OAuth 2.0
OAuth 2.0 is the authorization framework TraffiTech builds on. It answers the question "is this client allowed to access this resource on behalf of this user (or itself)?" by issuing an access token.
OAuth 2.0 is about authorization. If you also need to know who the user is, use OpenID Connect - it's OAuth 2.0 plus an identity layer on top.
Grant types
TraffiTech supports four grant types. Pick the one that matches your application's trust model.
| Grant | When to use | Notes |
|---|---|---|
| Authorization Code + PKCE | Single-page apps, mobile apps, native desktop apps - any public client that can't safely store a secret | Recommended default for user-facing apps |
| Authorization Code + Client Secret | Confidential web apps with a trusted backend that can hold a secret | Use PKCE too where the library supports it |
| Client Credentials | Machine-to-machine - a backend service calling TraffiTech on its own behalf, with no user involved | Grants an access token for a service account; no refresh token |
| Refresh Token | Renew an expired access token without re-prompting the user | Issued alongside the access token when offline_access is requested |
Which grant should I use?
| Your app is a… | Grant to use |
|---|---|
| SPA, mobile app, or native desktop app | Authorization Code + PKCE |
| Traditional server-rendered web app | Authorization Code + Client Secret (add PKCE) |
| Backend cron job / internal service | Client Credentials |
Implicit flow and resource owner password credentials are not supported. If you're coming from an older integration that used them, migrate to Authorization Code + PKCE.
Access tokens
TraffiTech issues access tokens as JWTs signed with the same keys used for ID tokens (published at /jwks). Typical claims:
| Claim | Meaning |
|---|---|
| iss | Issuer - always https://oidc.traffitech.com |
| sub | Subject - the user (for user flows) or the client (for client credentials) |
| aud | Audience - the resource the token is intended for |
| exp | Expiration (unix seconds) |
| scope | Space-separated list of granted scopes |
| client_id | The client that requested the token |
Resource servers that receive a TraffiTech access token should:
- Fetch the JWKS from /jwks, select the verification key by the token's kid header, and cache the JWKS rather than fetching it on every request.
- Verify the signature, iss, aud, and exp.
- Check that the scope covers the action being performed.
The token endpoint
All grant types exchange their input (authorization code, refresh token, client credentials) at POST /token:
```http
POST /token HTTP/1.1
Host: oidc.traffitech.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=...&redirect_uri=...&client_id=...&code_verifier=...
```
Response:
```json
{
  "access_token": "eyJhbGci...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "eyJhbGci...",
  "id_token": "eyJhbGci...",
  "scope": "openid profile email offline_access"
}
```
The id_token is only returned when the request included the openid scope, and the refresh_token only when it included offline_access (a client credentials request never receives one).