Can I make browser calls using authorization code grant, given that my backend service does the client id <> auth code exchange and auth code <> token exchange so then the browser once authenticated can grab that token from the backend and use it for calls?
I did ask a similar question here, but I wanted to see if the answer is the same even if the backend does the exchange and token generation part.
If I want my browser to make some PureCloud API call, then is the only viable auth strategy to do implicit grant?
If your front end needs to make API requests, it must be authorized using the implicit grant. If your backend needs to make API requests for a user, it must be authorized using the auth code grant. If you must do both, the proper implementation is to implement both flows because the front end and back end are separate apps running in separate environments.
If you must go against best practices, authorize the front end and devise a method of securely transmitting the auth token to the back end. This is a potential security problem because the back end is receiving an auth token from a source it cannot validate, which is why back end services should always implement the auth code grant.
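An added example, not part of the original thread or the platform's own code: it shows how the two grants described in the answer differ on the wire, using the standard OAuth 2.0 `response_type` values (`token` for implicit, `code` for auth code) and checking `state` on the way back. The authorize URL, callback URLs and sample redirects are constructed placeholders.

```javascript
// Added illustration. AUTHORIZE_URL and the sample redirects below are
// constructed placeholders, not values from the thread or the platform docs.
const AUTHORIZE_URL = "https://login.example.com/oauth/authorize";

// Build the authorization request for one grant.
// flow: "implicit" (browser app) or "code" (back-end service).
function buildAuthorizeUrl(flow, clientId, redirectUri, state) {
  const url = new URL(AUTHORIZE_URL);
  url.searchParams.set("response_type", flow === "implicit" ? "token" : "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("state", state); // unpredictable per request, checked on return
  return url.toString();
}

// Interpret the redirect the authorization server sends back to the app.
function parseRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const query = url.searchParams;
  const error = fragment.get("error") || query.get("error");
  if (error) return { ok: false, reason: error };
  const params = fragment.has("access_token") ? fragment : query;
  if (params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }
  if (params === fragment) {
    // Implicit grant: the token is in the URL fragment, which the browser
    // does not send to any server. Only front-end code can read it.
    return { ok: true, flow: "implicit", deliveredVia: "fragment",
             accessToken: fragment.get("access_token") };
  }
  if (query.has("code")) {
    // Auth code grant: the code arrives at the back end in the query string;
    // the back end exchanges it for a token using its own client secret.
    return { ok: true, flow: "code", deliveredVia: "query", code: query.get("code") };
  }
  return { ok: false, reason: "no_credential" };
}

// Constructed sample redirects, one per app.
const SAMPLE_IMPLICIT =
  "https://app.example.com/callback#access_token=CONSTRUCTED_TOKEN&token_type=bearer&state=abc123";
const SAMPLE_CODE =
  "https://api.example.com/oauth/callback?code=CONSTRUCTED_CODE&state=xyz789";
```

Because each app starts and finishes its own flow, the back end only ever handles a token it obtained itself from the authorization server, rather than one handed to it by the browser.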