Commonmark migration


# OAuth2 Flows

### Authorization code grant

The Authorization code grant flow is used where not only the user needs to authenticate to gain access to a protected resource but so does the 3rd party application. This means only applications you have approved in advance can act on the user's behalf.

### Implicit Grant flow

This flow is used when either the client secret and client ID can't be protected (that being if they wouldn't be held on a server but would be distributed as an application) or you explicitly want non-preapproved applications to be able to act on the user's behalf.

### Resource Owner Password Credentials

In this case the 3rd party app collects the credentials and then passes them on to you. If you're thinking that the 3rd party app could also email them to a hostile party, you're absolutely correct; they could. But sometimes this is the only practical implementation (e.g. a mobile app; although it is technically possible to use the Implicit Grant flow with a mobile app, it is clunky).

# Your Scenarios

I can see 2 things you want to protect: the public REST endpoints and the private web services.

### Public REST endpoints

### Private web services

# Authorisation and authentication

# Who holds the tokens

replaced http://stackoverflow.com/ with https://stackoverflow.com/

Now this is an entirely different beast: you do want it only accessible by preapproved applications. These may not be authenticated by an OAuth flow at all, but if they are you definitely want to use a client ID and client secret. As the user is not "present" in the interactions between the REST endpoints and the web services you can only use the ROPC flow, but here you oblige the passing of valid client IDs/client secrets. This means your (presumably) more high-level access to your private web services can't be accessed by anyone not approved by you. It may make more sense to use a 2-legged server-to-server OAuth for this, but that is outside my area of expertise.

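The two flows the answer contrasts, the authorization code grant for a user-facing third-party app and a server-to-server exchange between the REST endpoints and the private web services, are shown below as an added example; it is not code from the original answer. To run offline it models the authorization server and both clients in one process instead of over HTTP, and it uses the client credentials grant (RFC 6749 section 4.4), which is the standard "2-legged" server-to-server flow the answer refers to, rather than ROPC. The client names (`webapp`, `rest-gateway`), secrets, redirect URI and user `alice` are invented for the demonstration.

```python
"""Toy OAuth2 authorization server plus two clients, in-process (no network).
Added example: demonstrates why a confidential client must present its own
client_id/client_secret, and how a service-to-service token differs from a
user-delegated one. Names, secrets and URIs are invented for the demo."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class AuthServer:
    def __init__(self):
        self.clients = {}  # client_id -> (sha256(secret), registered redirect_uri)
        self.codes = {}    # code -> (client_id, redirect_uri, user, scope, expiry)
        self.tokens = {}   # access_token -> claims

    def register_client(self, client_id, client_secret, redirect_uri):
        # "Approved in advance": only preregistered clients can obtain tokens.
        # A real server would store a salted hash; sha256 keeps the demo short.
        digest = hashlib.sha256(client_secret.encode()).hexdigest()
        self.clients[client_id] = (digest, redirect_uri)

    def _check_client(self, client_id, client_secret):
        entry = self.clients.get(client_id)
        if entry is None:
            return False
        presented = hashlib.sha256(client_secret.encode()).hexdigest()
        return hmac.compare_digest(entry[0], presented)  # constant-time compare

    def authorize(self, params, user):
        """Front channel: the user has logged in and approved; issue a code."""
        client_id = params["client_id"]
        if client_id not in self.clients or self.clients[client_id][1] != params["redirect_uri"]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, params["redirect_uri"], user,
                            params.get("scope", ""), time.time() + 60)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Back channel: the application itself must authenticate here."""
        if not self._check_client(form["client_id"], form["client_secret"]):
            raise PermissionError("invalid_client")
        grant = form["grant_type"]
        if grant == "authorization_code":
            entry = self.codes.pop(form["code"], None)  # single use: replay fails
            if (entry is None or entry[0] != form["client_id"]
                    or entry[1] != form["redirect_uri"] or entry[4] < time.time()):
                raise PermissionError("invalid_grant")
            user, scope = entry[2], entry[3]
        elif grant == "client_credentials":
            user, scope = None, form.get("scope", "")  # no user: the app acts for itself
        else:
            raise PermissionError("unsupported_grant_type")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = {"client_id": form["client_id"], "user": user,
                            "scope": scope, "exp": time.time() + 3600}
        return {"access_token": tok, "token_type": "Bearer", "expires_in": 3600}

    def introspect(self, token):
        """What a protected REST endpoint would ask: who does this token represent?"""
        info = self.tokens.get(token)
        if info is None or info["exp"] < time.time():
            return None
        return info


def third_party_app_flow(server, client_id, client_secret, redirect_uri, user):
    """Authorization code grant as seen from a confidential web app."""
    state = secrets.token_urlsafe(16)  # bound to the browser session; defeats CSRF on the callback
    callback = server.authorize({"response_type": "code", "client_id": client_id,
                                 "redirect_uri": redirect_uri, "scope": "read",
                                 "state": state}, user)
    qs = parse_qs(urlparse(callback).query)
    if not hmac.compare_digest(qs["state"][0], state):
        raise PermissionError("state mismatch")
    code = qs["code"][0]
    token = server.token({"grant_type": "authorization_code", "code": code,
                          "redirect_uri": redirect_uri, "client_id": client_id,
                          "client_secret": client_secret})
    return token, code


def backend_service_flow(server, client_id, client_secret):
    """Client credentials grant: REST gateway calling the private web services."""
    return server.token({"grant_type": "client_credentials", "client_id": client_id,
                         "client_secret": client_secret, "scope": "internal"})


def rejected(fn, *args):
    """True if the authorization server refused the request."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    srv = AuthServer()
    srv.register_client("webapp", "s3cret", "https://app.example/cb")   # invented
    srv.register_client("rest-gateway", "gw-secret", "")                # invented
    user_tok, code = third_party_app_flow(srv, "webapp", "s3cret", "https://app.example/cb", "alice")
    svc_tok = backend_service_flow(srv, "rest-gateway", "gw-secret")
    return srv, user_tok, code, svc_tok


if __name__ == "__main__":
    srv, user_tok, code, svc_tok = demo()
    print("user token acts for:", srv.introspect(user_tok["access_token"])["user"])
    print("service token acts for:", srv.introspect(svc_tok["access_token"])["user"])
    print("unregistered client rejected:", rejected(backend_service_flow, srv, "rogue", "x"))
```

The point to take from the two token requests is that both carry `client_id` and `client_secret`, so an application you never registered cannot obtain a token of either kind, while only the user-delegated token carries a `user` claim; the service token represents the gateway itself, which is the distinction the answer draws between the public endpoints and the private web services.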
added 208 characters in body

Now this is an entirely different beast: you do want it only accessible by preapproved applications. These may not be authenticated by an OAuth flow at all, but if they are you definitely want to use a client ID and client secret. As the user is not "present" in the interactions between the REST endpoints and the web services you can only use the ROPC flow, but here you oblige the passing of valid client IDs/client secrets. This means your (presumably) more high-level access to your private web services can't be accessed by anyone not approved by you.

Now this is an entirely different beast: you do want it only accessible by preapproved applications. These may not be authenticated by an OAuth flow at all, but if they are you definitely want to use a client ID and client secret. As the user is not "present" in the interactions between the REST endpoints and the web services you can only use the ROPC flow, but here you oblige the passing of valid client IDs/client secrets. This means your (presumably) more high-level access to your private web services can't be accessed by anyone not approved by you. It may make more sense to use a 2-legged server-to-server OAuth for this, but that is outside my area of expertise.
