recurring failure points. For OAuth-specific exposure, the Salesloft OAuth token breach shows how token abuse can turn a legitimate integration into a data access path.

  • Use authorization code flow for user-facing apps, with PKCE and strict redirect URI validation.
  • Use client credentials flow only for server-to-server workloads that can protect secrets in a vault or equivalent control.
  • Use device authorization when the client cannot support direct user interaction, but still needs delegated access.
  • Keep access tokens short-lived and refresh tokens tightly protected, especially when the client is not fully trusted.
  • Review scopes as if they were standing privileges, because overbroad consent becomes persistent access.

Current guidance suggests that the safest OAuth design is the one that minimises what the client can retain after issuance, not the one that merely authenticates successfully. These controls tend to break down when legacy apps, shared service accounts, or long-lived refresh tokens are embedded in CI/CD pipelines because revocation and attribution become unreliable.

Common Variations and Edge Cases

Tighter OAuth controls often increase integration overhead, requiring organisations to balance developer speed against containment. That tradeoff is most visible when a client cannot support PKCE, cannot store secrets safely, or must operate across many tenants. In those cases, best practice is evolving, but the general direction is clear: reduce reliance on static secrets, narrow scopes, and shorten token lifetimes wherever possible.

Edge cases also arise in machine-to-machine automation and vendor-connected apps. A service that behaves like a client application may still be an NHI in practice, so its token handling deserves the same discipline as other non-human access paths. The Dropbox Sign breach underscores how third-party integrations can amplify exposure when consented access is broader than the business need. There is no universal standard for every edge case yet, but teams should treat shared credentials, delegated admin tools, and multi-tenant SaaS connectors as higher-risk patterns requiring extra review.

Where organisations get this wrong is assuming “service” automatically means client credentials and “user app” automatically means authorization code. In reality, the trust boundary and the ability to protect secrets matter more than the label. In practice, OAuth failures often appear first in unexpected places such as support tooling, automation scripts, or partner integrations, after access has already been granted too broadly.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01OAuth tokens and secrets are NHI assets that need scoped, short-lived handling.
CSA MAESTROGOV-2OAuth flow choice depends on governance over machine and agent identities.
NIST AI RMFOAuth design for autonomous or AI-driven clients needs risk-based runtime decisions.

Treat OAuth-issued credentials as NHIs and enforce least privilege, rotation, and revocation controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org