OAuth 2.0 for Browser-Based Apps

tools.ietf.org/html/draft-parecki-oauth-browser-based-apps

OAuth 2.0 for Browser-Based Apps describes security requirements and other recommendations for SPAs and browser-based applications using OAuth 2.0.

Among other things, it recommends using the Authorization Code flow with the PKCE extension instead of using the Implicit flow.

More resources