I'm coding a project composed by an SPA and an API. On the SPA, I have a button to link Google or Microsoft accounts to the user's account. The API can whenever it wants call google/microsoft apis.
I've succeeded with google using the Authorization code flow:
- From the SPA redirecting the user to https://accounts.google.com/o/oauth2/v2/auth with query parameters response_type=code and access_type=offline
- Send the returned code to the API
- The API call https://oauth2.googleapis.com/token to get an access_token and a refresh_token
- Tokens are saved in the database, and can be used whenever the API wants.
==============
Microsoft has a similar authorization flow (https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) but I can't use the authorization_code retrieved from an SPA into the API because of CORS policies. I'm not using PKCE codes because tokens are retrieved from the API that use client_id and client_secret.
=============
Am I missing something ? Is it even possible to get an authorization_code from an SPA and use it to generate access_tokens and refresh_tokens from an external API ?
Thank you so much, sorry for my english !
