Can someone please explain how Authorization code flow is more secured than implicit flow?
At the end access token is sent back to the browser
with the code flow you receive a token in the redirect url and then by calling /token you get the access token back which will end up in the browser in a sessionstorage.
The same thing in the implicit flow you will directly request the token which will end up also in the browser.
How is this different?