Single Page Applications (SPAs) face a unique security challenge: they cannot keep a secret. Because the source code is visible in the browser, storing a client_secret is impossible. For years, de…