Tags: authentication, oauth-2.0, authorization, asp.net-identity, identity

Is Implicit flow now more popular than authorization code flow?


I started learning about OAuth2 and OpenID and I constantly have some new questions. For many of them I found the answer, but this thing is really bothering me.

I read that implicit flow is used by SPAs and authorization code is used for server-side apps, for security reasons. Today, SPAs are really popular; developers use them whenever they can, especially new developers.

Does this mean that implicit flow is actually more in use than authorization code at this time for developing new apps? Did I understand this correctly?

Also, what if I want high level security and I'm using SPA?


Solution

  • Actually the opposite is true: Implicit is deprecated in favour of Authorization Code flow with PKCE, also for SPAs. In the latter case we're talking about a Public Client as opposed to a Confidential Client that would be applicable for server-side apps. To increase security for these Public Clients, it is advised to use the Proof Key for Code Exchange (PKCE) option when using the Authorization Code flow.

    See e.g. https://pragmaticwebsecurity.com/articles/oauthoidc/from-implicit-to-pkce.html