
I am having problems defining the flow of an application that is supposed to be authenticated / authorized securely with an SPA frontend. Currently using an SPA with a Spring application server as a backchannel / client for OAuth2. The Spring application / client will be used to communicate with the IDP provider to exchange token information, which is then going to be stored only on the server and communicated with Resource Servers.

The idea is to have a stateful session id between the SPA and Client (Backchannel) and stateless communication between Client (Backchannel) and Resource Servers (API). The Client will serve as a reverse proxy to the resource servers, most likely aggregating data from them before delivering it to the SPA.

However, I am having issues understanding the SPA flow: the SPA needs to establish a session with the Client. I have currently configured the Spring app to redirect to the IDP login page when login is requested and to throw 401 Unauthorized for any of the protected endpoints. It works fine as far as the Spring app client - OAuth2 flow is concerned. But now I would like to plug an SPA into the loop, which will communicate with the Spring app client, which will then communicate with the IDP, exchange and store the data securely.

I hope there is a proper way of solving this issue; put simply, SPA -> OAuth2 client -> Resource Server.
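The SPA -> Spring OAuth2 client -> resource server layout described in the question, as an added example that is not part of the original post: the backend keeps a cookie session with the SPA, answers 401 (not a redirect) to the SPA's fetch calls, keeps CSRF protection on the session, and relays the stored access token to the resource server. It assumes Spring Boot 3.2+ / Spring Security 6, a client registration id `idp` configured in application.yml (placeholder), and a placeholder resource-server URL.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.annotation.RegisteredOAuth2AuthorizedClient;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestClient;

@Configuration
@EnableWebSecurity
public class BffSecurityConfig {
  @Bean
  SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    // fetch() calls from the SPA send this header and get 401 instead of a redirect.
    var apiCall = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");
    // Load the CSRF token on every request so the XSRF-TOKEN cookie is always written.
    var csrfHandler = new CsrfTokenRequestAttributeHandler();
    csrfHandler.setCsrfRequestAttributeName(null);
    http
      .authorizeHttpRequests(auth -> auth
        .requestMatchers("/", "/index.html", "/assets/**").permitAll().anyRequest().authenticated())
      // Authorization-code flow runs server side; tokens live in the HTTP session only.
      .oauth2Login(login -> login.defaultSuccessUrl("/", true))
      // Plain browser navigations (no header) are still redirected to the IdP login page.
      .exceptionHandling(ex -> ex.defaultAuthenticationEntryPointFor(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), apiCall))
      // Cookie session => CSRF defence: the SPA reads XSRF-TOKEN and echoes it in X-XSRF-TOKEN.
      .csrf(csrf -> csrf
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .csrfTokenRequestHandler(csrfHandler));
    return http.build();
  }
}

@RestController
class OrdersProxy {
  private final RestClient rest = RestClient.create();
  // Token relay: the backend attaches the stored access token; the SPA never sees it.
  @GetMapping("/api/orders")
  String orders(@RegisteredOAuth2AuthorizedClient("idp") OAuth2AuthorizedClient client) { // "idp" = placeholder registration id
    return rest.get().uri("https://resource.example.invalid/orders") // placeholder resource server
      .headers(h -> h.setBearerAuth(client.getAccessToken().getTokenValue()))
      .retrieve().body(String.class);
  }
}
```

With this in place the SPA only ever handles the session cookie and the CSRF cookie; a 401 from `/api/**` is its cue to navigate the browser to `/oauth2/authorization/idp` so the server-side login runs.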
