Advice on SSO Integration with Custom Authorization on Backend

Hello,

We are working on integrating SSO into our system, which consists of an Angular front-end, a React Native mobile app, and a Node.js backend. We want users to authenticate via SSO but retain the authorization logic on our backend.

Currently, without SSO, users log in with a username and password from the front/mobile app, and the backend returns a JWT for further API calls.

With SSO, I’m unsure how to handle this scenario:

  1. Should we initiate the authorization flow from the SPA, obtain an authorization code, send it to the backend, and have the backend exchange it for a token using the client_secret? This would allow us to then return our own JWT.
  2. Alternatively, should we implement the Authorization Code flow with PKCE, pass the authorization header to the backend, and have the backend call the /userinfo endpoint to verify the user’s identity before returning the JWT?

Which approach would you recommend for this setup?

Thank you in advance for your help.