https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
This is the flow defined in RFC 6749, 6. Refreshing an Access Token. A client application (a) presents a refresh token to a token endpoint and (b) gets a new access token.
https://software-factotum.medium.com/pkce-public-clients-and-refresh-token-d1faa4ef6965
https://www.youtube.com/watch?v=jcKDsQfBgYY
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
https://www.youtube.com/watch?v=CGMiOHrOAYQ
This is the flow defined in RFC 6749, 4.3. Resource Owner Password Credentials Grant. A client application (a) makes a token request to a token endpoint and (b) gets an access token. In this flow, a client application accepts a user's ID and password although the primary purpose of OAuth 2.0 is to give limited permissions to a client application WITHOUT revealing the user's credentials to the client application.
Why do we need PKCE ? https://www.youtube.com/watch?v=_zWovo2zv6k
More Details : https://oauth.com/oauth2-servers/pkce/authorization-request/
Note : the malicious App and Legimate App both live in the same environment
https://www.authlete.com/developers/pkce/#2-pkce-authorization-request
[A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~" and a min of 45 and max of 128 chars
https://darutk.medium.com/diagrams-and-movies-of-all-the-oauth-2-0-flows-194f3c3ade85
https://datatracker.ietf.org/doc/html/rfc6749#section-4.2
https://www.youtube.com/watch?v=fX5U50VGxtg
This is the flow defined in "RFC 6749, 4.2. Implicit Grant". A client application (a) makes an authorization request to an authorization endpoint and (b) gets an access token directly from the authorization endpoint.
In summary difference between "Implicit Grant Flow" & "Authorization Grant flow" is in "implicit grant flow" "access token" directly without client authorization
Because implicit grant flow is for clients that are implemented entirely using javascript and are running in resource owner's browser. You do not need any server side code to use this flow. Then, if everything happens in resource owner's browser it makes no sense to issue auth code & client secret anymore, because token & client secret will still be shared with resource owner. Including auth code & client secret just makes the flow more complex without adding any more real security.
So the answer on "what has been gained?" is "simplicity".
\
OAuth2 = Open Authorization 2.0 (delegated authorization framework)
https://www.youtube.com/watch?v=7D-OU4hZW70
GET {Authorization Endpoint}?response_type=code // - Required&client_id={Client ID} // - Required&redirect_uri={Redirect URI} // - Conditionally required&scope={Scopes} // - Optional&state={Arbitrary String} // - Recommended&code_challenge={Challenge} // - Optional&code_challenge_method={Method} // - OptionalHTTP/1.1HOST: {Authorization Server}
HTTP/1.1 302 FoundLocation: {Redirect URI}?code={Authorization Code} // - Always included&state={Arbitrary String} // - Included if the authorization// request included 'state'.
POST {Token Endpoint} HTTP/1.1Host: {Authorization Server}Content-Type: application/x-www-form-urlencodedgrant_type=authorization_code // - Required&code={Authorization Code} // - Required&redirect_uri={Redirect URI} // - Required if the authorization// request included 'redirect_uri'.&code_verifier={Verifier} // - Required if the authorization// request included// 'code_challenge'.
HTTP/1.1 200 OKContent-Type: application/json;charset=UTF-8Cache-Control: no-storePragma: no-cache{"access_token": "{Access Token}", // - Always included"token_type": "{Token Type}", // - Always included"expires_in": {Lifetime In Seconds}, // - Optional"refresh_token": "{Refresh Token}", // - Optional"scope": "{Scopes}" // - Mandatory if the granted// scopes differ from the// requested ones.}