Imesha Sudasingha
1 min readOct 21, 2022


Hi!

It's not the implicit flow. In the implicit flow (https://oauth.net/2/grant-types/implicit/), the auth server redirects back to the original webapp with the access_token itself (in the URL). In the authorization_code flow, the auth server redirects only with the authorization code. The webapp should then use the authorization code and invoke the /token endpoint of the authorization server to obtain the access_token.

Here, I have used the authorization code flow. And you are correct about "the Authorization Code flow is used on the backend". The authorization code flow is recommended to be used with a backend so that a 3rd party (for example, the web view in mobile apps has this issue) cannot intercept the authorization code. For mobile apps and single page apps which don't have a backend, the recommended flow is authorization code with PKCE (proof key code exchange) (see https://oauth.net/2/pkce/). It additionally uses a proof key which cannot be intercepted/replicated easily by a 3rd party. To keep my article short, I explicitly mentioned that the recommended approach is to use "authorization code with PKCE", but I'm using the authorization code flow. Usually the client libraries/SDKs provided by identity servers have this flow inbuilt.

Hope this explains :-)
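As an added example (not part of the original comment or the article it responds to), the PKCE binding described above modelled in Python: the client derives an S256 challenge from a random verifier, a hypothetical in-memory authorization server ties that challenge to the code it issues, and the /token exchange only succeeds for the party holding the verifier. `AuthServer` and `demo` are illustration-only names.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

def b64url(data: bytes) -> str:
    # RFC 7636 uses base64url encoding without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    # S256 method: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthServer:
    """Hypothetical stand-in for the /authorize and /token endpoints."""
    def __init__(self) -> None:
        self._codes: Dict[str, Tuple[str, str]] = {}  # code -> (challenge, method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        # The challenge arrives on /authorize and is bound to the issued code;
        # only the code travels back in the redirect URL.
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (code_challenge, method)
        return code

    def token(self, code: str, code_verifier: Optional[str]) -> bool:
        # Codes are single-use: consume on any attempt, successful or not
        entry = self._codes.pop(code, None)
        if entry is None or code_verifier is None:
            return False
        challenge, method = entry
        if method != "S256":
            return False  # reject the weak 'plain' method
        # Constant-time comparison of the recomputed challenge
        return secrets.compare_digest(make_challenge(code_verifier), challenge)

def demo() -> Tuple[bool, bool, bool]:
    server = AuthServer()
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    legit = server.token(code, verifier)     # client that holds the verifier
    replay = server.token(code, verifier)    # same code a second time
    code2 = server.authorize(make_challenge(make_verifier()))
    # A party that saw only the redirect (e.g. a web view) must guess the verifier
    intercepted = server.token(code2, make_verifier())
    return legit, replay, intercepted
```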
