@mlukianenko the OAuth2 working group's recent best practices talk about the implicit flow (see OAuth2 Implicit Grant and SPA) mainly because it includes the access token in the URL.
We default to the hybrid flow (which is a perfectly OK flow) if the discovery document indicates that the OIDC provider can handle response_mode=form_post and response_type=id_token. This sends the ID token in a form post instead of through the URL. The advantages of this flow are:
- one less request (no need for an extra server-to-server request, so everything goes through the “front channel”)
- no need for a client secret
In any case, as I said before, even though we default to the front channel, you should be able to change it.
We just deployed a quick fix where, after saving the connection, you should be able to change the type to “back_channel” and get a field to type the token endpoint (click on Show Issuer Details to see the field).
For now you’ll need to read it from the discovery URL, but next week we’ll get it directly from the discovery URL even if we default to front channel, so that you can switch to back channel seamlessly without having to type the token endpoint.
Let me know if that works for you.
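As an added example, not code from the original post or from the product it describes, here is a minimal relying-party side of the front-channel flow discussed above, in Python. It builds the authorization request with response_type=id_token and response_mode=form_post, then handles the POST the browser delivers to the redirect URI, checking state, signature, issuer, audience, expiry and nonce before trusting the ID token. The issuer, authorization endpoint, client ID and redirect URI are placeholders, and the token is minted locally with HS256 and a shared secret so the example runs offline; against a real provider you would verify an RS256 signature against the jwks_uri from the discovery document.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode

# Placeholder values for the example; in practice take issuer and
# authorization_endpoint from the provider's discovery document.
ISSUER = "https://op.example.com/"
AUTHORIZATION_ENDPOINT = "https://op.example.com/authorize"
CLIENT_ID = "my-client-id"
REDIRECT_URI = "https://rp.example.com/callback"
# Assumption: HS256 with a shared secret so the example is self-contained.
# Real providers normally sign with RS256; verify against their JWKS instead.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_session() -> dict:
    """Per-login values the RP stores server-side before redirecting the browser."""
    return {"nonce": secrets.token_urlsafe(16), "state": secrets.token_urlsafe(16)}


def build_auth_request(nonce: str, state: str) -> str:
    """Front-channel request: the ID token comes back in a POST body, not in a URL."""
    params = {
        "response_type": "id_token",
        "response_mode": "form_post",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "nonce": nonce,
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def mint_id_token(nonce: str, now: int) -> str:
    """Stand-in for the provider: mints a constructed HS256 ID token for testing."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Checks the RP must make on an ID token delivered through the front channel."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # The nonce ties the token to the request this browser session started (replay defence).
    if not hmac.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    return claims


def handle_callback(post_body: str, session: dict, now: int) -> dict:
    """Handles the application/x-www-form-urlencoded POST the browser sends to redirect_uri."""
    form = {k: v[0] for k, v in parse_qs(post_body).items()}
    if "error" in form:
        raise ValueError(form["error"])
    if not hmac.compare_digest(form.get("state", ""), session["state"]):
        raise ValueError("state mismatch")
    return validate_id_token(form["id_token"], session["nonce"], now)
```

Because the token arrives in a POST body, it never lands in browser history, referrer headers or server access logs the way a fragment or query parameter can. Switching the same connection to the back channel would mean requesting response_type=code instead and exchanging the code at the token endpoint with the client secret, which is the extra server-to-server request the post refers to.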