
SPA with direct API access

The Single Page Application (SPA) calls the API provided by the Resource Server directly. The SPA application is responsible for user authentication with the IAM Authorization Server, and it uses a public client (one that holds no client secret) to access the IAM Authorization Server. The SPA application manages and uses the tokens itself: the Access Token, together with the ID Token and the Refresh Token, is exposed to the SPA application running in the browser.

[diagram: sequence of the SPA authentication flow]

  1. The user clicks the Sign in/Log in button in the SPA application, and the SPA application initiates the authentication flow by calling the IAM Server's standard OAuth2 Authorization endpoint (/auth).
  2. The IAM Server redirects the user to the Login page provided by the IAM Server. The user provides his/her credentials in order to authenticate.
  3. Upon successful authentication, the IAM Server returns an Authorization Code to the SPA application via the browser (user agent).
  4. The SPA application calls the IAM Server's standard OAuth2 Token endpoint (/token) to exchange the Authorization Code for tokens (ID Token, Access Token and Refresh Token).
  5. The IAM Server returns the tokens to the SPA application, and the SPA application stores them using the Browser API.
  6. With the received tokens stored, the SPA client calls the underlying Service APIs, presenting the Access Token.