Hi Vittorio,
This has been a really helpful post, which one of your colleagues put me on to.
I have one quick question, if that is OK. With your alternative solutions where you control the backend, could you not extend option 1 so that it supports third-party APIs by having the backend act as a reverse proxy?
You could have routing in your SPA backend such that [your SPA backend's proxy endpoint] would obtain an access token and then forward the request on to thirdpartyapi.com/someendpoint with the access_token, and then simply return whatever the response is to the SPA. Access to [the SPA backend] via session cookie and no tokens delivered to the client? In theory this gets around the shortcomings of the second approach, in that the application requesting the token is the same one that forwards the API request and doesn't need to be an authorization server.
Interested in your thoughts on the above anyway.
Thanks, Ed