OAuth 2.0 with SPAs example
13.5.3. OAuth 2.0 SSO with single-page applications - a configuration example

Using single-page applications (SPA) in OpenID Connect setups poses some security risks since access and refresh tokens are insufficiently protected by web browsers.

In this configuration example, we demonstrate how Airlock Gateway (WAF) and Airlock IAM can be configured to protect access and refresh tokens issued by a third-party authorization server from being stored in the browser.

Solution overview

The solution will use the following components:

  • The authorization server supports the standard OpenID Connect authorization flow.
  • The Airlock Gateway (WAF) receives and stores access tokens.
  • Airlock IAM acts as an OIDC client towards the authorization server.
  • The SPA has an authentication session with the authorization server.
  • The SPA receives session cookies from Airlock IAM.

The following sequence diagram details the authentication flow:

API Service authorization over OAuth 2.0


This configuration ensures that a target application receives the access token issued by the authorization server with every request made by the SPA.


Known limitations of this setup are:

  • This setup only works with access tokens only. Airlock IAM as a client does not support refresh tokens.