Oath flow 2

Client Credential :  give 3rd party access to API on behalf of itself (service account)

 

authrization code: 

纯前端，可以无Client_Secret, 用PKCE。但是不管怎么操作，token 要存在前端；这是不安全的。所以，一个相应的后端服务。reference: https://docs.duendesoftware.com/identityserver/v6/bff/overview/