Hello,
I'm trying to get my head around the current recommendation for using
OpenID Connect with an SPA that cannot directly communicate with a
stateful backend for holding a session.
First I thought the Implicit Flow would be the way to go, then I noticed
that it isn't recommended anymore because of the broad support of CORS
nowadays; instead one shall use the Authorization Code Flow.
I think what confuses most people is that the Authorization Code Flow
can be implemented in two ways: with or without a backend service doing
the token exchange for the frontend.
I understood the following: Using a backend service for doing the
exchange of the auth code for the token with the IdP is considered more
secure, because one cannot trust the browser to store the tokens
securely. The drawback is that you will have to create your own session
state between your backend and your frontend SPA (e.g. using a cookie).
I am in a scenario where I do not have "the one backend", but a bunch of
microservices running on Kubernetes, so they could die and respawn at
any given time. Do I need an API gateway for dealing with the
Authorization Code Flow? Which ones would be recommended
(standards-compliant)?
Or is the alternative of handling the complete Authorization Code Flow +
PKCE in the Browser considered a safe scenario?
I have been doing a lot of research but am having trouble clarifying this.
Thanks for your help!
Regards,
David
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth