https://workon.app uses Auth0 and implicit grants. When you log in, you get an access token. That access token is appended to the XHR requests to a Kinto server. Since the whole app uses Kinto.js, all data is stored in IndexedDB, but when it syncs that to the server my code adds an extra header.
Kinto supports OpenID Connect and when configured (basically just setting my Auth0 domain) every XHR request is validated and cached. So I have an offline app, with secure backend storage and I don’t have a single password input field in sight.
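
The client side of the flow described above, as an added example that is not workon.app's own code: it parses the fragment an implicit-grant redirect returns, checks the `state` value and token lifetime, and builds the extra header for a sync. The function names, the sample fragment and the `Authorization: Bearer` scheme are assumptions; the header type must match what the Kinto server is configured to accept.

```javascript
// Added example; all names here are illustrative assumptions.

// Parse the URL fragment returned by an implicit-grant redirect
// (#access_token=...&token_type=Bearer&expires_in=...&state=...).
function parseImplicitGrantFragment(fragment, expectedState, now = Date.now()) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  // The state must equal the value stored before redirecting to the
  // identity provider; otherwise this browser did not start the login.
  const state = params.get("state");
  if (!expectedState || state !== expectedState) {
    throw new Error("state mismatch");
  }
  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type") || "";
  if (!accessToken || tokenType.toLowerCase() !== "bearer") {
    throw new Error("missing or non-bearer access token");
  }
  const expiresIn = Number(params.get("expires_in"));
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error("missing expires_in");
  }
  // Keep the token in memory only, together with its expiry time.
  return { accessToken, expiresAt: now + expiresIn * 1000 };
}

// Build the extra header for a sync request; refuse to send an
// expired token so offline edits stay queued until the next login.
function syncHeaders(session, now = Date.now(), scheme = "Bearer") {
  if (!session || now >= session.expiresAt) {
    throw new Error("access token expired; log in again");
  }
  return { Authorization: `${scheme} ${session.accessToken}` };
}

// Constructed sample fragment (not a real token).
const SAMPLE_FRAGMENT =
  "#access_token=constructed-token-123&token_type=Bearer&expires_in=7200&state=s3ss10n";

// With Kinto.js the result would be passed per sync, e.g.
//   collection.sync({ headers: syncHeaders(session) });
```

Local reads and writes against IndexedDB need no token; only the sync call does, which is why the expiry check sits in `syncHeaders` rather than at login.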