We have multiple apps that we need to bring under SSO. Some of them are written in ASP.Net MVC and are thus web apps using server-side rendering; some of them are single-page apps. We can easily use the SDK, perform authentication and get the token silently for the SPA. The problem is that we need to try and keep the implementation in the web app similar too. Currently, the web app implements the Authorization Code flow: it gets the auth code in the callback, then we get the token using the /token endpoint. That token is then passed through the ViewBag and rendered directly inside the HTML. This is how the token is being passed to the client side.
What we want to achieve here is that we should be able to get the token on the client side and not need to pass the token from the server to the client. Passing the access token from the server to the client is a security risk. We want to avoid this and need to be able to get the token on the client side itself. We could use the client credentials flow, but we are not comfortable with storing sensitive information like a client secret on the client side.
Can you suggest some flow that is close to the Auth code with PKCE flow and that can be easily implemented in an app that is based on ASP.Net MVC and performs the authentication on the server side?
Hi shahzad, we are facing the same issue. Did you ever come up with a solution to this problem?