In my company, we have worked on authorization, and I know that there are different types of grants. We have worked on the authorization code, client credentials, and ROPC grant. There are two types of tokens, like the JWT token and internally managed reference tokens. JWT tokens are useful for finding information related to the claim requests. Internally managed reference tokens are useful for dealing with visual data and information. For the clients to fit the user information, they need to do additional work to fit all the user info into the site, which is to define and validate the token issue and provide the request for VPNs. I worked on the key differences between the authorization code and implicit grant. In the authorization code type, you will have the authorization code issued initially to the client, and the client has to exchange it with the authorization server, like using a DAC channel to get the access token. In implicit grants, tokens are issued right away if the application is a single-page application. We can either use the authorization code or an implicit grant.
