In January 2019, Dominick Baier (known for his work on IdentityServer) published an article about "An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth 2.0 and ProxyKit)".
This is a sample implementation of that approach with a Blazor WebAssembly SPA as the front-end.
You can find more details in my blog post "Secure a Blazor WebAssembly application with cookie authentication".
Updated to work with .NET 7 and the new demo server.