[Openid-specs-ab] SPA (Single Page App) - Best practices

Vladimir Dzhuvinov vladimir at connect2id.com
Wed Aug 17 07:48:39 UTC 2016

Hi Sascha,

OAuth / OIDC are not really concerned with the UI paradigm of the web
app and how it is implemented.

The thing that matters is whether the web app has a backend or not: A
web app with a backend should use the code flow, an HTML5+JS-only app
the implicit flow. If you have an app with a significant JS front-end
(potentially an SPA) it may benefit from the hybrid flow, which delivers
a copy of the ID token to the JS. I haven't encountered such apps though.


On 17/08/16 00:44, Preibisch, Sascha H via Openid-specs-ab wrote:
> Hi everybody!
> I get many questions regarding best practices for SPA with OAuth/ OIDC from colleagues and customers. But since I am not a web development expert I do not have the biggest experience on this topic.
> I have searched via google and bing but I do not really find good info about that topic. Or I just did not recognize it.
> I would be happy if I could get an answer that refers to good reads, example apps,  typical message flows, biggest pros and cons, which tokens would usually be used for what, if cookies should be/have to be involved. Something that is valuable to others on this list would help.
> Thanks a lot,
> Sascha
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Vladimir Dzhuvinov

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160817/1a401681/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3711 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20160817/1a401681/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list