I am a little confused as to how I should use the OAuth 2.0 Authorization grant for my web app.
I understand that the Implicit grant for SPAs is now decommissioned and that I should use the Authorization grant.
However, the articles and documentation I have read, and the videos I have watched, still leave some ambiguity.
If I have a React JS front end and a Spring Boot back end, I see three ways in which I could do a token exchange. So when a user clicks login, I could:
1) Have my React front end perform the authorization grant without the client secret and obtain the token, as recommended by the OAuth 2.0 docs for SPAs.
2) Have my React front end perform half of the authorization grant, i.e. get the authorization code. Then pass this on to my back end to exchange the authorization code with the client secret to get a token back, and then pass this token to my front end.
(This is the approach recommended here: what's the alternative to password grant now that it is deprecated? OAUTH 2.0).
To be honest I don't understand how this would work as surely the client IDs for the front end and back end would be different?
3) Have my React front end delegate the authorization flow to my back end server, which can perform the authorization grant using the client secret.
Have I misunderstood something or are all of these approaches possible? What is the recommended approach here?