[keycloak-user] keycloak js adapter - authorization code vs implicit flow

petr40@wp.pl petr40 at wp.pl
Fri Sep 28 04:51:20 EDT 2018


Hello!

I don't understand why authorization code is the default mode in the keycloak.js adapter (for SPA JavaScript applications). Should it be implicit flow instead? Is it safe to use this flow for public clients?

I know that 'sending an access token in the URL fragment can be a security vulnerability', but:

- the authorization code is also returned in query params
- CORS needs to be enabled on the server side (to exchange the code for a token via POST)
- we have an extra step
- we can use refresh tokens, but we can also make this work in implicit flow (hidden iframe)

If my arguments are wrong:

- why do we need implicit flow if it is authorization code?
- how does it relate to the OpenID Connect / OAuth specifications?

Thanks!

