How would you design a secure authentication flow for a single-page application communicating with a microservices backend?