A Single Page Application (SPA) that implements OpenID Connect using recommended browser security.
The SPA uses a Backend for Frontend (BFF)
approach, in line with best practices for browser based apps.
A modern evolution of Backend for Frontend is used, called the Token Handler Pattern.
The SPA uses an OAuth Agent to perform an API driven OpenID Connect flow:
This provides the best separation of web and API concerns, to maintain all of the benefits of an SPA architecture:
Strongest Browser Security
, with only SameSite=strict cookiesGreat User Experience
due to the separation of Web and API concernsProductive Developer Experience
with only simple security code needed in the SPADeploy Anywhere
, such as to a Content Delivery Network
This repository demonstrates the business focused components companies should need to develop:
- A Single Page App coded in React
- A Web Host to provide static content
- An API that validates JWT access tokens
The token handler components should be developed by Curity or another provider, then plugged in.
The SPA can be quickly run in an end-to-end flow on a development computer by following these guides:
- Standard SPA using an Authorization Code Flow (PKCE) and a Client Secret
- Financial-grade SPA using Mutual TLS, PAR and JARM
See the Curity OAuth for Web Home Page for detailed documentation on this design pattern.
Please visit curity.io for more information about the Curity Identity Server.