Which flow should you use?
The following table is meant to assist you in determining which OAuth/OpenID Connect flow is best suited for your application type.
We recommend that all interactive applications use the Authorization Code flow with PKCE where appropriate. The Implicit and Hybrid flows are deprecated: they are not secure enough and should be avoided at all costs.
Authentication scenarios for various app types
| App type | Native/mobile app | Single-page app (SPA) | Regular web app | Non-interactive backend / API |
|---|---|---|---|---|
| Environment | Runs on device or OS | Runs in browser | Runs on server | Runs on server |
| Flow | Native app flow | Implicit flow | Authorization Code flow, with or without PKCE | SuperOffice system user flow |
| App identifiers (keys) | client ID | client ID | client ID, client secret | client ID, client secret |
| Response tokens | ID token | | | system user token, system user ticket |
This overview has been simplified for the clarity of the presentation.
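As an added example (not taken from the SuperOffice documentation), this Python snippet shows the PKCE part of the recommended Authorization Code flow: the client keeps a random `code_verifier`, sends only its SHA-256 `code_challenge` in the authorization request, and the authorization server recomputes the challenge at the token endpoint. The authorize endpoint, client ID, redirect URI and scope used below are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code_verifier: 43-128 unreserved chars.
    base64url of 32 random bytes (padding stripped) yields 43 chars."""
    raw = secrets.token_bytes(n_bytes)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method: base64url(SHA-256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, verifier: str) -> str:
    """Client side: the authorization request carries the challenge, never the verifier."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # CSRF protection; bind it to the user session
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def server_verifies(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side, at the token endpoint: the code is only
    exchanged if the verifier presented with it hashes to the stored challenge,
    so an intercepted authorization code is useless without the verifier."""
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Placeholder endpoint and identifiers (constructed for this example).
    verifier = make_code_verifier()
    url = build_authorize_url("https://auth.example.invalid/authorize", "example-client-id",
                              "https://app.example.invalid/callback", "openid",
                              secrets.token_urlsafe(16), verifier)
    print(url)
    print(server_verifies(make_code_challenge(verifier), verifier))  # True
```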