Which flow should you use?
Environment: cloud
The following table is meant to assist you in determining which OAuth/OpenID Connect flow is best suited for your application type.
Caution
We recommend that all interactive applications use the Authorization Code flow with PKCE where appropriate. The Implicit and Hybrid flows are deprecated: they are not secure enough and should be avoided at all costs.
Authentication scenarios for various app types
App type | Native/mobile app | Single-page app (SPA) | Regular web app | Non-interactive backend / API |
---|---|---|---|---|
User context | Interactive | Interactive | Interactive | Non-interactive |
Environment | Runs on device or OS | Runs in browser | Runs on server | Runs on server |
Flow | Native app flow | Implicit flow | Authorization Code flow, with or without PKCE | SuperOffice system user flow |
Typical stack | OS-specific | JavaScript | .NET, PHP | Web service, Windows service |
App identifiers (keys) | client ID | client ID | client ID, client secret | client ID, client secret |
Response tokens | ID token, access token, (refresh token) | ID token, (access token) | ID token, access token, (refresh token) | system user token, system user ticket |
This overview has been simplified for the clarity of the presentation.
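The table shows that native and single-page apps hold only a client ID and no client secret, which is exactly why the Caution above recommends the Authorization Code flow with PKCE (RFC 7636) for them: the proof key replaces the secret the public client cannot keep. The example below is added here and is not code from the SuperOffice documentation; it shows both halves of PKCE, the client generating a `code_verifier` and sending only the derived `code_challenge` in the authorization request, and the token endpoint verifying the verifier when the code is redeemed. The `AUTHORIZE_ENDPOINT`, client ID and redirect URI are hypothetical placeholders.

```python
"""PKCE (RFC 7636) helpers: what the Authorization Code flow adds for public clients.

Added example, not part of the SuperOffice documentation. The endpoint below is a
hypothetical placeholder; substitute your identity provider's authorization endpoint.
"""
import base64
import hashlib
import hmac
import re
import secrets
from urllib.parse import urlencode

# Hypothetical endpoint (placeholder, not a real SuperOffice URL).
AUTHORIZE_ENDPOINT = "https://idp.example.invalid/oauth/authorize"

# RFC 7636 section 4.1: 43..128 characters drawn from the unreserved set [A-Za-z0-9-._~].
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def make_code_verifier(length: int = 64) -> str:
    """Client side: a high-entropy verifier kept in memory for the lifetime of one login."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43..128 characters (RFC 7636)")
    # secrets.token_urlsafe emits only [A-Za-z0-9-_], a subset of the unreserved set;
    # 96 random bytes encode to 128 characters, which we cut down to the requested length.
    return secrets.token_urlsafe(96)[:length]


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Client side: the authorization request carries the challenge, never the verifier.

    An attacker who intercepts the authorization code (for example via a registered
    custom URL scheme on a device) still lacks the verifier needed to redeem it.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Server side, at the token endpoint: the challenge stored with the issued code must
    match the verifier presented alongside that code, binding both requests to one client."""
    if not VERIFIER_RE.fullmatch(presented_verifier):
        return False
    if stored_method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif stored_method == "plain":
        # Permitted by the RFC only when S256 is impossible; offers no protection against
        # an observer of the authorization request. Prefer rejecting it outright.
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorize_url("demo-client-id", "https://app.example.invalid/callback",
                              secrets.token_urlsafe(16), verifier)
    print(url)
    # Later, at the token endpoint, the server checks the verifier against the stored challenge:
    print(verify_pkce(code_challenge_s256(verifier), "S256", verifier))
```

The server must persist `code_challenge` and `code_challenge_method` together with the authorization code it issues, and reject the token request if the verifier is missing or fails `verify_pkce`; a deployment that accepts codes without PKCE for public clients gains nothing from the client sending a challenge.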