I thought I did a good job of being clear, but I guess my ignorance is greater than I suppose.
First, I would like to confirm that “auth0 tenant can redirect the browser to a pure SPA, putting the auth code in the URL hash fragment” (step 6) is actually an option in the Authorization Code Flow with Proof Key for Code Exchange (PKCE). At least a static Javascript page will be able to read that Authorization Code, and I can proceed with a variation of what I want to deploy. Although, putting codes in the URL seems insecure.
The main use case is this: I have a simple Python script on my Windows machine. It accesses a protected service, so it needs some key to function properly. Right now, I plug in a USB dongle with credentials to get it to run, but that is not secure. I would like to change the script so I authenticate over our company sso, the script gets its Authorization Code, does its work against the protected service, and shuts down. There are no keys on my machine, there are no keys on a usb stick. I think I understand how to implement steps 1, 2, and 3. Steps 4 and 5 are between me and auth0. Step 6 is a mystery. Steps 7, 8, 9, 10 and 11 happen during the script execution, and seem clear.
How do I get the Authorization Code, in step 6, back to my python script?
I read a blog post, and one section seems to have an answer; SPAs using their backend to obtain and forward tokens back to the JS layer; I must set up some service that can “obtain and forward tokens”. I would like to confirm if this is the only way to support authentication on my python script, or if auth0 already has that service available., or if some standard has been issued to guide deployment of such a service so I do not screw it up.
Thanks again.