OAuth 2.0 best practices for SPA: token storage, PKCE, ID token validation
#1
I'm implementing user authentication for a new web application using OAuth 2.0 with a third-party identity provider, and I want to ensure the implementation is secure from the start. I'm specifically trying to understand the best practices around storing and refreshing access tokens on the client side, whether to use the authorization code flow with PKCE for a single-page application, and how to properly validate ID tokens to prevent common attacks. Are there any critical security considerations or common implementation mistakes I should be aware of, especially regarding token lifetime and scope management?
Reply
#2
Best practice for a new web app: use the Authorization Code Flow with PKCE. Do not rely on the implicit flow for SPAs. Keep tokens out of localStorage; store them in memory and, if you need persistence, handle sessions server-side with HttpOnly cookies and a back-end token proxy. Aim for short-lived access tokens (roughly 5–15 minutes) and rotate refresh tokens only via a trusted backend (or avoid offline access unless you truly need it). Always validate the PKCE code_verifier and the state parameter, and rely on the provider's discovery document to configure endpoints.
Reply