I’m trying to make up my mind for the following scenario: I have a SPA and a backend API that serves it. The SPA authenticates on my backend with the implicit flow. Now, I’d like to integrate with a 3rd party API, allowing my backend (or the SPA eventually) to interact with the external API. Notice I don’t want to use the 3rd party for login.
How should the Authorization Code flow work in this case?
I’m expecting my users to log in to my app using the implicit flow from the SPA to my API (i.e. get an access token with my API as audience via auth0). Then, they should probably move to a specific section of my SPA for adding the integration to the 3rd party API. The goal is to have a refresh token securely stored in my backend so it can get access tokens for the 3rd party API without having the user log in again on it.
I’m not sure how this part should work. auth0 is probably not directly involved, since I don’t need to log in on my API with 3rd party credentials. I’m expecting the user agent to be redirected to the 3rd party’s authorize endpoint with the required scopes, but what about the following redirect? Should I redirect to my SPA and have it send the authorization code to my backend (seems a no-no to me), or should the 3rd party redirect directly to my backend, have it check the authorization code by getting a refresh token, store it, and redirect my SPA to the results?
Is there any documentation you would suggest I read covering this (common, I think) scenario?
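As an added illustration (not part of the original post or of any Auth0 code), here is a minimal backend-side version of the second option described above: the backend builds the 3rd party authorize URL with a random `state` bound to the already-logged-in user, the 3rd party redirects back to the backend, and the backend exchanges the code, keeps the refresh token server-side and sends the SPA only a result status. The endpoint URLs, client id, `access_type` parameter and the `fake_exchange` stand-in for the provider's token endpoint are assumptions so the code runs offline.

```python
import secrets
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Assumed values: the 3rd party's authorize endpoint, our client id, the backend
# callback that the 3rd party redirects to, and the SPA page that shows the result.
AUTHORIZE_URL = "https://thirdparty.example/oauth/authorize"
CLIENT_ID = "my-app-client-id"
BACKEND_CALLBACK = "https://api.myapp.example/integrations/thirdparty/callback"
SPA_RESULT = "https://app.myapp.example/integrations/thirdparty/result"
STATE_TTL = 600  # seconds a pending authorization stays valid

pending = {}         # state -> (user_id, issued_at): binds the callback to the logged-in user
refresh_tokens = {}  # user_id -> refresh token (in a real deployment: encrypted at rest)

def build_authorize_url(user_id, scopes):
    """Called by the backend for a user already authenticated against our own API.
    The state is unguessable and tied to that user, so the callback can only
    complete the integration for the user who started it."""
    state = secrets.token_urlsafe(32)
    pending[state] = (user_id, time.time())
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": BACKEND_CALLBACK, "scope": " ".join(scopes),
              "state": state, "access_type": "offline"}  # refresh-token request; provider-specific
    return f"{AUTHORIZE_URL}?{urlencode(params)}"

def handle_callback(query_string, exchange_code):
    """Backend endpoint the 3rd party redirects to. `exchange_code(code, redirect_uri)`
    performs the back-channel token request (with the client secret) and returns the
    token response; the SPA never sees the code or the refresh token."""
    q = parse_qs(query_string)
    if "error" in q:
        return {"status": "denied", "redirect": f"{SPA_RESULT}?status=denied"}
    state, code = q.get("state", [None])[0], q.get("code", [None])[0]
    entry = pending.pop(state, None)  # one-time use: replaying a state fails
    if entry is None or code is None or time.time() - entry[1] > STATE_TTL:
        return {"status": "invalid_state", "redirect": f"{SPA_RESULT}?status=error"}
    user_id = entry[0]
    tokens = exchange_code(code, BACKEND_CALLBACK)
    if "refresh_token" not in tokens:
        return {"status": "no_refresh_token", "redirect": f"{SPA_RESULT}?status=error"}
    refresh_tokens[user_id] = tokens["refresh_token"]  # stays on the backend only
    return {"status": "connected", "redirect": f"{SPA_RESULT}?status=connected"}

def fake_exchange(code, redirect_uri):
    """Constructed stand-in for the provider's token endpoint so the example runs offline."""
    if code == "good-code" and redirect_uri == BACKEND_CALLBACK:
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 3600}
    return {"error": "invalid_grant"}

def state_from(url):
    """Helper: pull the state parameter back out of a generated authorize URL."""
    return parse_qs(urlparse(url).query)["state"][0]
```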