If a single page application has control on the server side, it is possible to implement the authorization process like a regular web application does, using Authorization Code Grant instead of the Implicit Code Grant used by SPAs. That is, send the server the order to authorize and let it start the authorization with Auth0 using the client secret securely stored in the backend. So we have an SPA application (like Angular) with just a traditional web app flow used for authentication. This has the advantage of being more secure than the Implicit Code Grant used by SPAs and having more functions available, like using refresh tokens.
I'm considering this approach but don't know if there is any drawback in implementing the Authorization Code Grant in SPAs as explained above, instead of the recommended Implicit Grant Flow. Am I missing something?
The big difference is that using your flow, the SPA wouldn’t have any way of knowing if the user is logged in and who the user is, until the backend is called. Other than that, I don’t really think there’s a big difference. For what it’s worth: the Auth0 Dashboard also uses your flow (as far as I can tell).
IIUC, the relevant RFC recommends using the authorization code grant over the implicit grant whenever possible:
Implicit grants improve the responsiveness and efficiency of some clients (such as a client implemented as an in-browser application), since it reduces the number of round trips required to obtain an access token. However, this convenience should be weighed against the security implications of using implicit grants, such as those described in Sections 10.3 and 10.16, especially when the authorization code grant type is available.
And goes even further to recommend the PKCE extension to the authorization code grant:
OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat through the use of Proof Key for Code Exchange (PKCE, pronounced "pixy").
So generally speaking I share the opinion of @david.casillas, but I'm still not sure why the flows recommended by Auth0 are as they are.
I hope that someone from Auth0’s team would weigh in on this…
This is actually a recommended approach in the current draft for using OAuth with SPAs:
I would recommend reading the whole draft, and also recommend reading Vittorio Bertocci’s blog post on the subject: