(Don’t feel obligated to reply just b/c you replied to my compliment 😉 but) has anyone written about an SPA architecture where you: - Retrieve access token in backend and store in server session - Return access token to SPA, which only stores it in memory 1/2

- SPA makes unproxied requests to resource server - On page refresh, SPA re-requests access token from backend using session cookie Seems like this is as secure as memory-only storage, allows refreshes, avoids extra hops from proxying. Am I missing risks/downsides?