<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Hi Sascha,</p>
<p>OAuth / OIDC are not really concerned with the UI paradigm of the
web app and how it is implemented.<br>
</p>
<p>The thing that matters is whether the web app has a backend or
not: A web app with a backend should use the code flow, an
HTML5+JS-only app the implicit flow. If you have an app with a
significant JS front-end (potentially an SPA) it may benefit from
the hybrid flow, which delivers a copy of the ID token to the JS.
I haven't encountered such apps though.<br>
</p>
<p>Vladimir<br>
</p>
<br>
<div class="moz-cite-prefix">On 17/08/16 00:44, Preibisch, Sascha H
via Openid-specs-ab wrote:<br>
</div>
<blockquote cite="mid:D3D8D730.1A969%25sascha.preibisch@ca.com"
type="cite">
<pre wrap="">Hi everybody!
I get many questions regarding best practices for SPA with OAuth/OIDC from colleagues and customers. But since I am not a web development expert I do not have the biggest experience on this topic.
I have searched via Google and Bing but I do not really find good info about that topic. Or I just did not recognize it.
I would be happy if I could get an answer that refers to good reads, example apps, typical message flows, biggest pros and cons, which tokens would usually be used for what, if cookies should be/have to be involved. Something that is valuable to others on this list would help.
Thanks a lot,
Sascha
</pre>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Vladimir Dzhuvinov</pre>
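<p>Added example, not part of the original message: one way the JS front-end of a hybrid-flow app (response_type "code id_token") could split the redirect fragment, handing the code to the backend and keeping the ID token copy for the UI. The URLs, client values and function names are constructed for illustration.</p>

```javascript
// Constructed sample data: an ID token with a placeholder signature and a
// redirect URL as the OP would return it in the fragment for "code id_token".
const b64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleIdToken = [
  b64url({ alg: "RS256" }),
  b64url({ iss: "https://op.example", sub: "alice", aud: "spa-client", nonce: "n-123" }),
  "constructed-signature",
].join(".");
const sampleRedirect =
  "https://app.example/cb#code=c-789&id_token=" + sampleIdToken + "&state=s-456";

// Decode the JWT payload (base64url -> JSON). This does NOT verify the token.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

// Hypothetical handler for the redirect: checks state and nonce against the
// values the app stored before sending the request, then separates the two
// artifacts. Signature, iss, aud and exp checks are omitted here; the claims
// are display-only until the ID token has been fully validated.
function handleHybridRedirect(redirectUrl, expected) {
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  if (params.has("error")) throw new Error("authorization error: " + params.get("error"));
  if (params.get("state") !== expected.state) throw new Error("state mismatch");
  const code = params.get("code");
  const idToken = params.get("id_token");
  if (!code || !idToken) throw new Error("hybrid response must carry code and id_token");
  const claims = decodeJwtPayload(idToken);
  if (claims.nonce !== expected.nonce) throw new Error("nonce mismatch");
  // The code is exchanged by the backend at the token endpoint;
  // the JS only keeps the ID token claims.
  return { codeForBackend: code, claimsForUi: claims };
}

const result = handleHybridRedirect(sampleRedirect, { state: "s-456", nonce: "n-123" });
console.log(result.codeForBackend, result.claimsForUi.sub);
```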
</body>
</html>