walter_dl

Reputation: 309

Which OAuth strategy to use to authenticate owned SPA and which for 3rd parties?

The case: the System-K has many microservices. One of them is the OAuth microservice, which provides access tokens for 3rd parties that will consume some data managed by other microservices of the System-K. The System-K also has a frontend that is a SPA web application. This SPA also consumes the same data that 3rd parties do, but with the difference that this SPA will be able to query privileged data, since it is the System-K's own front-end.

The question: Which OAuth strategy should I use for the SPA? Or should I use another approach to handle authentication requests made by the SPA and leave the OAuth server just for 3rd parties?

Under the hood: The web application is built with Angular 7+. It sends requests to an APIGateway, which is a microservice that is part of the System-K; the APIGateway then routes such requests to the target microservice. 3rd-party OAuth requests are also sent to the APIGateway, which routes them to the OAuth microservice. All microservices are built in Node and written in TypeScript.

Update 1: I do not want users who authenticate in the SPA to see a screen saying "Do you allow the System-K to access your System-K profile?", since the SPA is the System-K client itself.

Upvotes: 0

Views: 134

Answers (1)

John Hanley

Reputation: 81356

Question: Which OAuth strategy should I use for the SPA? Or should I use another approach to handle authentication requests made by the SPA and leave the OAuth server just for 3rd parties?

Unless your SPA has a backend server (which means that your SPA is not really an SPA) you are limited to using implicit OAuth. Implicit OAuth runs in JavaScript in the browser.

For implicit OAuth I strongly recommend using a third party Identity Provider (Google, Auth0, Okta). Getting the security correct in your own code is very difficult.

If you can add a backend service to provide three-legged OAuth, your security will improve and you will have many more options. Again I recommend a third party Identity Provider.

Upvotes: 2
