 

Is it possible to have SPA authentication without redirecting to an outside login page

I am currently developing an SPA application that connects to a bunch of web APIs. These APIs require that the user is logged in, so I started digging into OpenID Connect and OAuth2 examples, mostly using IdentityServer.

They all require, for SPA reasons, that the implicit grant should be used for retrieving access_tokens. Token refreshes are handled by connecting to the authentication server using a hidden iframe.

What I understand from this approach of renewing your access_token is that the session is maintained at the authentication service. The hidden iframe goes to the authentication server, the session is still active, and a new access_token is provided.

All that looks good to me, except (for UX reasons) the fact that my user needs to be redirected to the authentication server page for providing credentials.

Isn't it possible to have my SPA application send credentials to the authentication server, get the access_token, and then do the refresh using the hidden iframe for silently renewing (we obviously don't want the user to keep entering credentials every 15 minutes or every hour..)?

If this is not acceptable for security reasons, could you please explain why?

Arthur Rizzo asked Aug 22 '17 12:08


1 Answer

Technically it is possible with the "resource owner password flow", but in that model the identity provider cannot trust your application and will not create a session for your user (to use silent renew later on). Thus such a non-interactive approach is not truly SSO.
For 2019 the recommended flow for any web app such as an Angular SPA is the Code flow with the PKCE extension, as described here or there.

d_f answered Sep 27 '22 20:09