We are deploying a new Angular SPA which leverages Keycloak for its SSO
abilities using OIDC. The app is currently designed using Implicit flow to
retrieve short-lived access tokens via the Keycloak JS adapter.
However, recently, I've been seeing some emails in the IETF mailing list (
https://www.ietf.org/mail-archive/web/oauth/current/msg16969.html)
indicating that Auth code should be preferred over implicit flow due to
security issues of having access tokens show up in browser history and/or
log files (if any SSL termination/inspection is in place/etc).
I understand the security concerns with having an AT show up anywhere in a
log file. I do not, however, understand how the Auth Code flow can be
considered as more secure, or why it should be preferred over Implicit
flow. Isn't having the Refresh Token in the browser/SPA a higher security
risk than having a short-lived AT in a log file?
What is the preferred mechanism to use today? Is there a recommended
approach?
Thanks,
Eric