Single Page Apps
Authentication and delegated authorization for single page applications.
Lab 4: Single-Page Applications
Jump to Section
- Single Page Apps (SPA)
- Modeling SPAs in OAuth2 and OIDC
- Choosing between token-based and cookie-based strategies depending on where the API lives
- Implicit grant
- Definition of “implicit” in OAuth2
- Classic use of “implicit” in the context of SPAs
- Mechanics of implicit + fragment token delivery
- Considerations on implicit flow usage today
- Issues with implicit + fragment for requesting access tokens
- Challenges renewing tokens in SPAs
- Implicit grant + fragment diagram
- Authorization request
- Authorization response
- Considerations on requesting ID token, access tokens for calling API
- Renewing tokens in SPAs
- Silent (no user interaction) token request via iframe
- Authorization response
- Issues with the iframe token renewal approach
- Implicit flow response_type=token deprecation
- New OAuth2 SPA best practice: code + PKCE
- Alternative topologies for securing SPAs
Previous videos in this series
- 48:54 Introduction to Identity: A whirlwind tour of identity history, concepts, and terminology: protocols, open standards, SSO, OAuth2, OpenID Connect and more.
- 14:58 OpenID Connect and OAuth2: OpenID Connect and OAuth specifications, roles, and grants.
- 34:56 Web Sign-In: Authentication for web applications using OpenID Connect.
- 53:12 Calling an API: How to obtain and use access and refresh tokens for delegated authorization in a traditional web application.
- 41:01 Desktop and Mobile Apps: Authentication and delegated authorization for desktop and mobile applications and a public client overview.