The article briefly mentions that the Implicit Grant is a less secure and more simplified version of the Authorization Code grant, but then it doesn't elaborate (or it's possible I missed that bit). In an introductory article such as this, I think it's important to explain why it's less secure -- otherwise the Authorization Code grant seems like an unnecessary complication.
The implicit grant returns an access token directly upon authorization being granted. By removing the additional network request, it can make your system vulnerable via manipulation of redirect URLs. If you’re implementing an OAuth 2 server, you can address this by validating the provided redirect URLs, but you should be doing that regardless.
My advice is to just always use the auth code grant with the PKCE extension. TLDR of that extension:
1) client generates a “secret key” that it sends with the authorization request.
2) server associates that key with the authorization code it returns to the authorized client.
3) client must present that key again in order to exchange the authorization code for the access token.
Prevents the authorization code from being intercepted and abused.
Oh, I wasn't clear: I understand the implicit grant and I indeed worked on the implementation of an authorization server in a past job (we validated redirect URLs, indeed!). My point is that OAuth flows are confusing enough for a beginner that it's important to explain why seemingly unnecessary hoops are there. This article doesn't (as far as I can see).
Yeah, I gathered you knew what you were talking about after I had already posted my comment lol. Just left it up in case any others have that question. :D