Suppose a hacker using a single page webapp https://example.com?secure=maybe has authenticated and obtained an OpenID Connect token that is used t
You can, and perhaps should, use the Authorization Code Grant with SPA apps, along with Proof Key for Code Exchange by OAuth Public Clients (since there is no client secret).