Which OAuth 2.0 Flow Should I Use?
Fleeting note. External reference: https://auth0.com/docs/get-started/authentication-and-authorization-flow/which-oauth-2-0-flow-should-i-use
Is the Client the Resource Owner?
The first decision point is whether the party that requires access to resources is a machine. In the machine-to-machine case, the Client is also the Resource Owner, so no end-user authorization is needed.
If the Client is a regular web app executing on a server, use the Authorization Code Flow. With it, the Client can retrieve an Access Token and, optionally, a Refresh Token.
Is the Client absolutely trusted with user credentials?
This decision point may result in the Resource Owner Password Credentials Grant.
If the Client is a Single-Page App (SPA), an application running in a browser using a scripting language like JavaScript, there are two grant options: the Authorization Code Flow with Proof Key for Code Exchange (PKCE) and the Implicit Flow with Form Post. For most cases, we recommend using the Authorization Code Flow with PKCE because the Access Token is not exposed on the client side, and this flow can return Refresh Tokens.
If the Application is a native app, then use the Authorization Code Flow with Proof Key for Code Exchange (PKCE).