Josh Mandel
2016-04-03 02:38:12 UTC
Hi all,
I'm exploring the idea of an OAuth server comprising two separate
components:
* Static *frontend* web app that handles all UI functionality
* Headless *backend* that never returns HTML
These two components would communicate via some well-defined internal
protocol. For example, the frontend would be responsible for hosting the
"/authorize" endpoint, which it might accomplish by steps like:
1. ask the user to sign in, perhaps via an internal Resource Owner
Password Credentials Flow to the backend
2. call a special "/code" endpoint on the backend, which generates an
authorization code for the client that's attempting to authorize
3. return this code to the client via in-browser redirect
And the backend would host the "/token" endpoint, responding directly to an
authorized client. All this could happen without cookies, and without tight
coupling between the two components.
Does something like this exist? Are there obvious security show-stoppers?
Is anyone aware of an effort to standardize what the "well-defined protocol"
between these components would look like?
Thanks for your help!
-Josh
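One way the two-component split described in the post could fit together, as an added illustration (not Josh's code or any existing product): the frontend's "/authorize" handler signs the user in through an internal password-grant call, asks the backend's "/code" endpoint for a code, and redirects; the backend's "/token" endpoint checks the code's binding to client, redirect_uri and expiry and makes it single-use. The shared frontend secret that authenticates the internal "/code" call, the in-memory stores, and the sample users and clients are assumptions constructed for this example.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

class Backend:
    """Headless component: returns only data, never HTML."""
    def __init__(self, frontend_secret, users, clients, code_ttl=60):
        self.frontend_secret = frontend_secret  # assumed shared secret authenticating the frontend
        self.users = users        # {username: password}; toy constructed store
        self.clients = clients    # {client_id: {"secret": ..., "redirect_uris": [...]}}
        self.codes = {}           # code -> {"sub", "client_id", "redirect_uri", "exp"}
        self.code_ttl = code_ttl
    def password_grant(self, username, password):
        # Step 1: internal Resource Owner Password Credentials check used by the frontend.
        return {"sub": username} if self.users.get(username) == password else None
    def code(self, frontend_secret, sub, client_id, redirect_uri):
        # Step 2: only the trusted frontend may mint codes, so authenticate the internal call.
        if not hmac.compare_digest(frontend_secret, self.frontend_secret):
            raise PermissionError("internal /code call not authenticated")
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        code = secrets.token_urlsafe(32)
        # Bind the code to user, client and redirect_uri so /token can check all three.
        self.codes[code] = {"sub": sub, "client_id": client_id,
                            "redirect_uri": redirect_uri, "exp": time.time() + self.code_ttl}
        return code
    def token(self, client_id, client_secret, code, redirect_uri):
        # /token talks directly to the client; the frontend is not involved.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            return {"error": "invalid_client"}
        grant = self.codes.pop(code, None)  # pop makes every code single-use
        if (grant is None or grant["exp"] < time.time() or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": grant["sub"]}

class Frontend:
    """Static UI component hosting /authorize; keeps no cookies or sessions."""
    def __init__(self, backend, frontend_secret):
        self.backend, self.frontend_secret = backend, frontend_secret

    def authorize(self, client_id, redirect_uri, state, username, password):
        user = self.backend.password_grant(username, password)
        if user is None:
            return None  # sign-in failed; no code is minted
        code = self.backend.code(self.frontend_secret, user["sub"], client_id, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code, "state": state})  # step 3: redirect
```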