Choosing the right OAuth2 grants


I'm building a REST API using Symfony2 (FOSRestBundle and FOSOAuthServerBundle) and I'm unsure which grant type to use for this service.

I will have other developers register as users. I was looking at GitHub, and for each user they have a section called 'applications' in their settings which allows adding an application and it gives back client_id and client_secret. But AFAIK GitHub uses the authorization grant type which means you're sent to GitHub to accept and then redirected back to your application with the auth code (does the auth code live forever or what?). I'm not sure if this is what I'm looking for.

What I want is a way to allow developers to consume my API with me knowing who is accessing (FOSUserBundle integrates pretty well here) and what they are allowed to do.

Also, I'll have my own browser-based application, Angular.js probably, which is the main website where developers can register. It will make API calls to present data for whichever dev logs in. I could use a Node.js backend (need it for some other stuff) so the actual calls are made from there instead, as it seems browser-only applications aren't really safe. I was thinking of using the client credentials grant type from the Node.js backend.

And last, I'll have my own mobile app interacting with the API. Since it's a trusted service it should use Resource owner credentials grant, right?


I'm not sure I understand what you ask for here. As I understand it your developers will have an account on which they will have to log in in order to use your API. In this case Client Credentials does not seem appropriate, since it would not identify a developer but a client. A client does not represent a user, it represents "an application that accesses your API" (i.e. in your case you would have one client for your mobile app and one client for your Angular website). I would use a password grant type, that does not redirect you to an external service.

When I had to implement an OAuth2 authentication for my API, I found this article very helpful; it is based on a Symfony2 example but most of the explanations apply everywhere.
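To make the distinction in the answer concrete, here is an added toy token endpoint (example code written for this page, not FOSOAuthServerBundle's implementation) that issues tokens for the two grants discussed and shows what a resource endpoint can learn from each: a client_credentials token identifies only the application, a password token also identifies the developer. The client ids, secrets, user and passwords are constructed sample values.

```python
import hmac
import secrets

# Constructed sample registrations (not real credentials): one confidential
# client per application, as the answer suggests, plus one developer account.
# Passwords are kept in plaintext only for brevity; a real server stores hashes.
CLIENTS = {
    "mobile-app": {"secret": "mobile-secret", "grants": {"password"}},
    "node-backend": {"secret": "node-secret", "grants": {"client_credentials"}},
}
USERS = {"alice": {"password": "alice-pw"}}
TOKENS = {}  # access_token -> {"client": client_id, "user": username or None}


def token_endpoint(form):
    """Minimal /oauth/v2/token handling for the client_credentials and password grants."""
    client = CLIENTS.get(form.get("client_id"))
    if client is None or not hmac.compare_digest(client["secret"], form.get("client_secret", "")):
        return {"error": "invalid_client"}
    grant = form.get("grant_type")
    if grant not in client["grants"]:
        return {"error": "unauthorized_client"}  # each client is allowed only the grant it was registered for
    if grant == "client_credentials":
        user = None  # the token represents the application, not a developer
    elif grant == "password":
        record = USERS.get(form.get("username"))
        if record is None or not hmac.compare_digest(record["password"], form.get("password", "")):
            return {"error": "invalid_grant"}
        user = form["username"]  # the token is bound to the resource owner
    else:
        return {"error": "unsupported_grant_type"}
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {"client": form["client_id"], "user": user}
    return {"access_token": token, "token_type": "bearer"}


def who_is_calling(bearer_token):
    """What the resource server can learn from a token: the client always, the user only for the password grant."""
    info = TOKENS.get(bearer_token)
    if info is None:
        return None
    return {"client": info["client"], "user": info["user"]}


def get_my_projects(bearer_token):
    """Resource endpoint that needs a resource owner; returns (status, body)."""
    info = TOKENS.get(bearer_token)
    if info is None:
        return 401, None
    if info["user"] is None:
        return 403, None  # a client_credentials token identifies no developer, so "my projects" is meaningless
    return 200, f"projects of {info['user']}"
```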