How can delegate Access Token acquisition to a BFF?

There are several options for securing access to resource APIs from clients (web/mobile...). In recent years it was common to implement OIDC for SPAs in JS/TS, and this is no longer recommended.

The recommendation for SPAs is to avoid storing tokens in the browser or using a service worker, and to use a BFF instead of connecting directly to the Identity Server.

In this approach the BFF works as a proxy for the Identity Server and handles all OAuth requests.

What is the best practice for implementing this pattern with a Spring BFF, or is there another, better approach?

selllami asked Oct 20 '25 04:10


1 Answer

Perhaps you're aware of this doc which explains the options. Assuming you are using an SPA and don't want the website option, there are 2 options, identical from a security viewpoint, and which you use is a matter of preference.

WEB BACKEND

The SPA sends OAuth and API requests to a web backend first, which forwards them and implements the OAuth client. The web backend uses a runtime that issues cookies.

Pros are an easier initial developer setup and fewer components to deploy. Cons are that all developers have to run the backend, and web deployment options are limited to those that can host the runtime.

REVERSE PROXY BACKEND

The SPA sends OAuth and API requests via a reverse proxy such as NGINX. OAuth requests are forwarded to a utility API. The web backend remains static content only.

Pros are that you can get rid of the cookie issuing runtime from a developer PC, and it is easier to do things like deploy web resources to a content delivery network. Cons are that the initial developer setup is harder and that there are more moving parts.

BEHAVIOR

In both cases the SPA uses URLs like this, for static content, oauth client and API routing responsibilities.

  • https://www.example.com
  • https://www.example.com/oauth-client
  • https://www.example.com/api

Within the oauth-client path, the SPA calls endpoints like this. The SPA OAuth code is very light:

  • POST /login/start
  • POST /login/end

IMPLEMENTATIONS

There are quite a few out there, including components you can plug in. Search for a term like BFF OAuth and do some reading. It is a journey though - cookies are complicated little things.

Gary Archer answered Oct 22 '25 19:10
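The two endpoints the answer names (`POST /login/start` and `POST /login/end`), written out as an added Python example that is not code from the post or from any BFF product. The issuer URL, client id and in-memory login store are assumed; the HTTP framework and the backchannel POST to the token endpoint are left out.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed values for the example: the SPA's BFF lives under /oauth-client.
AUTHORIZE_URL = "https://idp.example.com/authorize"          # assumed issuer
CLIENT_ID = "spa-bff"                                          # assumed client id
REDIRECT_URI = "https://www.example.com/oauth-client/callback"

# Login state lives server-side; only an opaque id goes to the browser as a cookie.
LOGIN_SESSIONS: dict[str, dict] = {}


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def cookie_header(name: str, value: str) -> str:
    """Set-Cookie value the BFF issues; JS in the SPA cannot read it (HttpOnly)."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Strict"


def start_login() -> tuple[str, str]:
    """POST /login/start: returns (authorize_url, set_cookie) for the SPA to use."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)   # 86 chars, inside RFC 7636's 43..128
    login_id = secrets.token_urlsafe(32)
    LOGIN_SESSIONS[login_id] = {"state": state, "verifier": verifier}
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid profile", "state": state,
        "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}", cookie_header("login", login_id)


def end_login(login_cookie: str, state: str, code: str) -> dict:
    """POST /login/end: the SPA forwards the callback's state and code; the BFF
    checks them against the login cookie's server-side record and returns the
    token request it POSTs over the backchannel (adding the client secret there).
    The tokens that come back stay in the BFF; the SPA only gets a session cookie."""
    record = LOGIN_SESSIONS.pop(login_cookie, None)   # single use: a replay fails
    if record is None or not secrets.compare_digest(record["state"], state):
        raise PermissionError("unknown login session or state mismatch")
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": record["verifier"]}
```

The `state` check and the single-use login record are what stop a forged or replayed callback from completing a login on the SPA's behalf.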


