Validate Session Server Side - Implicit Flow

My team is building an Angular SPA and we are planning on using Implicit flow as recommended. We’d like to add an additional check on the Express server hosting the Angular app to verify that the user is indeed authenticated before sending down any application code. If the User isn’t authenticated, we send them a stripped down login page that uses your Widget and libraries to log the user in, and redirect back to the Angular SPA after sign in.

My initial thought was to configure the tokenManager to store the tokens as cookies, and after these cookies are sent to the express server, create a middleware that uses the introspect endpoint to verify the access token. However, it looks like configuring the tokenManager this way isn’t an option.

Is there a recommended approach for this?

Hi @m_dev

The updated recommendation from IETF for SPA is Auth Code with Pkce.


not sure if this is a best practice, but you can achieve this by creating a separate app by choosing ‘OAuth Service’. This one has client_id/client_secret - so it’s only safe to be used server-side.
You can introspect tokens created with the SPA.