Quiz Entry - updated: 2026.07.14
What OAuth flows exist and which ones are recommended?
Use Authorization Code + PKCE for essentially all apps (web, mobile, SPA); the Implicit and Password flows are deprecated as insecure, and Device Code/Refresh Token cover their niche cases.
* OAuth 2.0 Authorization-Code flow with PKCE — the code_verifier/challenge binds the token exchange to the original client. *
| Flow | Status | Use Case |
|---|---|---|
| Implicit | Discontinued | Was for SPAs, insecure |
| Password | Discontinued | Direct password exchange, insecure |
| Authorization Code (no PKCE) | Legacy | Server-side apps only |
| Authorization Code + PKCE | ✓ Recommended | All apps (web, mobile, SPA) |
| Device Code | ✓ OK | Smart TVs, CLI tools |
| Refresh Token | ✓ OK | Renewing access tokens |
Authorization Code Flow with PKCE:
- App generates
code_verifier(random string) andcode_challenge(hash) - User redirects to auth server WITH
code_challenge - User logs in, auth server issues
authorization_code - App exchanges code +
code_verifierfor tokens - Auth server verifies challenge matches verifier
- App receives access token
Why PKCE? Prevents authorization code interception attacks, especially on mobile/SPA where client secrets can't be kept secure.
Go deeper:
RFC 7636 — Proof Key for Code Exchange (PKCE) — the spec behind Authorization Code + PKCE; the code-verifier/challenge that defeats code interception.