Sure. If your security posture is such that you can risk tokens being stolen, then perhaps the tradeoffs of the implicit flow are okay. I don't know what you are building, but the example I always use is a recipe site vs a banking site. If you are building a recipe site where the data being protected by the token is not super valuable, then sure, the implicit flow is okay. If you're building a banking app, please take better care of your tokens and avoid the implicit flow.

> if anyone can gain access to my nextauth server, all tokens will be compromised for all users

This is where running on a PaaS like heroku and an open source library for handling the token exchange can be really helpful. You don't worry as much about the server maintenance issues due to the former, and you can rely on the "wisdom of the crowds" to help you secure the latter.

> With the implicit flow I am no longer responsible for this security

Correct. You are trading off securing the server for securing the client. In general it's harder to secure the client than a server (a bigger attack surface, less in your control), though of course it does depend on your skillset too.

> and can rely on AWS/CDN being secure.

And the browser. Don't forget you're depending on the browser being secure when you use the implicit flow :)