We have:

SPA Client: vue-app.com

Mobile App: iOS / Android

Server A: crm.company.com

Server B: orders.company.com

SSO / Identity Provider: auth.company.com

SSO is the central authentication authority.

SSO responsibilities:

User authentication (login) Authorization code issuance JWT token issuance Signing tokens with private key

Applications responsibilities:

Exchange authorization code (if applicable) Verify JWT using public key (JWKS) Manage local session (optional)

SSO (Identity Provider):

 PRIVATE KEY → signs JWT (RS256) 

Applications (Server A / B):

 PUBLIC KEY (JWKS) → verify JWT signature 

There are 3 types of clients:

Example:

Laravel / Spring / Django backend

Flow:

Backend exchanges code Backend stores session cookie

Example:

Vue.js / React.js

Flow:

Browser exchanges code Uses PKCE Stores JWT

Example:

iOS / Android apps

Flow:

App uses system browser login Uses PKCE Stores JWT in secure storage

Used by SPA + Mobile.

Client generates:

 code_verifier = random_secret 

Then derives:

 code_challenge = BASE64URL(SHA256(code_verifier)) 

 GET https://auth.company.com/authorize 

Parameters:

response_type=code client_id redirect_uri code_challenge code_challenge_method=S256 state

User authenticates:

username/password MFA optional

SSO creates session:

 SSO_SESSION=123 

SSO sets cookie (browser only):

 Set-Cookie: SSO_SESSION=123; Domain=auth.company.com 

 302 → redirect_uri?code=abc&state=xyz 

✔ code is short-lived ✔ code is one-time use

 POST https://auth.company.com/token 

Request:

 code=abc code_verifier=random_secret client_id=xxx 

 Server A → POST /token 

SSO performs:

 SHA256(code_verifier) 

Compare:

 SHA256(code_verifier) == code_challenge 

✔ match → valid ❌ mismatch → reject

SSO returns:

 access_token (JWT) id_token (JWT) refresh_token 

 PRIVATE KEY → signs JWT (RS256) 

✔ only SSO has private key ✔ tokens cannot be forged

Servers (A / B) do:

 GET https://auth.company.com/.well-known/jwks.json 

 PUBLIC KEY → validate JWT signature 

exp (expiration) iss (issuer) aud (audience) sub (user id)

✔ valid → allow request ❌ invalid → reject

User opens SPA:

 vue-app.com 

Generate PKCE → redirect to SSO

Receive code → exchange via browser JS

Store access_token

Call APIs:

 Authorization: Bearer JWT 

App opens system browser:

 auth.company.com 

Login → SSO session created

Redirect via deep link:

 myapp://callback?code=abc 

App exchanges code using PKCE

Store token in:

iOS Keychain Android Keystore

Browser → Server A

Server A redirects to SSO

Server A exchanges code

Server A creates session:

 SESSION_A=aaa 

SSO:

issues authorization code signs JWT with PRIVATE KEY

Clients:

SPA/Mobile generate PKCE Server-side exchanges code

Servers:

verify JWT using PUBLIC KEY (JWKS) remain stateless

PKCE protects authorization code interception JWT ensures stateless authentication JWKS enables distributed verification SSO is single source of identity

OAuth2/OIDC with PKCE is a secure authentication mechanism used across SPA, mobile, and server-side applications. Public clients (SPA and mobile) use PKCE to securely exchange authorization codes for JWT tokens, while confidential clients (server-side apps) perform the exchange on the backend. The identity provider (SSO) signs JWT tokens using a private key, and all services verify them using public keys obtained from JWKS. This enables stateless, scalable authentication across distributed systems.