SPA with Token Mediation
The Single Page Application (SPA) calls the API provided by the Resource Server directly. The Token Mediation Backend is responsible for authenticating the user session with the IAM Authorization Server, and it uses a confidential client to access the IAM Authorization Server. The Token Mediation Backend manages the application sessions and their associated tokens. The Access Token is not exposed to the SPA application directly; the SPA application can obtain the Access Token through its authenticated session, so it does not need to store the Access Token in a cookie or in browser storage.

- The User clicks the Sign in/Log in button in the SPA application.
- The Token Mediation Backend initiates the authentication flow by calling the IAM Server's standard OAuth2 Authorization endpoint (/auth).
- The IAM Server redirects the User to the login page provided by the IAM Server. The User provides his/her credentials in order to authenticate.
- Upon successful authentication, the IAM Server returns an Authorization Code via the browser agent to the Token Mediation Backend.
- The Token Mediation Backend calls the IAM Server's standard OAuth2 Token endpoint (/token) to exchange the Authorization Code for Tokens (ID Token, Access Token and Refresh Token).
- The IAM Server returns the Tokens to the Token Mediation Backend.
- The Token Mediation Backend creates an authenticated session with the associated tokens and returns the session to the SPA client.
- The SPA client gets the Access Token from the Token Mediation Backend using the authenticated session.
- The SPA client calls the underlying Service APIs with the Access Token.
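The sequence above, as an added example that is not part of the original page and not any product's own code. It is an in-process simulation with no HTTP: the `IAMServer`, `ResourceServer` and `TokenMediationBackend` classes, the client id `spa-backend`, the client secret and the redirect URI are all constructed stand-ins. The `state` parameter that binds the callback to a login the backend started is an assumption, added because it is standard OAuth2 practice; the page itself does not mention it. The example shows the three properties the pattern relies on: only the confidential backend can call `/token`, the authorization code is single use, and the SPA receives a session identifier rather than the tokens themselves.

```python
import secrets


class IAMServer:
    """Constructed stand-in for the IAM Authorization Server (/auth and /token)."""

    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.codes = {}   # authorization code -> subject; each code is single use
        self.tokens = {}  # access token -> subject; consulted by the resource server

    def auth(self, client_id, redirect_uri, state, user):
        """/auth: the user authenticates at the IAM login page; the browser is then
        redirected to redirect_uri carrying the code and the unchanged state."""
        if client_id != self.client_id or redirect_uri != self.redirect_uri:
            raise PermissionError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return {"code": code, "state": state}

    def token(self, client_id, client_secret, code, redirect_uri):
        """/token: requires the confidential client's secret, so the SPA cannot call it."""
        if client_id != self.client_id or not secrets.compare_digest(client_secret, self.client_secret):
            raise PermissionError("client authentication failed")
        if redirect_uri != self.redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        subject = self.codes.pop(code, None)  # pop: a replayed code is rejected
        if subject is None:
            raise PermissionError("invalid or already used authorization code")
        access = secrets.token_urlsafe(24)
        self.tokens[access] = subject
        return {"access_token": access, "id_token": f"id-token-for-{subject}",
                "refresh_token": secrets.token_urlsafe(24), "expires_in": 300}


class ResourceServer:
    """Constructed stand-in for the Service API; accepts a bearer access token."""

    def __init__(self, iam):
        self.iam = iam

    def get_profile(self, bearer):
        subject = self.iam.tokens.get(bearer)
        if subject is None:
            raise PermissionError("401 invalid access token")
        return {"sub": subject}


class TokenMediationBackend:
    """Holds the confidential client credentials and the session -> token mapping."""

    def __init__(self, iam, client_id, client_secret, redirect_uri):
        self.iam = iam
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending = set()  # state values for logins this backend started (assumed)
        self.sessions = {}    # session id -> tokens; the tokens never reach the browser

    def start_login(self):
        """Steps 1-2: build the /auth request after the user clicks Sign in."""
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "state": state}

    def callback(self, code, state):
        """Steps 4-7: receive the code from the browser, exchange it, create a session."""
        if state not in self.pending:
            raise PermissionError("callback does not match a login this backend started")
        self.pending.discard(state)
        tokens = self.iam.token(self.client_id, self.client_secret, code, self.redirect_uri)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = tokens
        return sid  # in a real deployment: Set-Cookie with HttpOnly, Secure, SameSite

    def access_token_for(self, sid):
        """Step 8: the SPA presents its session and gets only the access token."""
        session = self.sessions.get(sid)
        if session is None:
            raise PermissionError("no authenticated session")
        return session["access_token"]


def run_flow(user="alice"):
    """Drive the whole sequence for one user and return what the API answered."""
    iam = IAMServer("spa-backend", "constructed-client-secret", "https://app.example/callback")
    api = ResourceServer(iam)
    backend = TokenMediationBackend(iam, "spa-backend", "constructed-client-secret",
                                    "https://app.example/callback")
    req = backend.start_login()
    redirect = iam.auth(req["client_id"], req["redirect_uri"], req["state"], user)
    sid = backend.callback(redirect["code"], redirect["state"])
    access_token = backend.access_token_for(sid)  # step 8
    return api.get_profile(access_token)           # step 9


if __name__ == "__main__":
    print(run_flow("alice"))
```

The session identifier is the only secret the browser holds, and it is opaque: if it leaks, the backend can revoke that one session server-side without the tokens themselves ever having been in browser storage.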