I’ve been looking at SPA + API under Architecture Scenarios, and I’m wondering if this tutorial might be a bit outdated as of today’s best practices.
Firstly, the tutorial is set up to use Implicit Grant. But in the guide for choosing the best OAuth 2.0 Flow, SPAs are recommended to use Authorization Code Grant with PKCE. Does it really matter?
Also, the tutorial is built up around the Authorization Extension (for defining permissions and roles). But when looking in the dashboard, I seem to be able to define permissions directly on the API, and I’ve got a separate section Users & Roles where roles can be defined and mapped to permissions. Is that extension needed at all?
Are there any better/more up-to-date tutorials for a SPA + API architecture?