A Single Page Application (SPA) that implements OpenID Connect using recommended browser security.
The SPA uses a Backend for Frontend (BFF) approach, in line with best practices for browser based apps.

A modern evolution of Backend for Frontend is used, called the Token Handler Pattern.
The SPA uses an OAuth Agent to perform an API driven OpenID Connect flow:

This provides the best separation of web and API concerns, to maintain all of the benefits of an SPA architecture:

• Strongest Browser Security, with only SameSite=strict cookies
• Great User Experience due to the separation of Web and API concerns
• Productive Developer Experience with only simple security code needed in the SPA
• Deploy Anywhere, such as to a Content Delivery Network

This repository demonstrates the business focused components companies should need to develop:

• A Single Page App coded in React
• A Web Host to provide static content
• An API that validates JWT access tokens

The token handler components should be developed by Curity or another provider, then plugged in.

The SPA can be quickly run in an end-to-end flow on a development computer by following these guides:

• Standard SPA using an Authorization Code Flow (PKCE) and a Client Secret
• Financial-grade SPA using Mutual TLS, PAR and JARM

See the Curity OAuth for Web Home Page for detailed documentation on this design pattern.

Please visit curity.io for more information about the Curity Identity Server.