Currently we have a SPA backed by a PHP API. The authorization runs in the backend (no Client ID or Secret is exposed to the browser), so we are using a pseudo Authorization Code grant.
We are planning to update the workflow with 4 main objectives:
- Switch to be OIDC conformant
- Remove deprecated methods
- Adopt Lock login form (currently using custom login form)
- Better align with Auth0 patterns
The very first big question is whether we should adopt the Authorization Code Grant or the Implicit Code Grant. Being a SPA, it seems that the second would be the most suitable, but since we already have
authentication implemented in the server we could also take the first, letting the server lead the process.
Is there any major advantage / drawback in choosing either of these two approaches?
Right now we only support username/password and ADFS connections, but we will surely include others in the future.
One requirement:
We do not allow users to register. Any user logging into the application must first be registered by an admin. Since we found no way to prevent ADFS users from logging in, we have to implement a local database of registered users. Before any login attempt, the server checks whether the user is in the database before continuing to authentication in Auth0. This is what made us choose a custom login form, and being able to remove it is another bonus.
How can the Hosted Login Form (Lock) prevent an ADFS user from logging into the application if they have not first been registered by an admin?