Tags: reactjs, oauth-2.0, microservices

When should the authorization code flow be used?


Following is from Getting Started with OAuth 2.0 book.

When Should the Authorization Code Flow Be Used? The Authorization Code flow should be used when

  • Long-lived access is required.
  • The OAuth client is a web application server.
  • Accountability for API calls is very important and the OAuth token shouldn’t be leaked to the browser, where the user may have access to it.

I'm working on a ReactJS frontend and multiple microservices as the backend, and we are using the authorization code flow. We:

  • Generate the state for the authorization request in the frontend
  • Once the access token is exchanged for an authorization code, we send that to the frontend
  • Refreshing the access token is done in the frontend
  • The frontend calls individual microservices through the service gateway service using the token

Is this not the way to use authorization code flow? What would be the method of accessing different microservices from frontend without exposing the access token?


Solution

  • What you are doing seems pretty standard for implementing an authorization code flow for a JavaScript app - similar to my messages blog post. Consider using a library to simplify the logic.

    WEB BEST PRACTICES

    Also be aware of the Best Practices for Browser Based Apps. This provides ways to avoid exposing access tokens to JavaScript, and to use only the latest secure HTTP-only cookies instead. See section 6.2 on a backend-for-frontend proxy.

    OAUTH 2.1

    OAuth 2.0 was released in 2012, which is the year your book was released. Much of the book will still be relevant, but there have been some best practice updates since 2012.

    These are informally described as OAuth 2.1, and there are some online summaries on it, e.g. this article is pretty good I think.

    CODE FLOW

    These days, always use the code flow to login users in web and mobile apps, since it is the most vetted security solution. To be up to date, use response_type=code, which prevents tokens from being revealed in browser URLs. Also use PKCE. Also aim to use a client credential.