LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What OAuth flows exist and which ones are recommended?

Use Authorization Code + PKCE for essentially all apps (web, mobile, SPA); the Implicit and Password flows are deprecated as insecure, and Device Code/Refresh Token cover their niche cases.

OAuth Authorization-Code + PKCE sequence: client sends code_challenge, gets an auth code, exchanges it with the verifier for a token.

* OAuth 2.0 Authorization-Code flow with PKCE — the code_verifier/challenge binds the token exchange to the original client. *

Flow Status Use Case
Implicit Discontinued Was for SPAs, insecure
Password Discontinued Direct password exchange, insecure
Authorization Code (no PKCE) Legacy Server-side apps only
Authorization Code + PKCE ✓ Recommended All apps (web, mobile, SPA)
Device Code ✓ OK Smart TVs, CLI tools
Refresh Token ✓ OK Renewing access tokens

Authorization Code Flow with PKCE:

  1. App generates code_verifier (random string) and code_challenge (hash)
  2. User redirects to auth server WITH code_challenge
  3. User logs in, auth server issues authorization_code
  4. App exchanges code + code_verifier for tokens
  5. Auth server verifies challenge matches verifier
  6. App receives access token

Why PKCE? Prevents authorization code interception attacks, especially on mobile/SPA where client secrets can't be kept secure.

Go deeper:

From Quiz: SPRG / Authorization | Updated: Jul 14, 2026