OAuth2 is for Authorization (What can you do?); OIDC is for Authentication (Who are you?). For microservices, you must pick the right Flow for the right client.
Authorization Code Flow with PKCE: the **Gold Standard** for modern Web (React/Angular) and Mobile apps. It ensures that no client secret is ever exposed in the browser, making it significantly more secure than the older 'Implicit Flow', which is now deprecated.
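To show what the PKCE binding in this flow actually does, here is an added Python example (not from the original notes): the client generates a `code_verifier`, sends only its S256 `code_challenge` when requesting authorization, and the token endpoint refuses to redeem the code for anyone who cannot present the matching verifier. The in-memory code store and the `authorize`/`exchange_code` function names are assumptions standing in for a real authorization server.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed in-memory "authorization server" state: each issued code and the
# code_challenge it was bound to. A real server persists this with a short TTL.
_ISSUED_CODES: dict[str, str] = {}


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: random, high-entropy verifier (RFC 7636 section 4.1).
    32 random bytes -> 43 base64url characters, the minimum length allowed."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode()


def make_code_challenge(verifier: str) -> str:
    """Client side: S256 transform, challenge = BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def authorize(code_challenge: str) -> str:
    """Server side (authorization endpoint): issue a one-time code and remember
    the challenge it is bound to. The verifier itself never leaves the client."""
    code = secrets.token_urlsafe(24)
    _ISSUED_CODES[code] = code_challenge
    return code


def exchange_code(code: str, code_verifier: str) -> bool:
    """Server side (token endpoint): the code is redeemable only by the party
    that can present the verifier matching the stored challenge. Constant-time
    compare; the code is consumed whether or not the check succeeds."""
    stored = _ISSUED_CODES.pop(code, None)
    if stored is None:
        return False
    return hmac.compare_digest(stored, make_code_challenge(code_verifier))


def demo() -> tuple[bool, bool]:
    """Honest client succeeds; a party holding only an intercepted code fails."""
    verifier = make_code_verifier()
    code = authorize(make_code_challenge(verifier))
    legit = exchange_code(code, verifier)
    # Second code bound to the same challenge, redeemed with the wrong verifier.
    code2 = authorize(make_code_challenge(verifier))
    intercepted = exchange_code(code2, make_code_verifier())
    return legit, intercepted
```

Because the verifier is generated fresh per request and only its hash crosses the wire, a public client needs no stored secret, which is the reason this flow replaced the Implicit Flow for browser and mobile apps.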
Client Credentials Flow: used for service-to-service communication where there is no 'User' involved. For example, a background 'Invoice Service' calling a 'Tax Service'. The calling service authenticates with its own `ClientId` and `ClientSecret` to get a machine-to-machine (M2M) token.
Don't just use 'Roles'. Use **Claims**.
- Role: `Admin`
- Claim: `CanDeleteOrders`, `SpendingLimit: $500`
Claims are much more flexible and allow you to build complex permission logic without a giant mess of `if(User.IsInRole)` statements.
Q: "What is the purpose of a 'Refresh Token'?"
Architect Answer: "Access tokens should be short-lived (e.g., 15 minutes) for security. If an access token is stolen, the attacker only has a small window. A **Refresh Token** is long-lived and stored securely. When the access token expires, the client uses the refresh token to get a new access token without making the user log in again. This provides a balance between high security and a great user experience."