My understanding of the difference between OAuth 2.0 implicit and OIDC authorization code flow is that with implicit, the access token is returned in the URL response from the /authorize call, but with auth code flow the access token is retrieved by a subsequent POST to a /token endpoint. The latter is far more secure and it also separates authentication from authorization.
My client-side SPA is being authorized with Auth0 via “code” type. I assume this is authorization code flow; indeed, I have deselected implicit in the control panel so it can’t be implicit! Also, I see a code being transmitted in the call to the /authorization endpoint, and my access token is being retrieved via a POST to the /token endpoint.
So that’s great… but clearly there is a gap in my understanding and I would really love to fill it. How does the above work without me setting a secret key (the code part of auth code flow)?
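The mechanism that lets a public client such as a SPA run the authorization code flow without a client secret is PKCE (RFC 7636): the client commits up front to the SHA-256 hash of a random code_verifier, and at the /token POST it presents the verifier itself, so the authorization server can confirm that the party redeeming the code is the one that started the /authorize request. The following Python simulation is an added example, not Auth0's implementation and not code from the original post; it models both endpoints in-process with a constructed in-memory store, constructed client id and redirect URI, and assumed helper names, and it shows the two checks a server has to make (verifier matches the stored challenge, and the code is single-use).

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory state standing in for the authorization server's
# short-lived code store: code -> what was bound to it at /authorize time.
_pending_codes = {}


def make_code_verifier() -> str:
    # RFC 7636 wants 43..128 unreserved characters; 32 random bytes in
    # unpadded base64url is exactly 43 characters.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))) with no '=' padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def authorize(client_id: str, redirect_uri: str, code_challenge: str,
              code_challenge_method: str = "S256") -> str:
    """Stand-in for GET /authorize?response_type=code&... (assumed simplified API).

    After the user authenticates, the server stores the challenge alongside the
    client id and redirect URI and sends a one-time code back via the redirect.
    No access token is exposed here, which is the difference from the implicit flow.
    """
    if code_challenge_method != "S256":
        raise ValueError("only the S256 challenge method is accepted")
    code = secrets.token_urlsafe(24)
    _pending_codes[code] = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": code_challenge,
    }
    return f"{redirect_uri}?code={code}"


def token(client_id: str, redirect_uri: str, code: str, code_verifier: str):
    """Stand-in for POST /token with grant_type=authorization_code.

    There is no client_secret parameter: the proof of possession is the
    code_verifier. Returns a token dict on success, or None on any failure.
    """
    entry = _pending_codes.pop(code, None)  # pop => the code can only be redeemed once
    if entry is None:
        return None
    if entry["client_id"] != client_id or entry["redirect_uri"] != redirect_uri:
        return None
    # The verifier must hash to the challenge committed at /authorize time.
    if not hmac.compare_digest(make_code_challenge(code_verifier), entry["code_challenge"]):
        return None
    return {
        "access_token": secrets.token_urlsafe(32),  # constructed opaque token
        "token_type": "Bearer",
        "expires_in": 3600,
    }


def code_from_redirect(url: str) -> str:
    # Helper for the client side: pull ?code=... out of the redirect URL.
    return parse_qs(urlparse(url).query)["code"][0]


def run_spa_flow(client_id: str = "spa-client", redirect_uri: str = "https://app.example/callback"):
    """Drives one complete exchange from the SPA's point of view."""
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    redirect = authorize(client_id, redirect_uri, challenge)
    code = code_from_redirect(redirect)
    return token(client_id, redirect_uri, code, verifier)


if __name__ == "__main__":
    print(run_spa_flow())
```

The example deliberately uses a fresh verifier per authorization request and lets the server discard the code on first use; both details matter, because an intercepted code is worthless to anyone who does not also hold the verifier, and a code that could be redeemed twice would reopen the replay problem the flow is meant to close.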