I absolutely loved this presentation! It made so many things so much clearer. My friend and I are working on a SPA + REST API project, and we thought it was a good idea to add login with Google to it. I was aware of the OAuth2.0 and OpenID Connect specifications, and thought it was going to be easy, until I found myself in a situation I didn't even know had an official term to it - Backend For Frontend. Every tutorial on the internet shows how to add Google login to either a traditional application, where the backend returns plain HTML to the browser, or purely on a SPA frontend, like the theme of this talk. So I came here thinking the presentation would talk about my problem, whereas in reality, it talks about a purely frontend based application. Just to find out at the end, that what I'm trying to implement is indeed a backend for frontend.
Thanks a lot for such a great explanation. It was extremly helpful for me! You described all my questions about authorization in SPA with microservices
Great explanation, Thanks! I don't understand why using BFF is safer. An attacker could still steal the browser's cookies and compromise the system. That is, it indirectly continues to use the tokens.
@@officialJoldag That's true. But the malicious code could execute any request and it would work, because the session cookie is sent to the backend automatically, right?
Goeimorgen Philippe, Do you still suggest using a BFF (Backend For Frontend) or Token Handler when the Authorization Code Flow with PKCE is employed for SPAs (Single Page Applications)?
I don't agree with the conclusion of this talk. The whole point of BFF and http-only auth cookies is to prevent an attacker that has gained acces to execute js code through an xss attack, to steal the auth-token from your storage and thereby execute requests on your behalf. If an attacker has managed to sucessfully gain access, he can execute api calls directly from the clients browser with or without bff.
Thanks for the great explanation. I just want to ask you one thing that how an Identity provider makes a POST request to frontend application in Step no 9 (authorization response), especially in SPA application? And if it is making post request to my server then how I will return to user browser? Please help me, I am trying to implement apple id SSO with openId connect.
I absolutely loved this presentation! It made so many things so much clearer.
My friend and I are working on a SPA + REST API project, and we thought it was a good idea to add login with Google to it. I was aware of the OAuth2.0 and OpenID Connect specifications, and thought it was going to be easy, until I found myself in a situation I didn't even know had an official term to it - Backend For Frontend.
Every tutorial on the internet shows how to add Google login to either a traditional application, where the backend returns plain HTML to the browser, or purely on a SPA frontend, like the theme of this talk.
So I came here thinking the presentation would talk about my problem, whereas in reality, it talks about a purely frontend based application. Just to find out at the end, that what I'm trying to implement is indeed a backend for frontend.
Thanks for such a lean explanation, I loved every moment of it, and I hope that you know that you made things a lot clearer for me
What a great session!!
Thanks a lot Philippe!
Thanks a lot for such a great explanation. It was extremly helpful for me! You described all my questions about authorization in SPA with microservices
Super clean and to the point. Thanks!
wow ! such an amazing and simplified explanation .
Any tips on videos on how to implement the BFF pattern? Preferably using Spring Boot.
How would the bff handle multiple calls for tolken refresh?
Senario is, frontend sends 3-4 requests to get data.
Thank you, it's very detailed.
Great explanation, Thanks! I don't understand why using BFF is safer. An attacker could still steal the browser's cookies and compromise the system. That is, it indirectly continues to use the tokens.
I think, it's because you are able to set the cookie with httponly, so it is not accessible via scripts.
@@officialJoldag That's true. But the malicious code could execute any request and it would work, because the session cookie is sent to the backend automatically, right?
Nice and great explanation ❤
Fantastic explanation. Massive thanks!
Goeimorgen Philippe, Do you still suggest using a BFF (Backend For Frontend) or Token Handler when the Authorization Code Flow with PKCE is employed for SPAs (Single Page Applications)?
Thanks a lot, great explanation
I don't agree with the conclusion of this talk. The whole point of BFF and http-only auth cookies is to prevent an attacker that has gained acces to execute js code through an xss attack, to steal the auth-token from your storage and thereby execute requests on your behalf. If an attacker has managed to sucessfully gain access, he can execute api calls directly from the clients browser with or without bff.
Great Explanation!!
❤
amazing !
Thanks for the great explanation. I just want to ask you one thing that how an Identity provider makes a POST request to frontend application in Step no 9 (authorization response), especially in SPA application? And if it is making post request to my server then how I will return to user browser? Please help me, I am trying to implement apple id SSO with openId connect.