Guidance on which grant / flow to use for OpenID Connect

Many people seem to ask for guidance on which grant / flow to use in OpenID Connect.

Here is my straw-man answer.

Conditions / Requirement                                                 | code grant | implicit grant | hybrid grant
-------------------------------------------------------------------------+------------+----------------+-------------
Server is not directly reachable from the client (no back channel)       |            |       x        |
Want fewer round trips                                                   |            |       x        |      x
Do not want to reveal tokens on the front channel (for better security)  |     x      |                |   (some)
Want client authentication                                               |     x      |                |      x
Want refresh token                                                       |     x      |                |      x
Slow front channel, fast back channel                                    |     x      |                |      x

x: the grant satisfies the requirement; (some): partly. The hybrid grant still returns an ID token (and optionally an access token) through the browser, but it can keep the access token on the back channel, and the c_hash / at_hash claims in the ID token bind whatever did come through the front channel to that ID token.
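As an added example (my own illustration, not code from the original post or from any OIDC library), the following Python drives each of the three flows against a mock OP and reports what lands on the front channel, then shows the c_hash / at_hash check in the ID token that is the reason the hybrid column only gets a "(some)". The issuer, client_id, redirect URI and client secret are constructed, the ID token is signed with HS256 keyed by the client secret purely to keep the example self-contained (a real OP would normally use RS256), and the back-channel token request is only built, not sent.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed for this example: not real endpoints or credentials.
OP = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
REDIRECT_URI = "https://rp.example.com/cb"
CLIENT_SECRET = b"constructed-client-secret"  # also the HS256 key for the sample ID token

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def half_hash(value):
    # c_hash / at_hash (OIDC Core): base64url of the left-most half of SHA-256 over the ASCII value.
    return b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])

def sign_hs256(claims):
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

# RP side: the authorization request.
def build_authz_request(response_type, state, nonce):
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    if "id_token" in response_type.split():  # nonce is required when the authz endpoint returns an ID token
        params["nonce"] = nonce
    return f"{OP}/authorize?{urlencode(params)}"

# OP side: a mock authorization endpoint that issues the redirect for the requested flow.
def op_redirect(authz_url):
    req = {k: v[0] for k, v in parse_qs(urlparse(authz_url).query).items()}
    rt = set(req["response_type"].split())
    out = {"state": req["state"]}
    code = b64url(secrets.token_bytes(16)) if "code" in rt else None
    token = b64url(secrets.token_bytes(16)) if "token" in rt else None
    out.update({k: v for k, v in [("code", code), ("access_token", token)] if v})
    if "id_token" in rt:
        claims = {"iss": OP, "sub": "alice", "aud": CLIENT_ID, "nonce": req["nonce"]}
        if code:
            claims["c_hash"] = half_hash(code)    # binds the code to this ID token (hybrid)
        if token:
            claims["at_hash"] = half_hash(token)  # binds the access token (implicit / hybrid)
        out["id_token"] = sign_hs256(claims)
    # response_type=code defaults to response_mode=query; anything carrying a token or ID token uses the fragment.
    sep = "?" if rt == {"code"} else "#"
    return f"{req['redirect_uri']}{sep}{urlencode(out)}"

# RP side: everything that travelled through the browser redirect, by location.
def front_channel(callback_url):
    u = urlparse(callback_url)
    return {"query": {k: v[0] for k, v in parse_qs(u.query).items()},
            "fragment": {k: v[0] for k, v in parse_qs(u.fragment).items()}}

def verify_id_token(id_token, nonce, code=None, access_token=None):
    head, body, sig = id_token.split(".")
    expected = hmac.new(CLIENT_SECRET, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad ID token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if (claims.get("iss"), claims.get("aud"), claims.get("nonce")) != (OP, CLIENT_ID, nonce):
        raise ValueError("iss / aud / nonce mismatch")
    if code is not None and claims.get("c_hash") != half_hash(code):
        raise ValueError("c_hash does not match the code delivered with this ID token")
    if access_token is not None and claims.get("at_hash") != half_hash(access_token):
        raise ValueError("at_hash does not match the access token delivered with this ID token")
    return claims

def token_request(code):
    # Back-channel request (code and hybrid only; built, not sent): here the client authenticates
    # (client_secret_basic) and here a refresh token can be issued.
    basic = base64.b64encode(CLIENT_ID.encode() + b":" + CLIENT_SECRET).decode("ascii")
    return {"url": f"{OP}/token",
            "headers": {"Authorization": f"Basic {basic}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "authorization_code", "code": code,
                               "redirect_uri": REDIRECT_URI})}

def run_flow(response_type):
    state, nonce = b64url(secrets.token_bytes(8)), b64url(secrets.token_bytes(8))
    seen = front_channel(op_redirect(build_authz_request(response_type, state, nonce)))
    parts = {**seen["query"], **seen["fragment"]}
    if parts.get("state") != state:
        raise ValueError("state mismatch")
    if "id_token" in parts:
        verify_id_token(parts["id_token"], nonce, parts.get("code"), parts.get("access_token"))
    result = {"front_channel": sorted(k for k in parts if k in ("code", "access_token", "id_token")),
              "uses_token_endpoint": "code" in parts}
    if "code" in parts:
        result["token_request"] = token_request(parts["code"])
    return result
```

Calling run_flow("code"), run_flow("id_token token") and run_flow("code id_token") shows the table's rows in motion: the code grant exposes only the code, and in the query string; implicit puts both the access token and the ID token in the fragment and never touches the token endpoint, so there is no client authentication and no refresh token; hybrid exposes the code and the ID token but keeps the access token on the back channel, and verify_id_token rejects the response if the code beside the ID token is not the one named by c_hash.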
