OAuth2 authorization code with PKCE: CORS on token endpoints, SPA redirect URIs, and silent refresh pitfalls
The authorization server and resource server may differ—CORS must allow your SPA origin on the token endpoint, not only on APIs.
Tags: oauth2, pkce, cors
Refresh tokens
Public clients such as SPAs should not be issued long-lived refresh tokens; prefer rotation with short TTLs.
Refresh failures often surface as 401 responses that frontend logs misreport as CORS errors, because a token-endpoint error response without CORS headers is opaque to the browser.
Enterprise IdPs
SAML bridges may add extra redirects—measure total latency impact on preflight-sensitive flows.
Conditional access policies can block silent iframe renewals—document user-visible fallbacks.
