How is the authorization code flow more secure?

Can someone please explain how the authorization code flow is more secure than the implicit flow?

At the end, the access token is sent back to the browser.

With the code flow you receive a token in the redirect URL, and then, by calling /token, you get the access token back, which ends up in the browser in sessionStorage.
The same with the implicit flow: you directly request the token, which will also end up in the browser.

How is this different?


I guess the authorization code flow assumes that you will be calling the /token endpoint, which requires authentication with client_id/client_secret as an additional security measure. Also, your backend doesn't have to give you any access token after it exchanges the code for the token, as the flow was developed with traditional web apps in mind.

For SPAs, the code flow works with PKCE, and the request is sent with XHR, so again there are additional security steps to get your token back compared to implicit.

So the bottom line is, it's not how you store it but how you obtain it, and that it's not saved in your browser's history as part of a URL.

But I'd google more to get maybe a better explanation. Or maybe some seasoned web devs will chime in with a better explanation.