OAuth 2.0 spec defines confidential and public clients. https://tools.ietf.org/html/rfc6749#section-2.1
Here is the prescription according to the OAuth 2.0 spec:
- Confidential client - Web application - Auth code grant flow.
- Public clients - Desktop App, Mobile App, SPA(Single page app) - Implicit flow.
However, AD B2C's prescription, according to Microsoft documentation, is as follows: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-oauth-code
- Confidential client - Web application - OpenID Connect sign-in (built on top of auth code grant)
- Public clients - Desktop App, Mobile App - Auth code grant flow
- Public clients - SPA(Single page app) - Implicit flow
Based on the above, we are clear on web apps and SPAs; no confusion there.
However, for desktop and mobile apps, why is Microsoft suggesting the auth code grant flow instead of the implicit flow (even though they are public clients according to Microsoft documentation as well)?
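To make the difference between the two flows the question compares concrete, here is an added simulation (not code from the question, the OAuth spec, or Microsoft) of a public client running the authorization code grant and the implicit grant against a toy in-memory authorization server. The endpoint URLs, client id and redirect URI are constructed placeholders. It shows what each flow puts on the front channel (the browser redirect): the implicit flow returns the access token itself in the URL fragment, while the code flow returns only a short-lived, single-use code that the client exchanges for the token on a direct back-channel request to the token endpoint.

```python
"""Constructed simulation of the OAuth 2.0 authorization code and implicit flows."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; there is no real authorization server behind them.
AUTHZ_ENDPOINT = "https://login.example.test/authorize"
REDIRECT_URI = "https://app.example.test/callback"
CLIENT_ID = "desktop-app-public-client"  # public client: no client secret involved


class ToyAuthorizationServer:
    """Minimal in-memory server: issues codes (code flow) or tokens (implicit flow)."""

    def __init__(self):
        self._codes = {}        # code -> (client_id, redirect_uri) it was issued for
        self.issued_tokens = []

    def _new_token(self):
        tok = "at_" + secrets.token_urlsafe(16)
        self.issued_tokens.append(tok)
        return tok

    def authorize(self, request_url):
        """Simulate the user approving the request; return the redirect sent to the client."""
        q = parse_qs(urlparse(request_url).query)
        response_type, client_id = q["response_type"][0], q["client_id"][0]
        redirect_uri, state = q["redirect_uri"][0], q["state"][0]
        if response_type == "code":
            code = secrets.token_urlsafe(16)
            self._codes[code] = (client_id, redirect_uri)
            # Only the code crosses the front channel (RFC 6749 section 4.1.2).
            return redirect_uri + "?" + urlencode({"code": code, "state": state})
        if response_type == "token":
            # Implicit flow: the access token itself rides in the fragment (section 4.2.2).
            frag = {"access_token": self._new_token(), "token_type": "bearer", "state": state}
            return redirect_uri + "#" + urlencode(frag)
        raise ValueError("unsupported_response_type")

    def token(self, form):
        """Back-channel token endpoint (RFC 6749 section 4.1.3); not reachable via a redirect."""
        if form.get("grant_type") != "authorization_code":
            raise ValueError("unsupported_grant_type")
        entry = self._codes.pop(form.get("code"), None)  # pop: a code can be redeemed once
        if entry is None or entry != (form.get("client_id"), form.get("redirect_uri")):
            raise ValueError("invalid_grant")
        return {"access_token": self._new_token(), "token_type": "bearer"}


def run_flow(server, response_type):
    """Run one flow end to end as the client; return the redirect URL, token and code (if any)."""
    state = secrets.token_urlsafe(8)  # CSRF binding of the redirect to this request
    request_url = AUTHZ_ENDPOINT + "?" + urlencode({
        "response_type": response_type, "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "state": state,
    })
    redirect = server.authorize(request_url)
    parsed = urlparse(redirect)
    code = None
    if response_type == "code":
        params = parse_qs(parsed.query)
        if params["state"][0] != state:
            raise ValueError("state mismatch")
        code = params["code"][0]
        # Second leg: exchange the code directly with the token endpoint.
        token = server.token({"grant_type": "authorization_code", "code": code,
                              "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})["access_token"]
    else:
        params = parse_qs(parsed.fragment)  # fragment: only the user agent ever sees it
        if params["state"][0] != state:
            raise ValueError("state mismatch")
        token = params["access_token"][0]
    return {"redirect": redirect, "token": token, "code": code}


def token_visible_in_redirect(result):
    """True if the access token itself appears in the front-channel redirect URL."""
    return result["token"] in result["redirect"]


def code_reusable(server, result):
    """True if the same authorization code can be redeemed a second time."""
    try:
        server.token({"grant_type": "authorization_code", "code": result["code"],
                      "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    for rt in ("code", "token"):
        res = run_flow(srv, rt)
        print(rt, "-> token in redirect URL:", token_visible_in_redirect(res))
```

Running the script prints `False` for the code flow and `True` for the implicit flow; the difference is exactly where the bearer token travels, and a native desktop or mobile app that exchanges a code over a direct connection never has the token pass through the redirect at all.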