Add login to an SPA

Single-page apps (SPAs) by design run with the source code exposed in the browser, which means that they cannot maintain any secrets. These kinds of applications are called public clients.

Based on the OAuth 2.0 best practices for browser-based apps, WSO2 Identity Server recommends securing your SPAs using the OpenID Connect Authorization Code Flow for public clients with the PKCE (Proof Key for Code Exchange) extension.

See the guides given below to add login to your SPAs with WSO2 Identity Server.

Try out samples

• React SPA Sample
• JavaScript SPA Sample

Use an SDK to add login to your SPA

• React SDK
• Javascript SDK

Manually add login to your SPA

• Implement authorization code flow with PKCE