SSO SPA APP ANGULAR Refresh token Implicit flow

I’m making an application that must always keep the token updated to make API calls. I saw that it needs a secret to update the hybrid flow, but it’s not safe for an FE-side-only app.

So first I thought about making a Node.js broker API to manage the get token and refresh token, but I’m having problems regarding getting the body params code. I saw that it is passed to the login and silent redirection, but I noticed that it actually works by updating the token when it first enters:

    initOptions: {
      enableLogging: true,
      flow: 'implicit',
      onLoad: 'check-sso',
      checkLoginIframe: false,
      silentCheckSsoRedirectUri:
        window.location.origin + '/assets/silent-check-sso.html'
    }


So I tried to redo the init, exactly what I do when I first enter, here:

    this.key.keycloakEvents$.subscribe((value) => {
      if (value.type === KeycloakEventType.OnTokenExpired) { /* init redone here; body not shown in the post */ }
    });

And damn, it updates the token without logging out. It doesn’t seem like the optimal solution to me, but it works. I was thinking of logging in again every time a call failed (token expired) and not within the expiration event.

What do you think? Thank you.

First of all, you MUST not use Implicit flow anymore due to security reasons [1], and it will be removed eventually in OAuth 2.1 [2]. Therefore, you MUST use Authorization Code + PKCE.

In my experience, it’s always challenging to protect a Single Page Application (SPA), and it all depends on your security requirements. I usually delegate authentication (OpenID Connect) to a proxy with an OIDC module such as lua-resty-openidc [3], which simplifies everything. Alternatively, you can follow the BFF Application patterns [4].

[1] draft-ietf-oauth-security-topics-27
[2] draft-ietf-oauth-v2-1-11
[3] GitHub - zmartzone/lua-resty-openidc: OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
[4] draft-ietf-oauth-browser-based-apps-18