Using SPAs as the UI in front of an API has become standard practice, with OAuth 2.0 / OIDC being the common authz mechanism for this. This approach generally entails the SPA receiving its access via the authorization code flow or the implicit flow by first redirecting the user to an authorization server where they can log in and consent to the SPA’s access.
I am having trouble determining if this approach can be used for the authorization server itself: in other words, use an SPA to generate the UI for a login form and have the user log in securely.
Naively, one could assume the resource owner password flow matches this criteria since it accepts a username and password. But it requires the client to be able to use a secret. An SPA can’t do this.
Of course, I could design my own API to accept a username and password and respond with enough information for the SPA to work. But I am wondering if this portion is specified in any of the OAuth 2.0 or OIDC RFCs/specs, or if there is an alternative, highly-specified API for logging in users securely via an SPA that should be considered before rolling one’s own.