• Public clients (browser or mobile): the flow runs through the browser and the token is returned to it. Historically the Implicit Grant flow; today the Authorization Code flow with PKCE.
  • Private/Confidential clients (backend OAuth flows): Authorization Code flow with client authentication, and Client Credentials flow for machine-to-machine access.
 Public and confidential clients use different authorization flows. Public clients were originally served by the implicit grant flow; current guidance (the OAuth 2.0 Security Best Current Practice, RFC 9700, and the OAuth 2.1 draft) retires implicit and has public clients use the authorization code flow with PKCE. Confidential clients use the authorization code flow (also with PKCE) and, when no end user is involved, the client credentials flow.
Here's a more detailed breakdown:

1. Client Types:
  • Public Clients:
    • Applications that run in a browser or on a mobile device.
    • Cannot securely store a client secret, because the code and its storage are in the user's hands (the client ID is public by design; only the client secret needs protecting), so the authorization server cannot authenticate them.
    • Examples: Single-page applications (SPAs), mobile apps.
  • Confidential Clients:
    • Applications that can securely store client secrets.
    • Examples: Web applications running on a server. 
2. OAuth Flows:
  • Public Client Flows:
    • Implicit Flow: Historically used for public clients; the access token is returned directly in the fragment of the redirect URL, where it is exposed to browser history, referrer leakage and any script on the page, and there is no client authentication or sender constraint. Deprecated by the OAuth 2.0 Security BCP and removed in OAuth 2.1. 
    • PKCE (Proof Key for Code Exchange, RFC 7636): An extension to the Authorization Code flow in which the client sends a hash (code_challenge) of a one-time random secret with the authorization request and the secret itself (code_verifier) with the token request, so an attacker who intercepts the authorization code cannot redeem it without the verifier. Designed for public clients; now recommended for all clients. 
  • Confidential Client Flows:
    • Authorization Code Flow: The client exchanges a short-lived, single-use authorization code for an access token over a back channel, authenticating with its client secret, so tokens never pass through the browser. The recommended flow for confidential clients (with PKCE added as defence in depth). 
    • Client Credentials Flow: Used for server-to-server (machine-to-machine) communication with no end user involved; the client authenticates with its own credentials to obtain an access token that represents the client itself, not a user. 
    • Resource Owner Password Credentials Flow: Not recommended and removed in OAuth 2.1. The client collects the user's password directly, which exposes the credential to the client, defeats the point of delegated authorization, and prevents MFA and other authorization-server-side controls.
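The following is an added example, not code from the original page or from any OAuth library: it walks through the Authorization Code flow with PKCE for a public client, with both sides simulated in one process. The authorization server is an in-memory stand-in, and the endpoint URL, client_id and redirect_uri are made-up values. The second demo shows the property PKCE adds: an attacker who has stolen the authorization code from the redirect but does not hold the code_verifier cannot redeem it.

```python
import base64
import hashlib
import secrets
import urllib.parse

# Hypothetical values for the example; real deployments use their own.
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "spa-demo"                        # public: the client ID is not a secret
REDIRECT_URI = "https://app.example/callback"


# --- Public client side (SPA / mobile app): no client secret available ---

def make_code_verifier(nbytes: int = 32) -> str:
    """RFC 7636 code_verifier: random, 43-128 unreserved chars (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(verifier: str, state: str) -> str:
    """Front-channel request: only the hash of the verifier leaves the client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,                       # CSRF binding for the callback
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urllib.parse.urlencode(params)}"


# --- Authorization server side (simulated, in-memory) ---

class AuthorizationServer:
    def __init__(self) -> None:
        self._codes: dict[str, tuple[str, str, str]] = {}   # code -> (client_id, redirect_uri, challenge)

    def authorize(self, url: str) -> str:
        """Handle the authorization request (user consent is assumed) and issue a code."""
        p = dict(urllib.parse.parse_qsl(urllib.parse.urlsplit(url).query))
        if p.get("response_type") != "code" or p.get("code_challenge_method") != "S256":
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (p["client_id"], p["redirect_uri"], p["code_challenge"])
        return code                                   # returned via the redirect_uri

    def token(self, code: str, client_id: str, redirect_uri: str, code_verifier: str) -> dict:
        """Back-channel token request: code is single-use and bound to the verifier."""
        entry = self._codes.pop(code, None)           # pop: a replayed code fails
        if entry is None:
            raise PermissionError("invalid_grant")
        stored_client, stored_redirect, stored_challenge = entry
        if client_id != stored_client or redirect_uri != stored_redirect:
            raise PermissionError("invalid_grant")
        if not secrets.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            raise PermissionError("invalid_grant")    # verifier does not match challenge
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "expires_in": 3600}


# --- Demos ---

def demo_public_client_flow() -> dict:
    """Legitimate client: holds the verifier, so the code exchange succeeds."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(build_authorization_url(verifier, state=secrets.token_urlsafe(16)))
    return server.token(code, CLIENT_ID, REDIRECT_URI, verifier)


def demo_stolen_code_fails() -> bool:
    """Attacker observed the code in the redirect but never saw the verifier."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(build_authorization_url(verifier, state=secrets.token_urlsafe(16)))
    try:
        server.token(code, CLIENT_ID, REDIRECT_URI, make_code_verifier())  # wrong verifier
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    print("legitimate exchange:", demo_public_client_flow()["token_type"])
    print("stolen code rejected:", demo_stolen_code_fails())
```

Two details carry the security argument: the server compares the S256 hash of the presented verifier with the challenge it stored at authorization time (never the raw verifier, which it has never seen), and it pops the code so a replay of a genuine exchange also fails. A confidential client would additionally authenticate on the token request; the verifier check stays the same.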