What is the advantage in OAuth2 of the implicit grant over Authorization Code grant

Question

What is the advantage in OAuth2 of the implicit grant over authorization code grant?

Specifically I'm wondering why the implicit grant is recommended for public clients but the authorization code grant is not. They seem so similar that the difference is unimportant.

Answer 1

The benefits of an authorization code step is as follows (from OAuth 2.0 spec 1.3.1):

The authorization code provides a few important security benefits such as the ability to authenticate the client, and the transmission of the access token directly to the client without passing it through the resource owner's user-agent, potentially exposing it to others, including the resource owner.

Generally if your client is server side (Web app) - you should use authorization code grant. If it's a JavaScript based application (client side) - implicit is appropriate. For mobile apps, authorization code grant type is preferred often if an external browser (not embedded) is used.

Client secrets are only appropriate for server side applications, since client side the secret needs to be embedded in software - and thus only secret for so long (could be reverse engineered).