SPA using the Token Handler Pattern
A Single Page Application (SPA) that implements OpenID Connect using recommended browser security.
The SPA uses a Backend for Frontend (BFF) approach, in line with best practices for browser based apps.
A modern evolution of Backend for Frontend is used, called the Token Handler Pattern.
The SPA uses an OAuth Agent to perform an API driven OpenID Connect flow:
Architecture Benefits
This provides the best separation of web and API concerns, to maintain all of the benefits of an SPA architecture:
Strongest Browser Security, with only SameSite=strict cookiesGreat User Experiencedue to the separation of Web and API concernsProductive Developer Experiencewith only simple security code needed in the SPADeploy Anywhere, such as to a Content Delivery Network
Simple Code in Apps
This repository demonstrates the business focused components companies should need to develop:
- A Single Page App coded in React
- A Web Host to provide static content
- An API that validates JWT access tokens
The token handler components should be developed by Curity or another provider, then plugged in.
Run the End-to-end Flow
The SPA can be quickly run in an end-to-end flow on a development computer by following these guides:
- Standard SPA using an Authorization Code Flow (PKCE) and a Client Secret
- Financial-grade SPA using Mutual TLS, PAR and JARM
Website Documentation
See the Curity OAuth for Web Home Page for detailed documentation on this design pattern.
More Information
Please visit curity.io for more information about the Curity Identity Server.