Single Page Application + API

In this scenario you have a Single Page Web Application “Client” which talks to an API (“Resource Server”).

The application will use OpenID Connect with the Implicit Grant Flow to authenticate users with Domec Tools. When a user logs in, Domec Tools will return to the application an access_token as well as an id_token. The id_token is used to securely call the API on behalf of the user. Alternatively, the user profile can be obtained by calling the /userinfo endpoint in the Domec Tools Authentication API with the access_token.

The application will usually store the information about the user’s session (i.e. whether they are logged in, their tokens, user profile data, etc.) inside some sort of storage such as Local Storage.
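
The callback handling described above, as an added example (not Domec Tools code): it parses the URL fragment returned by the Implicit Grant Flow, checks state, nonce and expiry, and only then writes the session to storage. The function names, the `session` storage key and the `expected` object are assumptions made for illustration.

```javascript
// Added example: validate an Implicit Grant callback before storing the session.
// Assumptions: expected.state and expected.nonce were generated by the app and
// saved before redirecting to the login page; all names here are hypothetical.

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a three-part JWT');
  // base64url -> base64; atob accepts input without padding
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64));
}

function handleImplicitCallback(hash, expected, storage, nowSec) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  if (params.has('error')) throw new Error('login failed: ' + params.get('error'));

  // state ties the response to the request this browser started (CSRF defence)
  if (!expected.state || params.get('state') !== expected.state) {
    throw new Error('state mismatch');
  }
  const accessToken = params.get('access_token');
  const idToken = params.get('id_token');
  if (!accessToken || !idToken) throw new Error('missing token');

  // This only decodes the payload. Signature, iss and aud verification is
  // assumed to be done by an OIDC library and is outside this example.
  const claims = decodeJwtPayload(idToken);
  // nonce ties the id_token to this login request (replay defence)
  if (!expected.nonce || claims.nonce !== expected.nonce) throw new Error('nonce mismatch');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('id_token expired');

  const session = { accessToken, idToken, sub: claims.sub, expiresAt: claims.exp };
  storage.setItem('session', JSON.stringify(session));
  return session;
}
```

In a browser this would be called as `handleImplicitCallback(window.location.hash, saved, window.localStorage, Math.floor(Date.now() / 1000))`, where `saved` holds the state and nonce stored before the redirect.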