bff auth

A demonstration of modern authentication using the BFF (Backend for Frontend) pattern, with authorization enforced by OPA


Why BFF for Authentication?

TODO

When to use cookie-based BFF Auth

  • Use it when:
    • You can rely on same-site cookies in the browser and move authentication to the trusted backend
    • You already run a dedicated backend for the SPA, so security can move to that trusted backend
    • Azure does not support token introspection or the revocation endpoint, so you cannot invalidate tokens or fully log out an Azure SPA. A BFF removes this problem
  • Don't use it when:
    • The app is high-load, or cross-domain with high load
    • In that case use tokens instead, accepting the risk that tokens can be stolen on the client side
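The gateway side of this pattern, as an added example in .NET 6 minimal-API style (not the repository's own code): the browser only ever holds an HttpOnly, SameSite=Strict session cookie, the tokens stay server-side, and YARP swaps the cookie for a Bearer token before forwarding to the APIs. The client id, client secret, "sale-api" scope and the `ReverseProxy` configuration section are assumed; the authority is the Duende.IdentityServer host from the table below.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using System.Net.Http.Headers;
using Yarp.ReverseProxy.Transforms;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(o =>
{
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(o =>
{
    // Session cookie the browser cannot read from script and will not send cross-site
    o.Cookie.Name = "__Host-bff";
    o.Cookie.HttpOnly = true;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    o.Cookie.SameSite = SameSiteMode.Strict;
})
.AddOpenIdConnect(o =>
{
    o.Authority = "https://localhost:5001"; // Duende.IdentityServer from the table below
    o.ClientId = "bff";                     // assumed client registration at the auth server
    o.ClientSecret = "bff-secret";          // assumed; read from configuration in practice
    o.ResponseType = OpenIdConnectResponseType.Code; // code flow (PKCE is on by default)
    o.SaveTokens = true;                    // tokens live in the server-side session only
    o.Scope.Add("sale-api");                // assumed API scope name
});
builder.Services.AddAuthorization();

// YARP: swap the cookie for the session's access token before forwarding to the APIs
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .AddTransforms(t => t.AddRequestTransform(async ctx =>
    {
        var token = await ctx.HttpContext.GetTokenAsync("access_token");
        if (!string.IsNullOrEmpty(token))
            ctx.ProxyRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    }));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/bff/login", () => Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }));
app.MapGet("/bff/logout", () => Results.SignOut(new AuthenticationProperties { RedirectUri = "/" },
    new[] { CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme }));
app.MapReverseProxy().RequireAuthorization(); // no session => challenge; the browser never sees a token
app.Run();
```

Because logout clears the server-side session, access to the downstream APIs ends immediately even when the identity provider offers no revocation endpoint, which is the Azure case described above.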

Getting started

  • Start the front-end:

        # Start front-end
        > cd frontend/bff-auth-nextjs
        > yarn dev

  • Start the backend:

        # Start auth-server, BFF server, and sale-api
        > tye run

  • Go to https://localhost:8080 and start playing with it

High level architecture

Hosts and Services

No.  Name                    Technical Stacks                        URI
1    Gateway (BFF Auth)      .NET 6 (YARP)                           https://localhost:8080
2    Duende.IdentityServer   .NET 6                                  https://localhost:5001
3    Product API             Rust (Axum, Tower, Hyper, Tokio)        http://localhost:5003
4    Sale API                Golang (fiber)                          http://localhost:5004
5    Ship API (TODO)         .NET 6                                  http://localhost:5005
5    Web                     Nextjs                                  http://localhost:3000

References