Code with Kristian • I make videos and write about software development and programming tools
Advanced Single Page App Authentication
At the end of 2018, the OAuth working group released a new Best Current Practice (BCP) document recommending that developers no longer implement the Implicit Grant Authorization Flow and instead implement the Auth Code with PKCE Authorization Flow. Unfortunately, the majority of Single Page Applications today implement the Implicit Flow. In this talk we’ll discuss the impact of the BCP, compare Implicit with Auth Code with PKCE, demo both approaches in a modern SPA, and share what you need to know when deciding whether to follow the BCP or continue with the Implicit Grant for your authentication and authorization purposes.