How to choose a flow, in a nutshell
- Does the web app / SPA have a back end that can hold a client secret? (A server-rendered web app always has one.)
  - Yes: use the authorization code flow (confidential client). Adding PKCE on top costs nothing and is recommended by the OAuth 2.0 Security BCP for every client type.
  - No: use the authorization code flow with PKCE (public client; there is nowhere to keep a secret).
- Is the app a native app?
  - Use the authorization code flow with PKCE, whether or not it has a back end (see the detailed list below).
- Is the client a web app that needs authentication only (sign-in, no API calls)?
  - Historically: implicit flow with response_mode=form_post; the ID token is issued directly by the authorization endpoint and POSTed to the app.
  - Preferred today: authorization code flow with scope=openid, validating the nonce in the returned ID token. The implicit grant is discouraged by the OAuth 2.0 Security BCP because tokens travel through the front channel (URL fragments, browser history, logs).
- Hybrid flow: use it when the app needs to learn who the user is before redeeming the authorization code. The app requests an ID token together with the code (response_type=code id_token). It is called hybrid because it mixes the implicit grant with the authorization code flow; the front-channel ID token must be validated (signature, nonce, and its c_hash against the code) before anything in it is trusted.
How to choose a flow, in detail
- Is the client a web app executing on the server, and authorization and/or authentication is required?
  - Use the authorization code flow. The server holds the client secret and redeems the code on the back channel.
- Is the client a web app executing on the server, and only authentication is required?
  - Implicit flow with response_mode=form_post works (the ID token arrives by POST rather than in a URL fragment), but
  - the authorization code flow is the recommended choice; it costs nothing extra when a back end already exists.
- Is the client an SPA with its own back end, and authorization and/or authentication is required?
  - Use the authorization code flow: the back end redeems the code with the client secret and can keep the tokens out of the browser.
- Is the client an SPA with no back-end server to keep a client secret, and authorization and/or authentication is required?
  - Authorization code flow with PKCE.
- Is the client a native app, and authorization and/or authentication is required?
  - Authorization code flow with PKCE.
  - The authorization is done through an external user agent (the system browser or an in-app browser tab), not an embedded web view, as RFC 8252 describes.
  - Note that for a native app it does not matter whether the app has a back-end server: always use PKCE. The redirect URI is a custom URI scheme (or a claimed https link or loopback address) that launches the native app, and another app on the same device can register the same scheme and receive the authorization code. Only the app that generated the code_verifier can redeem that code, which is what protects against the authorization code interception attack.
- Is the client absolutely trusted with the user's credentials (a first-party, legacy client)?
  - Resource owner password credentials grant, and only as a last resort: it is deprecated by the OAuth 2.0 Security BCP, hands the password to the client, and does not work with MFA or federated sign-in. Plan to migrate it to the authorization code flow with PKCE.
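The authorization code flow with PKCE recommended above for SPAs without a back end and for native apps, modelled end to end as an added example (this is illustration code, not from the original note or any provider's SDK). The client derives code_challenge from a random code_verifier, the authorization server binds the challenge to the code it issues, and the token endpoint refuses to redeem the code unless the presented verifier hashes to that challenge. The endpoint URL, client_id and redirect URI are placeholders, and the AuthorizationServer class is an in-memory stand-in for a real server.

```python
"""Authorization code flow with PKCE (RFC 7636): client side and a model of the AS side."""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 mandates."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """32 random bytes encode to 43 unreserved characters, the RFC 7636 minimum."""
    return b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, nonce: str, code_challenge: str) -> str:
    """Front-channel request. state protects the redirect against CSRF; nonce binds the ID token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{authz_endpoint}?{urlencode(params)}"


class AuthorizationServer:
    """In-memory model of the authorization and token endpoints (placeholder, not a real AS)."""

    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str, str]] = {}

    def issue_code(self, client_id: str, redirect_uri: str, code_challenge: str, method: str) -> str:
        """Authorization endpoint: after login/consent, mint a code bound to the challenge."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' gives no protection against interception")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def redeem_code(self, code: str, client_id: str, redirect_uri: str,
                    code_verifier: str) -> Optional[dict]:
        """Token endpoint: the code is single-use and must come back from the same client and
        redirect_uri, with a verifier that hashes to the challenge stored at issue time."""
        entry = self._codes.pop(code, None)  # pop: any attempt, good or bad, consumes the code
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if bound_client != client_id or bound_redirect != redirect_uri:
            return None
        if not secrets.compare_digest(make_code_challenge(code_verifier), challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


def run_flow() -> dict:
    """Two independent authorization requests: one redeemed by the legitimate app (then replayed),
    one intercepted by another app on the device that holds the code but not the verifier."""
    az = AuthorizationServer()
    client_id, redirect_uri = "native-app", "com.example.app:/callback"  # placeholders

    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    state, nonce = b64url(secrets.token_bytes(16)), b64url(secrets.token_bytes(16))
    url = build_authorize_url("https://as.example/authorize", client_id, redirect_uri,
                              scope="openid profile", state=state, nonce=nonce,
                              code_challenge=challenge)
    code = az.issue_code(client_id, redirect_uri, challenge, "S256")
    legit = az.redeem_code(code, client_id, redirect_uri, verifier)
    replay = az.redeem_code(code, client_id, redirect_uri, verifier)

    # Interception scenario: a second request whose code is hijacked via the custom URI scheme.
    verifier2 = make_code_verifier()
    code2 = az.issue_code(client_id, redirect_uri, make_code_challenge(verifier2), "S256")
    attacker = az.redeem_code(code2, client_id, redirect_uri, make_code_verifier())

    return {
        "authorize_url": url,
        "client_got_token": legit is not None,
        "replay_got_token": replay is not None,
        "attacker_got_token": attacker is not None,
    }


if __name__ == "__main__":
    print(run_flow())
```

The client keeps code_verifier in memory only until the token response arrives and never sends it in the front channel; the server stores only the challenge, so a leaked code or a read-only view of the AS database is not enough to redeem it. Real deployments should also bind the code to an expiry and reject reuse after a successful redemption exactly as modelled here.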