Using OAuth SPA app to provide third party with access token

Say I had a centralized OAuth 2 authentication server, a Single Page Application (SPA) in an electron app, and a third-party server. The user launches this SPA, goes through the PKCE flow to obtain an access & refresh token, and is now authenticated. The SPA is now allowed to access & modify information in the authentication server.

Next, say this SPA wanted to access a third party API, which performs some function – in my case, it provides authenticated downloads to a client. That third party API can already authenticate a user via the normal OAuth flow, having a user access the page, redirect the user to the authentication server, and then send the user back with an access code, which the third party API exchanges for an access token. But instead, what happens if I want this SPA to access the third party service? The SPA isn’t “signed in” to the authentication server, since it is only an OAuth client, and the user can’t just go to the authentication server’s URL to follow the standard authorization code flow. What would be the process to generate an access token for this third party API to allow access to the authentication server on the user’s behalf – retrieving or modifying information about the user?

Thanks in advance!

Solutions:

Solution 1

Adding more accurate answer based on the discussion above.

Based on your clarification in the comments, the flow is to try to download a resource through the SPA after sign-in. Then the appropriate course of action is to change the third-party service to verify the access token that the SPA will send to it on behalf of the user. This way the SPA will not know, and neither should it care, how access tokens are generated. This will make sure no one can exploit the mechanism to generate access tokens freely.

Secure channels (TLS) should always be used for all interactions with the OAuth service and any subsequent interactions with the third-party service, so that no one can eavesdrop and obtain tokens. Make sure the access token has a short TTL to minimize the possibility of replay attacks. Have a look at the OAuth Threat Model since you are writing your own OAuth server.

Of course this means you have to be able to configure your user permissions per resource.
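A resource-server-side check of the kind Solution 1 describes, added here as an illustration and not taken from the answer or any real project. The HS256 shared secret, issuer URL and audience name are constructed stand-ins; a production download service would verify the authorization server's RS256 signature via its JWKS, but the claim checks (issuer, audience, expiry, scope) are the same. The audience check is what stops a token minted for the SPA's own API from unlocking the third-party downloads.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-shared-secret"        # constructed stand-in, not a real key
ISSUER = "https://auth.example.test"         # hypothetical authorization server
AUDIENCE = "downloads-service"               # hypothetical third-party API identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, aud: str, scope: str, ttl: int = 300, now=None) -> str:
    """Stand-in for the authorization server issuing a short-lived access token."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "scope": scope,
              "iat": now, "exp": now + ttl}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_token(token: str, required_scope: str, now=None) -> Optional[dict]:
    """Resource-server check: signature, issuer, audience, expiry, scope.
    Returns the verified claims, or None if the token must be rejected."""
    now = int(time.time()) if now is None else now
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # the token never gets to choose the algorithm ("none" etc.)
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature mismatch: forged or tampered token
        claims = json.loads(_b64url_decode(body))
    except ValueError:   # malformed base64, JSON or segment count
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None      # token issued by someone else, or for a different service
    if claims.get("exp", 0) <= now:
        return None      # expired: short TTLs limit the replay window
    if required_scope not in claims.get("scope", "").split():
        return None      # user did not delegate this permission
    return claims
```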

Solution 2

First and foremost the OAuth protocol is used for delegated authorization. To support authentication you need to do a bit more on top of OAuth2.

Having said that, the problem you have described is an SSO (Single Sign On) problem. There are different protocols to achieve this. The most popular one right now is OpenID Connect. Have a look at the docs of the third-party service you are accessing to see if they support SSO using OpenID Connect.

Almost all the major service providers support this nowadays. This is exactly what you go through when you click on Sign In with Google button on a site. As you can see from their example of server side app flow, this is leveraging OAuth2 itself.

So if I understand your dilemma, what you need to do is this:

  1. Go through the OAuth flow of your internal OAuth server to authorize your SPA to your service, which is the base service provider in this case.
  2. In case of a fresh login, offer the user the option to integrate with the third-party service using a button, just like Google Sign In. This may already be supported by the service provider.
  3. When the user logs in and gives permissions for the integration, save the information returned by the third-party service, associated with the credentials of your user. When you do this you won’t have to show the integration option from step 2 to the user again until he revokes the permission or signs out from your SPA.
    1. Provide an option for the user to revoke the permissions he provided for the third-party services. This may or may not trigger a sign-out from your SPA. The decision is based upon how tightly coupled these services are.
    2. If the user signs out you can keep the info you retrieved for the next session.

All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.