How to integrate OAuth with a single page application?

Backend · Unresolved · 3 · 890
余生分开走 2020-12-13 06:12

When using OAuth (2) I need a redirection endpoint in my application that the OAuth-offering service can redirect to, once I have been authenticated.

How do I handle

3 replies
  •  伪装坚强ぢ
    2020-12-13 06:43

    OAuth2 has 4 flows a.k.a. grant types, each serving a specific purpose:

    • Authorization Code (the one you alluded to, which requires redirection)
    • Implicit
    • Client Credential
    • Resource Owner Password Credential

    The short answer is: use Implicit flow.

    Why? Choosing a flow or grant type relies on whether any part of your code can remain private, and thus is capable of storing a secret key. If so, you can choose the most secure OAuth2 flow - Authorization Code; otherwise you will need to compromise on a less secure OAuth2 flow, e.g., for a single-page application (SPA) that will be the Implicit flow.

    Client Credential flow only works if the web service and the user are the same entity, i.e., the web service serves only that specific user, while Resource Owner Password Credential flow is the least secure and is used as a last resort, since the user is required to give her social login credentials to the service.

    To fully understand the difference between the recommended Implicit flow and the Authorization Code flow (the one that you alluded to, which requires redirection), take a look at the two flows side by side:

    This diagram was taken from: https://blog.oauth.io/introduction-oauth2-flow-diagrams/
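The question asks how a single-page application should handle the redirect endpoint. The following is an added example, not code from the original question or reply: it shows what the SPA's redirect handler has to check for the two redirect-based flows the reply compares. In the Implicit flow the provider appends the token to the URL fragment (`#access_token=...`), in the Authorization Code flow it appends a code to the query string (`?code=...`). The handler validates the `state` parameter the app sent earlier, which is what stops an attacker from injecting a token or code into the app through a crafted link. The state storage, the `https://app.example/callback` URL and the token values are constructed for the example.

```javascript
// Added example (not from the original post): the redirect endpoint of a
// single-page application, handling both the Implicit flow (token arrives in
// the URL fragment) and the Authorization Code flow (code arrives in the query
// string). Assumed: the SPA stored the `state` value it sent in the
// authorization request and passes it in as `expectedState`.

// Generate an unguessable state value for the authorization request (CSRF
// protection). Uses the Web Crypto API available in browsers (and Node >= 19).
function generateState(byteLength = 16) {
  const webCrypto = globalThis.crypto;
  if (!webCrypto || typeof webCrypto.getRandomValues !== 'function') {
    throw new Error('Web Crypto API unavailable; cannot generate a safe state');
  }
  const bytes = new Uint8Array(byteLength);
  webCrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Parse the URL the provider redirected to and validate it. Returns an object
// describing the outcome and never throws on untrusted parameter values.
function handleRedirect(redirectUrl, expectedState) {
  const url = new URL(redirectUrl);
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  const query = url.searchParams;

  // Implicit flow puts its parameters in the fragment so they never reach the
  // server; Authorization Code flow uses the query string.
  let flow;
  let params;
  if (fragment.has('access_token') || fragment.has('error')) {
    flow = 'implicit';
    params = fragment;
  } else if (query.has('code') || query.has('error')) {
    flow = 'authorization_code';
    params = query;
  } else {
    return { ok: false, reason: 'no OAuth parameters in redirect URL' };
  }

  // The provider reports a denied or failed request via `error`.
  if (params.has('error')) {
    return {
      ok: false,
      flow,
      reason: params.get('error'),
      description: params.get('error_description') || '',
    };
  }

  // `state` must round-trip unchanged; a missing or mismatched value means the
  // response was not triggered by this app's own request (CSRF or injection).
  if (!expectedState || params.get('state') !== expectedState) {
    return { ok: false, flow, reason: 'state mismatch' };
  }

  if (flow === 'implicit') {
    const tokenType = (params.get('token_type') || '').toLowerCase();
    if (tokenType !== 'bearer') {
      return { ok: false, flow, reason: 'unsupported token_type' };
    }
    const expiresIn = Number.parseInt(params.get('expires_in') || '', 10);
    return {
      ok: true,
      flow,
      accessToken: params.get('access_token'),
      expiresIn: Number.isNaN(expiresIn) ? null : expiresIn,
      scope: params.get('scope') || '',
    };
  }

  // Authorization Code flow: the code is only useful once exchanged at the
  // token endpoint, which needs the client secret and so belongs on a back
  // end rather than in the SPA.
  return { ok: true, flow, code: params.get('code') };
}

// Constructed sample redirects (placeholder values, not real tokens).
const SAMPLE_STATE = 'a1b2c3d4e5f60718';
const SAMPLE_IMPLICIT_REDIRECT =
  'https://app.example/callback#access_token=tok_sample&token_type=Bearer' +
  '&expires_in=3600&scope=profile&state=' + SAMPLE_STATE;
const SAMPLE_CODE_REDIRECT =
  'https://app.example/callback?code=code_sample&state=' + SAMPLE_STATE;

console.log(JSON.stringify(handleRedirect(SAMPLE_IMPLICIT_REDIRECT, SAMPLE_STATE)));
console.log(JSON.stringify(handleRedirect(SAMPLE_CODE_REDIRECT, SAMPLE_STATE)));
console.log(JSON.stringify(handleRedirect(SAMPLE_IMPLICIT_REDIRECT, 'other-state')));
```

In a real SPA the `state` would be generated with `generateState()` before building the authorization URL, kept in `sessionStorage`, and cleared after one use; after a successful Implicit-flow redirect the app should also remove the fragment from the address bar (for example with `history.replaceState`) so the token does not linger in browser history.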
