Authorization Code with Implicit for Web Application Authentication

Why we need to select “Authorization Code” and “Implicit” grant type for a Web App authentication which should not require “Implicit” grant type as it is less secure ? Implicit should only be required for SPA’s where back channel communication is not possible?

Thanks,
Vikas

You can uncheck those boxes if you are up to authz_code flow or PKCE

Un-checking boxes do not work.Please refer to following post:

Thanks,
Vikas

As you can see from the explanation, it’s just an issue/limitation of MS OWIN model (https://github.com/oktadeveloper/okta-aspnet-mvc-example/issues/18#issuecomment-374825066) If you’ve decided to go with Java stack for example, it wouldn’t have been an issue.

Ahh! Got it. Are you aware of any other option for ASP.NET app that does not has this limitation?

Appreciate the insights.

Thanks,
Vikas

No insights here :slight_smile: I think I used .net core with authz_code and it worked fine, but it was a while ago