Auth0 Home Blog Docs

SPA with Authorization Code Grant



If a single page application has control on the server side, it is posible to implement the authorization process like a regular web application does, using Authorization Code Grant, instead of the Implicit Code Grant used by SPAs . That is, send the server the order to authorize and let him start the authorization with Auth0 using the client secret securely stored in the backend . So we have an SPA application (like Angular) with just a traditional web app flow used for authentication. This has the advantage of being more secure than Implicit Code Grant used by SPAs and having more functions available, like using refresh tokens.

I’m considering this approach but don’t know if there is any drawback in implementing the Authorization Code Grant in SPAs as explained above, instead of the recommended Implicit Grant Flow. I’m missing something?


The big difference is that using your flow, the SPA wouldn’t have any way of knowing if the user is logged in and who the user is, until the backend is called. Other than that, I don’t really think there’s a big difference. For what it’s worth: the Auth0 Dashboard also uses your flow (as far as I can tell).

I believe your proposed flow is even considered to be slightly more secure, but don’t quote me on that. Both flows have their unique security considerations: the recommended flow is vulnerable to someone stealing the access token through JavaScript, the other one needs CSRF protection. Pick your poison :stuck_out_tongue_winking_eye: