There is some information out there about how the implicit flow for SPAs is inherently a less secure way to authenticate your applications. In addition, there are documents that claim that using a PKCE authorization code flow is possible with single-page applications in the browser and has less risk.
This is specifically talked about here: https://tools.ietf.org/html/draft-parecki-oauth-browser-based-apps-02#section-7
If I am totally off base here, would someone mind pointing me towards resources to better inform myself of why the implicit flow is still an acceptable means of SPA authentication? I do not have the ability to authenticate via regular authorization code flow due to the architecture of the application I’m building.