OKTA SPA -- why choose this over web application?

I’m in the process of building an application that is React on the frontend and Django on the back. I’ve looked through this tutorial and I’m curious to know what is behind the choice of SPA vs web application? How do the two differ?


Good question! A SPA is when it’s all JavaScript on the front end and the code can’t be trusted to keep a secret. A web app is one that runs on a server and can be trusted to keep a secret. A SPA app has no client secret and uses PKCE to obtain tokens. A web app can use the client secret to get access tokens.

So in this way, if the authentication happens completely on the front end (even if the back end uses the authentication to validate REST calls) it’s best to go with PKCE over a client secret?

Yes, that is correct.

Actually I’m finding it remarkably difficult to do this when Django is involved. If I just stuck with web application and used a client secret, is there a downside to letting the server handle the authentication for a single page application?

Update: I think I found the answer to my question.

Per the doc:

code is the authorization code that you got from the /authorize endpoint.
code_verifier is the PKCE code verifier that your app generated at the beginning of this flow.

I assume code is the same code in the used in the callback. However I don’t know what code_verifier refers to. I’m assuming it’s either the nonce or the state.
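Added example (not from the thread above and not Okta's or Django's own code): a minimal PKCE helper per RFC 7636 that shows what code_verifier is and how it relates to the code_challenge sent to /authorize and the code sent back to the callback. The verifier is a random secret the client generates and keeps for the duration of the flow; state and nonce are separate values with their own jobs (CSRF binding and ID-token replay protection). The function names, the in-memory "pending flow" dict and the sample client_id/redirect_uri are assumptions for illustration; the test vector is the one from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string

# Characters a code_verifier may contain (RFC 7636 section 4.1: unreserved characters).
VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def generate_code_verifier(length: int = 64) -> str:
    """Return a high-entropy random code_verifier of 43..128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(VERIFIER_ALPHABET) for _ in range(length))


def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) with padding removed (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_code_verifier(code_verifier: str, stored_challenge: str) -> bool:
    """The check the authorization server performs at the token endpoint (section 4.6).

    It recomputes the challenge from the verifier the client just sent and compares it
    to the challenge it stored when it issued the authorization code.
    """
    return secrets.compare_digest(code_challenge_s256(code_verifier), stored_challenge)


def start_flow(client_id: str, redirect_uri: str) -> dict:
    """Client side, step 1: generate verifier, state and nonce and build /authorize params.

    Returns the values the client must keep (verifier, state, nonce) and the query
    parameters it sends. Note that only the *challenge* leaves the client here.
    """
    code_verifier = generate_code_verifier()
    state = secrets.token_urlsafe(16)   # ties the callback to this browser session (CSRF)
    nonce = secrets.token_urlsafe(16)   # echoed inside the ID token to detect replay
    authorize_params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return {
        "code_verifier": code_verifier,  # kept by the client, never sent to /authorize
        "state": state,
        "nonce": nonce,
        "authorize_params": authorize_params,
    }


def token_request_body(code: str, pending: dict, client_id: str, redirect_uri: str) -> dict:
    """Client side, step 2: after the callback delivers `code`, exchange it at /token.

    `code` is the value from the callback; `code_verifier` is the secret from step 1.
    No client secret is needed, which is what makes this suitable for a SPA.
    """
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": pending["code_verifier"],
    }


if __name__ == "__main__":
    # Constructed walk-through with a placeholder client_id and redirect_uri.
    client_id, redirect_uri = "example-client-id", "http://localhost:8000/callback"
    pending = start_flow(client_id, redirect_uri)
    server_stored_challenge = pending["authorize_params"]["code_challenge"]

    # The callback hands back an authorization code (constructed placeholder value).
    body = token_request_body("constructed-auth-code", pending, client_id, redirect_uri)
    print("token endpoint accepts verifier:",
          verify_code_verifier(body["code_verifier"], server_stored_challenge))
    # Someone holding only the code, but not the verifier, cannot redeem it.
    print("wrong verifier accepted:",
          verify_code_verifier(generate_code_verifier(), server_stored_challenge))
```

The two values that confuse people are easy to tell apart in the flow above: state and nonce are sent to /authorize, while code_verifier never is, only its SHA-256 challenge; the verifier itself travels only in the final POST to /token together with the code.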