Let me summarize the points that I learned from above answers and add some of my own understandings.

Authorization Code Flow!!!

• If you have a web application server that act as OAuth client
• If you want to have long lived access
• If you want to have offline access to data
• when you are accountable for api calls that your app makes
• If you do not want to leak your OAuth token
• If you don't want you application to run through authorization flow every time it needs access to data. NOTE: The Implicit Grant flow does not entertain refresh token so if authorization server expires access tokens regularly, your application will need to run through the authorization flow whenever it needs access.

Implicit Grant Flow!!!

• When you don't have Web Application Server to act as OAuth Client
• If you don't need long lived access i.e only temporary access to data is required.
• If you trust the browser where your app runs and there is limited concern that the access token will leak to untrusted users.

The access_token is what you need to call a protected resource (an API). In the Authorization Code flow there are 2 steps to get it:

1. User must authenticate and returns a code to the API consumer (called the "Client").
2. The "client" of the API (usually your web server) exchanges the code obtained in #1 for an access_token, authenticating itself with a client_id and client_secret
3. It then can call the API with the access_token.

So, there's a double check: the user that owns the resources surfaced through an API and the client using the API (e.g. a web app). Both are validated for access to be granted. Notice the "authorization" nature of OAuth here: user grants access to his resource (through the code returned after authentication) to an app, the app get's an access_token, and calls on the user's behalf.

In the implicit flow, step 2 is omitted. So after user authentication, an access_token is returned directly, that you can use to access the resource. The API doesn't know who is calling that API. Anyone with the access_token can, whereas in the previous example only the web app would (it's internals not normally accessible to anyone).

The implicit flow is usually used in scenarios where storing client id and client secret is not recommended (a device for example, although many do it anyway). That's what the the disclaimer means. People have access to the client code and therefore could get the credentials and pretend to become resource clients. In the implicit flow all data is volatile and there's nothing stored in the app.

Which one is more secure and why?

Both are them are secure, it depends in the environment you are using it.

I don't see a reason why an extra step (exchange authorization code for token) is added in one work flow when the server can directly issue an Access token.

It is simple. Your client is not secure. Let's see it in details.

Consider you are developing an application against Instagram API, so you register your APP with Instagram and define which API's you need. Instagram will provide you with client_id and client_secrect

On you web site you set up a link which says. "Come and Use My Application". Clicking on this your web application should make two calls to Instagram API.

First send a request to Instagram Authentication Server with below parameters.

1. `response_type` with the value `code`
2. `client_id` you have get from `Instagram`
3. `redirect_uri` this is a url on your server which do the second call
4. `scope` a space delimited list of scopes
5. `state` with a CSRF token. 

You don't send client_secret, You could not trust the client (The user and or his browser which try to use you application). The client can see the url or java script and find your client_secrect easily. This is why you need another step.

You receive a code and state. The code here is temporary and is not saved any where.

Then you make a second call to Instagram API (from your server)

 1. `grant_type` with the value of `authorization_code`
 2. `client_id` with the client identifier
 3. `client_secret` with the client secret
 4. `redirect_uri` with the same redirect URI the user was redirect back to
 5. `code` which we have already received.

As the call is made from our server we can safely use client_secret ( which shows how we are) with code which shows the user have granted out client_id to use the resource.

In response we will have access_token

From practical perspective (What I understood), The main reason for having Authz code flow is :

1. Support for refresh tokens (long term access by apps on behalf of User), not supported in implicit: refer:https://tools.ietf.org/html/rfc6749#section-4.2
2. Support for consent page which is a place where Resource Owner can control what access to provide (Kind of permissions/authorization page that you see in google). Same is not there in implicit . See section : https://tools.ietf.org/html/rfc6749#section-4.1 , point (B)

"The authorization server authenticates the resource owner (via the user-agent) and establishes whether the resource owner grants or denies the client's access request"

Apart from that, Using refresh tokens, Apps can get long term access to user data.

I'll add something here which I don't think is made clear in the above answers:

• The Authorization-Code-Flow allows for the final access-token to never reach and never be stored on the machine with the browser/app. The temporary authorization-code is given to the machine with the browser/app, which is then sent to a server. The server can then exchange it with a full access token and have access to APIs etc. The user with the browser gets access to the API only through the server with the token.
• Implicit flow can only involve two parties, and the final access token is stored on the client with the browser/app. If this browser/app is compromised so is their auth-token which could be dangerous.

tl;dr don't use implicit flow if you don't trust the users machine to hold tokens but you do trust your own servers.

The implicit grant is similar to the authorization code grant with two distinct differences.

It is intended to be used for user-agent-based clients (e.g. single page web apps) that can’t keep a client secret because all of the application code and storage is easily accessible.

Secondly instead of the authorization server returning an authorization code which is exchanged for an access token, the authorization server returns an access token.

Please find details here http://oauth2.thephpleague.com/authorization-server/which-grant/