Two is the magic Number

..and not 3.

To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flows. That’s it.

Client Credentials Flow
This is probably the simplest flow, and it is designed for server-to-server communication. It’s a simple HTTP request/response exchange: client ID + secret in, token out. Done. (spec, C# code sample)

Code Flow + PKCE
For all other application types (server-side web app, SPA, native app) you use an authorization code-based flow. The classic OAuth 2.0 code flow has the code substitution attack problem, but this has been mitigated by e.g. the OpenID Connect Hybrid Flow or PKCE. Since PKCE is considerably easier to implement from a client point of view, just go with that. It is the official recommendation for native and web apps anyway, and since ASP.NET Core 3 now supports it out of the box as well (in fact it is turned on by default), that’s really all you need.

This makes for a really clean authentication/token story. Now make sure your token service supports those flows (e.g. IdentityServer) and set PKCE to be required for all interactive clients.
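To make the two flows concrete, here is an added example (my own illustration, not code from the post, IdentityServer or ASP.NET Core) of a toy in-memory token endpoint that accepts exactly those two grant types: `client_credentials` for a confidential server-to-server client, and `authorization_code` with PKCE (RFC 7636, S256 method) for an interactive public client. The client side of PKCE (verifier, challenge, authorization request) is included too, so you can see why a stolen or substituted code is useless without the matching verifier. The client ids, secret, endpoint and redirect URI are made-up sample values; the service also enforces the "PKCE required for interactive clients" setting the post recommends.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlencode

# ---- client side of PKCE (RFC 7636) -------------------------------------

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes -> 43-character verifier (RFC 7636 allows 43..128)
    return b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # S256: BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, challenge: str, state: str) -> str:
    """Front-channel request the browser is sent to; only the challenge travels."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{authorize_endpoint}?{urlencode(params)}"

# ---- toy token service (assumed names; not IdentityServer's API) --------

@dataclass
class Client:
    client_id: str
    secret: Optional[str]        # None for public clients (SPA, native app)
    require_pkce: bool = True    # "PKCE required for all interactive clients"

@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    code_challenge: Optional[str]
    used: bool = False

@dataclass
class TokenService:
    clients: Dict[str, Client]
    codes: Dict[str, IssuedCode] = field(default_factory=dict)

    def authorize(self, client_id: str, redirect_uri: str,
                  code_challenge: Optional[str] = None) -> str:
        """Authorization endpoint after the user logged in: hand out a one-time code."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unauthorized_client")
        if client.require_pkce and code_challenge is None:
            raise ValueError("invalid_request: code_challenge is required")
        code = secrets.token_urlsafe(32)
        self.codes[code] = IssuedCode(client_id, redirect_uri, code_challenge)
        return code

    def token(self, form: Dict[str, str]) -> Dict[str, str]:
        """Token endpoint: dispatch on grant_type, exactly two grants supported."""
        grant = form.get("grant_type")
        if grant == "client_credentials":
            return self._client_credentials(form)
        if grant == "authorization_code":
            return self._authorization_code(form)
        return {"error": "unsupported_grant_type"}

    def _client_credentials(self, form: Dict[str, str]) -> Dict[str, str]:
        # client ID + secret in, token out; public clients have no secret to present
        client = self.clients.get(form.get("client_id", ""))
        presented = form.get("client_secret", "")
        if client is None or client.secret is None or \
                not hmac.compare_digest(client.secret, presented):
            return {"error": "invalid_client"}
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}

    def _authorization_code(self, form: Dict[str, str]) -> Dict[str, str]:
        issued = self.codes.get(form.get("code", ""))
        if issued is None or issued.used:
            return {"error": "invalid_grant"}
        issued.used = True  # codes are single-use, even when the exchange fails
        if issued.client_id != form.get("client_id") or \
                issued.redirect_uri != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        if issued.code_challenge is not None:
            # The party redeeming the code must prove it started the flow.
            verifier = form.get("code_verifier", "")
            if not hmac.compare_digest(make_code_challenge(verifier), issued.code_challenge):
                return {"error": "invalid_grant"}
        return {"access_token": "tok-" + secrets.token_hex(8), "token_type": "Bearer"}
```

Note that the token endpoint never sees the verifier until redemption and the browser never sees it at all, which is the whole point: a code captured or injected on the front channel cannot be exchanged by anyone who does not hold the verifier generated by the legitimate client.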

The other flow you might care about is the one for devices (without browsers or keyboards), but it is not very commonly used. Oh well, maybe it is 3. Anyway, it gets easier.

This entry was posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect.