Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?

With the “Implicit” flow the client (likely a browser) will get an access token after the Resource Owner (i.e. the user) gave access.

With the “Authorization Code” flow, however, the client (usually a web server) only gets an authorization code after the Resource Owner (i.e. the user) gave access. With that authorization code the client then makes another call to the API, passing client_id and client_secret together with the authorization code, to obtain the access token. All well described here.

Both flows have the exact same result: an access token. However, the “Implicit” flow is much simpler.

The question: Why bother with the “Authorization Code” flow when the “Implicit” flow seems to be fine? Why not also use “Implicit” for web servers?

It’s more work both for the provider and the client.
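The code-exchange step the question describes, as an added example that is not part of the original post: a constructed in-memory model of an authorization server (hypothetical client id "webapp", secret and redirect URI are made-up values, not a real OAuth2 library) showing what the token endpoint checks when the web server redeems the code with client_id and client_secret.

```python
import secrets
import hmac

# Constructed registration table for the example (not real credentials).
CLIENTS = {
    "webapp": {"secret": "s3cr3t-example", "redirect_uri": "https://app.example/cb"},
}


class AuthServer:
    """Minimal model of the two steps of the Authorization Code flow."""

    def __init__(self):
        self._codes = {}  # code -> (client_id, redirect_uri, user)

    def authorize(self, client_id, redirect_uri, user):
        """Step 1: after the resource owner consents, issue a one-time code.
        Only the code reaches the browser; it is bound to client and redirect URI."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (client_id, redirect_uri, user)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Step 2: back-channel call from the web server. The code alone is not
        enough: the client must present its secret, the code must match the
        client and redirect URI it was issued for, and it is consumed on use."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)  # single use: a replay fails below
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32),
                "token_type": "Bearer", "user": entry[2]}


def demo():
    """Happy path, then a replayed code and a wrong client secret."""
    srv = AuthServer()
    uri = "https://app.example/cb"
    code = srv.authorize("webapp", uri, "alice")
    ok = srv.token("webapp", "s3cr3t-example", code, uri)
    replay = srv.token("webapp", "s3cr3t-example", code, uri)
    code2 = srv.authorize("webapp", uri, "alice")
    wrong_secret = srv.token("webapp", "guess", code2, uri)
    return ok, replay, wrong_secret
```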

8 Answers