If a single page application has control on the server side, it is possible to implement the authorization process like a regular web application does, using Authorization Code Grant, instead of the Implicit Code Grant used by SPAs. That is, send the server the order to authorize and let it start the authorization with Auth0 using the client secret securely stored in the backend. So we have an SPA application (like Angular) with just a traditional web app flow used for authentication. This has the advantage of being more secure than Implicit Code Grant used by SPAs and having more functions available, like using refresh tokens.
I'm considering this approach but don't know if there is any drawback in implementing the Authorization Code Grant in SPAs as explained above, instead of the recommended Implicit Grant Flow. Am I missing something?