I hope this helps you. You are correct: the fact that the token is signed by the issuer and contains an aud claim that the Client must check will prevent swapping with tokens that are for a different Client.
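The two checks named in that answer (issuer signature, then aud) are shown below in an added example that is not part of the original post. It uses HS256 with a shared secret purely so it runs stand-alone; a real OIDC ID token would normally be RS256/ES256 verified against the issuer's published JWKS, and the issuer URL, client IDs and secret here are constructed placeholders. The demo mints a token for client-a and one for client-b, then shows that client-a's validator rejects the swapped token on aud, and rejects a token whose aud was rewritten to client-a on signature.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; in practice the key is the issuer's and never held by a public client.
ISSUER = "https://issuer.example"
KEY = b"constructed-shared-secret-for-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Issuer side: sign header.payload with HMAC-SHA256 (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Client side: verify signature first, then iss, aud and exp. Raises ValueError on any failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if expected_aud not in audiences:
        raise ValueError("token not intended for this client")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def demo(now: float = 1_700_000_000.0) -> tuple:
    """Returns (subject accepted from own token, swapped-token error, aud-rewritten-token error)."""
    own = mint_token({"iss": ISSUER, "aud": "client-a", "sub": "alice", "exp": now + 3600}, KEY)
    other = mint_token({"iss": ISSUER, "aud": "client-b", "sub": "alice", "exp": now + 3600}, KEY)

    accepted = validate_token(own, KEY, ISSUER, "client-a", now=now)["sub"]

    # A valid token for a different client fails the aud check.
    try:
        validate_token(other, KEY, ISSUER, "client-a", now=now)
        swapped = "accepted"
    except ValueError as e:
        swapped = str(e)

    # Rewriting aud in client-b's token to "client-a" breaks the issuer's signature.
    h, _p, s = other.split(".")
    rewritten = _b64url(json.dumps({"iss": ISSUER, "aud": "client-a", "sub": "alice", "exp": now + 3600}).encode())
    try:
        validate_token(f"{h}.{rewritten}.{s}", KEY, ISSUER, "client-a", now=now)
        forged = "accepted"
    except ValueError as e:
        forged = str(e)

    return accepted, swapped, forged


if __name__ == "__main__":
    print(demo())
```

The order matters: the signature is checked before any claim is read, so the aud comparison only ever runs on bytes the issuer actually signed.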
This might help you. The short answer is: absolutely not. The longer answer depends on the level of risk and what risk you're willing to accept, but in general it seems like a bad idea. It assumes either that the connection between client and server has a low chance of being intercepted or manipulated, or that the information being protected by OAuth is of such incredibly low value that nobody would ever try. Neither of these seems like a safe prospect.
What happens to code flow when an AS3 listener is called?
I think the issue was the following: Yes, dispatchEvent blocks. However, it is assumed that the event handlers will take a trivial amount of time, since ActionScript has few ways of performing non-trivial blocking operations like I/O.
SPA Implicit Flow vs Authorization Flow vs Hybrid Flow
Around this issue, I think the risk is higher if you use the Authorization Code or Hybrid flow for an SPA. For Hybrid and Authorization Code you have to keep a secret code that is shared between the identity provider and clients, which is very risky in the case of an SPA, because it is a refresh token that can be used to get new tokens if stolen. You know refresh tokens live longer than access_tokens, so it's better to provide an access token (implicit flow) with a 1 hour expiration rather than giving a refresh token that lives longer and can be used to get new tokens.
OpenID Connect and native public app... no implicit flow, no hybrid flow... so what?