Auth0 Home Blog Docs

OAuth2 Implicit Grant and SPA



“Everything you always wanted to know (but were afraid to ask)”


Thanks to Vittorio Bertocci for this excellent blog post. Like (perhaps) many others, I noticed the 2018 change in the OAuth2 Working Group’s recommendation regarding the use of the Implicit flow for web SPAs, and it concerned me greatly at the time. Like (very probably) many others however, I had a hard time conceptualizing how to adopt ‘Authorization Code Grant w\PKCE’ within a SPA. It’s semi-easy to imaging how it might be done, but very hard to implement without the use of refresh tokens. Also, the working group recommendation provides no helpful ‘next steps’ (or pointers to any).

This article provides a very nice wrapper around the subject of ‘should I switch from Implicit Flow to ACG+PKCE?’, and also provides some concrete steps regarding how one can make that decision, and actually begin to make the switch.

Many thanks to Auth0 and to Mr. Bertocci.