I'm following the implicit grant flow for my SPA application (supported by a backend). I'm able to get the access_token in the URL as a # fragment, but I don't want the access token to be visible in the URL, therefore I went with response_mode=“form_post”, but in this case I get a “cannot POST /callback” error since the callback URL is just an Angular route (state). I did not find a way to get the response, therefore I tried to give the callback URL as a backend API URL, which was able to receive the access token, but now the issue is how do I send the token to my front-end UI so that it can be used as a bearer token in every AJAX call? What is the safest possible way to send my access token?
If you want to avoid the tokens coming in the fragment, the solution would be to use the authorization code flow with PKCE. Unfortunately, at this moment, you would be on your own to implement the flow.
We are working on guidance and updated SDKs for this approach, but we aren't there yet.
You can read more about SPAs, the implicit grant and the authorization code grant at https://auth0.com/blog/oauth2-implicit-grant-and-spa/
If your SPA is supported by a backend and you want to take an even safer approach of keeping the access token out of the browser, you would create a session for the user via a session cookie (coming from the SPA backend after authentication), and store the access token in the user’s session.
In this way your SPA authenticates to its backend via the session cookie, and then the SPA backend communicates with the resource server (API) using the access token. So, essentially, the access token never leaves the backend.
Our own dashboard (https://manage.auth0.com) works in this fashion: it’s an SPA, but all requests go to the dashboard’s backend and are authenticated via the session cookie. The dashboard backend then reaches out to the actual API that handles the resources.
Thank you @nicolas_sabena, that's a good idea, will try that. Thank you once again for the quick response.