The demonstration of modern authentication using BFF pattern and authorization enforcer using OPA
Why BFF for Authentication?
TODO
When to use BFF Auth with Cookies-based
- Used:
- Cookies (Same site) and move the authentication to the trusted backend
- Use a dedicated backend for SPA now and move the security to the trusted backend
- Azure does not support introspection or the revocation endpoint so you cannot invalidate the tokens, or logout an Azure SPA fully. BFF removes this problem
- Not used:
- High load apps or cross domain with high load
- In this case, please use tokens, but it has a risk of tokens to be robbed in the client-side
Get starting
- Start frontend
# Start front-end
> cd frontend/bff-auth-nextjs
> yarn dev
- Start backend
# Start auth-server, BFF server, and sale-api
> tye run
- Go to
https://localhost:8080, and start to play with it
High level architecture
Hosts and Services
| No. | Name | Technical Stacks | URI |
| 1 | Gateway (BFF Auth) | .NET 6 (YARP) | https://localhost:8080 |
| 2 | Duende.IdentityServer | .NET 6 | https://localhost:5001 |
| 3 | Product API | Rust (Axum, Tower, Hyper, Tokio) | http://localhost:5003 |
| 4 | Sale API | Golang (fiber) | http://localhost:5004 |
| 5 | Ship API (TODO) | .NET 6 | http://localhost:5005 |
| 5 | Web | Nextjs | http://localhost:3000 |