Single Sign On (SSO) solution/architecture for Single Page App (SPA)

Submitted by 梦想与她 on 2019-12-06 09:17:48

Question


I've been investigating SSO solutions for SPAs for some time. There are a lot of solutions with subtle differences, while I have also found that not everyone has the same understanding of SSO, and not many established patterns of SSO for SPAs are out there. Thus I'm not asking for a detailed design/architecture, but just trying to see if there's any common practice on this topic.

What do I mean for SSO?

  1. We have a few new SPAs under development (also potentially mobile and tablet apps), which will be deployed on different servers and have different domains.
  2. We also have a central IdP (authServer) where all the user identities will be stored.
  3. Once I log into SPA1 and click a button which brings me to SPA2 (or SPA3, SPA4, potentially), I don't have to enter user credentials and will be logged in automatically.

What's the difference for SPA? (as opposed to regular web app)

I've looked at a few solutions, even old solutions like SAML (just want to get a sense about SSO). My current candidate is OpenID Connect, but then I realized a difference for SPAs, if my understanding is correct: unlike regular web apps, an SPA usually doesn't have (or we try not to have) a backend server. What an SPA has is just a server serving static pages along with scripts, style sheets, and images.

Now comes the problem:

OpenID Connect is based on the OAuth2 Authorization Code grant type, which means either:

  1. I need a backend proxy-like module for each SPA if I want to make it work.
  2. I use a different solution to do client-side SSO, such as the one auth0 provides.
  3. I haven't found any other solutions/examples.

My question:

For point 1 above, is my understanding correct? Is it better not to let the SPA have backend code like a regular web app?

For point 2 above, that sounds like a solution, but how is that essentially different from the OAuth2 Implicit grant type?

And, are there other solutions (frameworks, protocols etc.) that I should know about but haven't explored yet?


Answer 1:


In addition to the Basic Client Profile that uses the Authorization Code grant, OpenID Connect has an Implicit Client Profile that builds on the Implicit grant from OAuth 2.0. This profile allows tokens to be delivered directly to in-browser/JavaScript clients without involving a backend.



Source: https://stackoverflow.com/questions/33311079/single-sign-on-sso-solution-architecture-for-single-page-app-spa
