Context
I'm trying to build an hybrid multi-tenant API using OAuth2.0 using Laravel 8 Passport, so my system has 2 parts: one process the request from the tenant application, and the other part process the request from my front-end which allows to enable/disable features on the tenant application
Research
I'm confused with OAuth2 flows, I found multiple articles about OAuth2 flows but these 2 are the best from my point of view:
DigitalOcean Article
https://www.digitalocean.com/community/tutorials/an-introduction-to-oauth-2
OAuth2 flows
OAuth 2 defines three primary grant types, each of which is useful in different cases:
Authorization Code: used with server-side Applications
Client Credentials: used with Applications that have API access
Device Code: used for devices that lack browsers or have input limitations
In my case I didn't find useful device code, so I am going to paste only Authorization Code and Client Credentials
Grant Type: Authorization Code
The authorization code grant type is the most commonly used because it is optimized for server-side applications, where source code is not publicly exposed, and Client Secret confidentiality can be maintained. This is a redirection-based flow, which means that the application must be capable of interacting with the user-agent (i.e. the user’s web browser) and receiving API authorization codes that are routed through the user-agent.
Grant Type: Client Credentials
The client credentials grant type provides an application a way to access its own service account. Examples of when this might be useful include if an application wants to update its registered description or redirect URI, or access other data stored in its service account via the API.
Paradigma Digital Article
(Sorry this article is in Spanish because its my native language, I pasted in English the fragments that I consider relevant)
https://www.paradigmadigital.com/dev/oauth-2-0-equilibrio-y-usabilidad-en-la-securizacion-de-apis/
OAuth 2 Flows or grant types
OAuth flows also called grant types refer to the way an application obtains an access token that allows it to access the exposed data through an API.
The existence of these flows by the standard arises to respond to all the business scenarios that can occur in the consumption of APIs according to three variables:
The type of consuming application.
Your degree of confidence.
How is the interaction by the user in the process.
Grant Type: Client Credentials
This flow represents the case in which the application belongs to the user, so there is no need for the user to authenticate or help the authentication server in any way to decide if access for that application is guaranteed, that is, the access token sent by the server is obtained by authenticating only the application, not the user.
The main difference with the rest of the flows is that the user does not interact in the process, so the application cannot act on behalf of the user, only on its own behalf.
WHEN IT'S USED?
Consumer application type: Internal applications of the organization or the data that the API exposes is not sensitive.
User interaction: none.
Application confidence level: high, usually internal, or the data exposed by the API is not sensitive.
Communication type: server-server.
Grant Type: Authorization Code
This flow is characterized by user intervention to explicitly authorize access to their data by the application and by the use of a code provided by the authentication server so that the application can obtain an access token.
WHEN IT'S USED?
Type of consumer application: web applications, it can also be used in mobile applications, but without storing the client secret and making use of the PKCE extension, which protects against attacks that intercept the authorization code. Degree of trust of the application: an untrusted third party.
User interaction: explicit consent through a browser.
Communication type: commonly used in client-server communications.
Questions
From my point of view I have to use 2 flows: Authorization Code with PKCE for requests from the tenant application (considering that it is an untrusted third party) and Client Credentials for request from my front-end
Can you give me additional beginner-friendly resources to know best practices of OAuth flows (storage, requests, etc)?
What do I have to keep in mind?
Can you give me some tricks?
Can you explain me OAuth flows better or with the resources I have is enough?
How Google Cloud services such as Google Maps API Keys work?
What type and flow of authentication do they use?
Why do they generate client and secret API Keys?
Am I in the right path?
IF NOT
Which flows should I use for my multi-tenant API and why?
Can you give me some resource to help me understand OAuth2 better?
Useful links
You can read more about Laravel Passport here:
https://laravel.com/docs/8.x/passport#deploying-passport
You can read more about hybrid multi-tenancy here:
https://blog.sharetechlinks.com/hybrid-multi-tenant-saas-application-system-design/