What is the OAuth 2.0 Authorization Code Grant Type?

Aaron Parecki

It’s true that the spec allows the authorization code flow without a client secret for clients that were not issued a client secret. This is vulnerable to a few different attacks, so in practice most servers never allowed that from the beginning, instead making the Implicit flow available to public clients (which has its own problems too).

Some time after RFC6749 was published, PKCE was developed as a way to enable the authorization code flow securely without using a client secret. But of course since RFCs don’t get updated, if you’re only reading RFC6749 you may not necessarily find your way to PKCE.

This is one of the motivations for OAuth 2.1, which is to consolidate all the current best practices into a new spec so that this kind of thing doesn’t confuse people.

Peter Cimring

Thanks, Aaron!

One more question, if I might - since you used the word ‘public’ 🙂

I’m trying to characterize the following 4 flows.

Would the following accurately summarize their use cases?

1. Client Credentials - ‘private’, server-to-server
2. Password Credentials - ‘private’, app-to-server (generally not recommended, because the resource owner passes his credentials)
3. Implicit - ‘public’, app-to-server (used when ‘Authorization Code’ is not an option)
4. Authorization Code - ‘private’, app-to-server

Sorry - a bit of an involved question… 🙂

Aaron Parecki

This would be a good summary of RFC6749, but doesn’t reflect the current best practice. Implicit serves no purpose anymore and is being removed, Password is also being removed because it’s dangerous and inflexible, and the authorization code flow is being extended to include PKCE by default. Web apps, mobile apps, and single-page apps should all use authorization code + PKCE now. Take a look at https://oauth.net/2.1/ and https://oauth.net/2/oauth-best-practice/ for some more links and background.
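
As an added example (not code from the original post or from Okta), the Python below does the client-side pieces of the authorization code + PKCE flow Aaron recommends: it derives an RFC 7636 S256 code_verifier/code_challenge pair, builds the authorization request, and parses the redirect back into the app, refusing the response unless the state matches before it hands over the code. The endpoint, client_id and redirect URI values are constructed placeholders, and the verify_pkce check is what the token endpoint would do on its side.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    The client keeps the verifier private until the token request; only the
    challenge travels through the browser in the authorization request."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 chars, within 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """Token-endpoint check: does the presented verifier hash to the challenge
    that was stored alongside the authorization code? Constant-time compare."""
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_authorize_url(authz_endpoint: str, client_id: str, redirect_uri: str,
                        state: str, challenge: str, scope: str = "openid") -> str:
    # Placeholder values for endpoint/client_id/redirect_uri are supplied by the caller.
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{authz_endpoint}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Pull `code` out of the URL the browser lands on after consent, refusing
    the response if the server reported an error or the state does not match."""
    query = parse_qs(urlsplit(redirect_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible CSRF or stale session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carried no authorization code")
    return code
```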

Peter Cimring

Great - thanks!

Farte Razvan

"This post is the first part of a series where we explore frequently used OAuth 2.0 grant types."

Hey Aaron, do you have some sort of link with this series of OAuth articles? I was unable to find a category or a place where I could find them all (like an index/curriculum page with each chapter).

Although I could use the search button and find the other articles (the ones with Implicit Grant Type and Password Grant Type). Are there others?

I think I managed to fulfill my need, but anyways I was curious to ask and maybe my question might be some sort of feedback if you can say that.

Great article!

Cheers!

aaronpk

Thanks! We didn’t have any sort of organization of the blog posts when this was first posted, but we have tags and author pages now! I made a tag for the posts in this series, but it sounds like you already found the others:

https://developer.okta.com/…

You can also find my other posts here:

https://developer.okta.com/…

Farte Razvan

I don’t see the tags anywhere on the side; maybe they’re not shown.

Yeah, I found the others, thank you! Great articles!

Alexander Bocharov

Hey Aaron! Thank you for a great post!
I’m looking into how to make the auth code flow work for IdP-initiated cases (yeah, we need to support SAML POST-initiated authentication which should proceed as an OIDC flow) and I’m kinda struggling with whether it’s possible at all. Almost succeeded by making PKCE optional in the auth server’s configuration, though the need to have a client-initiated state makes the OIDC client fail since it’s not available in the IdP-initiated flow.
Appreciate if anybody reading could give any recommendation around this!

Thibault Daoulas

"If the user approves the request, the authorization server will redirect the browser back to the redirect_uri specified by the application, adding a code and state to the query string."

How do you extract the code from that string to be used in the exchange?

Amir

Thanks, I took a few hours online but still wasn’t sure, but you made it a lot clearer. I guess I wasted my time taking notes. I have a question. When talking about the flow/grant type you have not described the authentication process. I guess the purpose is that OAuth does not care about the identity and assumes that authentication has been completed prior to getting the authorization code to access the resource server. Is my assumption correct? Then I have a 2nd question. Do I have to work with OpenID Connect in order to use OAuth 2?

Selcuk Akyigit

Why am I getting this error when I send a get request?

oauth_problem=parameter_absent&oauth_parameters_absent=oauth_consumer_key%26oauth_signature%26oauth_signature_method%26oauth_nonce%26oauth_timestamp

MR

Why am I not seeing the POST exchanging the authorization code for the id_token in Fiddler? My web app is running on localhost and I can see all other interactions between it and Okta, but there is nothing between the receipt of the code and the final redirection to the sign-in completed page. What am I missing?