Recently I've been working on simple web application for managing students and users. Application will be published on the internet, so it needs proper access control. I wanted to learn some new stuff, so I decided to use Angular5 with Oauth2 authentication. I didn't want to use any options as "Login with Facebook", or "Login with Google". I wanted my Spring Boot app to work as the authentication server and the resource server. I read a little abouth Oauth2 and different flows possible, and it turns out, that preffered flow to use with web application is IMPLICIT flow. Implicit flow uses only one token. It doesn't have a refresh token, as it could be overtaken by an attacker. Access token has defined validity period. In other flows, where refresh token exists it is used to get another access token when the first one expires. In theory in implicit flow user should just log again, but forcing a user to log in during active session is not an option.