Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/thangchung/bff-auth

The demonstration of modern authentication using BFF pattern and authorization enforcer using OPA
https://github.com/thangchung/bff-auth

authentication bff-microservice dotnet golang identityserver4 nextjs opa reverse-proxy rust

Last synced: about 11 hours ago
JSON representation

The demonstration of modern authentication using BFF pattern and authorization enforcer using OPA

Host: GitHub
URL: https://github.com/thangchung/bff-auth
Owner: thangchung
License: mit
Created: 2021-12-06T06:05:08.000Z (almost 3 years ago)
Default Branch: main
Last Pushed: 2021-12-27T15:11:22.000Z (almost 3 years ago)
Last Synced: 2024-02-26T11:38:44.557Z (7 months ago)
Topics: authentication, bff-microservice, dotnet, golang, identityserver4, nextjs, opa, reverse-proxy, rust
Language: C#
Homepage:
Size: 3.72 MB
Stars: 47
Watchers: 3
Forks: 4
Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Why BFF for Authentication?

TODO

# When to use BFF Auth with Cookies-based
- Used:
- Cookies (Same site) and move the authentication to the trusted backend
- Use a dedicated backend for SPA now and move the security to the trusted backend
- Azure does not support introspection or the revocation endpoint so you cannot invalidate the tokens, or logout an Azure SPA fully. BFF removes this problem
- Not used:
- High load apps or cross domain with high load
- In this case, please use tokens, but it has a risk of tokens to be robbed in the client-side

# Get starting

- Start frontend

```bash
# Start front-end
> cd frontend/bff-auth-nextjs
> yarn dev
```

- Start backend

```bash
# Start auth-server, BFF server, and sale-api
> tye run
```

- Go to `https://localhost:8080`, and start to play with it

![](assets/auth_flow.gif)

# High level architecture

![](assets/overview.png)

# Hosts and Services

No.
Name
Technical Stacks
URI

1
Gateway (BFF Auth)
.NET 6 (YARP)
https://localhost:8080

2
Duende.IdentityServer
.NET 6
https://localhost:5001

3
Product API
Rust (Axum, Tower, Hyper, Tokio)
http://localhost:5003

4
Sale API
Golang (fiber)
http://localhost:5004

5
Ship API (TODO)
.NET 6
http://localhost:5005

5
Web
Nextjs
http://localhost:3000

# References
- RFC-8693: https://github.com/RockSolidKnowledge/TokenExchange
- https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps-08
- https://github.com/manfredsteyer/yarp-auth-proxy
- https://developer.okta.com/blog/2021/01/04/offline-jwt-validation-with-go