Can't code substitution happen in Hybrid Flow?

Hope this helps Regarding the code: It looks like the actual problem is one relating to threads, not to files:
Whilst you are executing this code:

    for t in list:
        fileo.write(t + "\n")
    list = []
    fileo.close()
    fileo = open(OutFile, 'a')
    k = 0

This might help you The short answer is: absolutely not
The longer answer depends on level of risk and what risk you're willing to accept, but in general it seems like a bad idea. It assumes that the either the connection between client and server has a low chance of being intercepted or manipulated, or that the information being protected by oauth is of incredibly low value that nobody would ever try. Neither of these seem like safe prospects.

I think the issue was by ths following , Yes, dispatchEvent blocks. However, it is assumed that the event handlers will take a trivial amount of time since ActionScript has few ways of performing non-trivial blocking operations like I/O.

around this issue i think the risk is higher if you use Authorization or hybrid flow for SPA, for Hybrid and authorization code you have to keep a secret code that is shared between identity provider and clients which is very risky in case of SPA. because it is a refresh token that can be used to get new tokens if stolen
you know refresh token live longer that access_token, so it's better to provide an access token (implicit flow) with 1 hour for expiration rather than giving a refresh token that lives longer and can be used get new token