Togo ID supports the following authentication methods:
The Authorization Code Flow is intended for clients that can securely maintain a client secret between themselves and the authorization server, whereas the Implicit Flow is intended for clients that cannot.
The Hybrid Flow combines aspects of the Authorization Code Flow and the Implicit Flow. It enables clients to obtain an ID Token, and optionally an Access Token, with only one round trip to the authorization server.
Access User Resource
Requires Secret Key (Server-side)
The authorization code flow is suitable for long-running applications, such as mobile apps, in which the user grants permission only once. It provides an access token that can be refreshed. Since the token exchange involves sending your secret key, perform it in a secure location, such as a backend service, and not from a client such as a browser or a mobile app.
If you are building single-page applications (SPAs) or websites that have no back-end logic on the web server, then the Implicit flow is the recommended method for controlling access between your application and a resource server. Since the SPA is a public client, it is unable to securely store a client secret.
The Hybrid flow is an OpenID Connect (OIDC) grant that enables use cases where your application can immediately use an ID token to access information about the user while also obtaining an authorization code that can be exchanged for an Access Token, thereby gaining access to protected resources for an extended period of time.
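Because the Hybrid flow delivers the ID token and the authorization code together, the client should confirm the two belong to each other before the backend exchanges the code. The following is an added example, not Togo ID's own code: it applies the `c_hash` check defined in OpenID Connect Core, which this page does not describe, and assumes the ID token is signed with RS256 and that its signature has already been verified. The function names and all sample values are constructed for illustration.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs

# The hash used for c_hash follows the ID token's "alg" header (OIDC Core 3.3.2.11).
_HASH_FOR_ALG = {"RS256": hashlib.sha256, "ES256": hashlib.sha256,
                 "RS384": hashlib.sha384, "RS512": hashlib.sha512}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def c_hash(code: str, alg: str) -> str:
    """Left-most half of the hash of the code, base64url-encoded without padding."""
    digest = _HASH_FOR_ALG[alg](code.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])

def check_hybrid_response(fragment: str, expected_state: str, expected_nonce: str) -> str:
    """Return the authorization code if it is bound to the ID token, else raise ValueError.
    Assumption: the ID token signature was already verified with a JOSE library."""
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if "code" not in params or "id_token" not in params:
        raise ValueError("hybrid response must carry both code and id_token")
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    header_b64, payload_b64, _sig = params["id_token"].split(".")
    header, claims = _b64url_json(header_b64), _b64url_json(payload_b64)
    if header.get("alg") not in _HASH_FOR_ALG:  # also rejects "none"
        raise ValueError("unsupported alg")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if claims.get("c_hash") != c_hash(params["code"], header["alg"]):
        raise ValueError("code is not bound to this ID token")
    return params["code"]

def make_sample_fragment(code: str, token_code: str) -> str:
    """Constructed sample response; the token's c_hash covers token_code."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    claims = _b64url(json.dumps({"nonce": "n-1", "c_hash": c_hash(token_code, "RS256")}).encode())
    return f"code={code}&state=s-1&id_token={header}.{claims}.c2ln"
```

Only a code returned by `check_hybrid_response` should be passed to the server-side token exchange, where the secret key is used.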