How would you design a secure authentication flow for a single-page application and backend microservices?