Which OAuth flow must the caller application use?

Cloud API supports two OAuth flows: authorization code flow and client credential flow.

Authorization code flow

Authorization code flow is designed for browser-based applications that typically have a user interface and that users interact with.


Summary of authorization flow

Within authorization code flow:

  1. The caller application requests a JWT from Guidewire Hub.
  2. Guidewire Hub acquires the user's user name and password from the user. It sends this information to the appropriate IdP.
  3. The IdP authenticates the user.
  4. The IdP provides a SAML response with the information that defines the user's authorization. This could include endpoint access role names and resource access IDs.
  5. Guidewire Hub sends a code to the caller application. The caller application uses this code to request a JWT.
  6. Guidewire Hub sends the JWT to the caller application.

Once the caller application has the JWT, it can send the API request to PolicyCenter (7), which then processes the request and sends the reply (8).

Authorization code flow can be used with the following Cloud API auth flows:

  • Internal user
  • External user

Client credential flow

Client credential flow is designed for services that typically do not have a user interface and that take action without any synchronous user input.


Summary of client credential flow

Within client credential flow:

  1. The caller requests a JWT from Guidewire Hub.
  2. Guidewire Hub authenticates the caller.
  3. Guidewire Hub sends the JWT to the caller application.

Once the caller application has the JWT, it can send the API request to PolicyCenter (4), which then processes the request and sends the reply (5).
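The client credential steps above, as an added example that is not Guidewire code: a caller that requests a JWT from Guidewire Hub, reuses it until shortly before its "exp" claim, and sends it as a Bearer token to PolicyCenter. The token and API URLs, the client_id/client_secret values, the expiry-based caching and the injected post/get transports are all assumptions so that the example runs offline.

```python
# Added example (not Guidewire code): minimal client credential caller.
# Endpoint URLs are placeholders; transports and the clock are injected.
import base64
import json
import time
import urllib.parse

TOKEN_URL = "https://hub.example.invalid/oauth2/token"  # placeholder, not a real Hub URL
API_URL = "https://pc.example.invalid/rest/account/v1/accounts"  # placeholder
REFRESH_MARGIN = 60  # seconds before "exp" at which a fresh JWT is requested


def jwt_expiry(jwt):
    """Read the 'exp' claim from the JWT payload. No signature check here:
    PolicyCenter, as the resource server, is the party that must verify it."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload_b64))["exp"])


class ClientCredentialCaller:
    def __init__(self, client_id, client_secret, post, get, now=time.time):
        self.client_id, self.client_secret = client_id, client_secret
        self.post, self.get, self.now = post, get, now  # injected transports and clock
        self.jwt, self.exp = None, 0
        self.token_requests = 0  # counts round trips to Guidewire Hub

    def token(self):
        """Steps 1-3: request a JWT only when none is cached or it is about to expire."""
        if self.jwt is None or self.now() >= self.exp - REFRESH_MARGIN:
            body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                           "client_id": self.client_id,
                                           "client_secret": self.client_secret})
            headers = {"Content-Type": "application/x-www-form-urlencoded"}
            resp = self.post(TOKEN_URL, headers, body)
            self.jwt = json.loads(resp)["access_token"]
            self.exp = jwt_expiry(self.jwt)
            self.token_requests += 1
        return self.jwt

    def call_api(self, url=API_URL):
        """Step 4: send the API request to PolicyCenter with the JWT as a Bearer token."""
        return self.get(url, {"Authorization": "Bearer " + self.token()})
```

The secret never leaves the token request body, and a caller that tracks "exp" avoids sending an expired JWT that PolicyCenter would reject.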

Client credential flow can be used with the following Cloud API auth flows:

  • Standalone service
  • Service with internal user context
  • Service with external user context
  • Service with service account mapping

Summary of behaviors

The following table summarizes these behaviors.

  Cloud API auth flow                    OAuth flow
  Internal user                          Authorization code flow
  External user                          Authorization code flow
  Standalone service                     Client credential flow
  Service with internal user context     Client credential flow
  Service with external user context     Client credential flow
  Service with service account mapping   Client credential flow

For a summary of all the issues to consider in a single table, see Summary of the issues to consider.