4. Benefits
• Productive development, with a focus on the frontend
• Separation of concerns makes each part simple
• Deploy anywhere, such as to a content delivery network
5. Browser Cookie Changes
SameSite cookies (an update to RFC 6265):
• Considered to give stronger browser protection than tokens held in JavaScript
• Tokens in the browser are more exposed to XSS, and are a common concern for security stakeholders
Problems with the original SPA flow:
• Third-party SSO cookies, which the hidden-iframe token refresh relies on, are now dropped by browsers
• The JavaScript-only alternative requires a refresh token in local storage
6. Backend for Frontend (BFF)
• A backend component that issues cookies on behalf of the SPA
• Described in the IETF draft OAuth 2.0 for Browser-Based Apps
• How to integrate one while retaining SPA benefits?
8. Differences to Alternative Solutions
• Separation of Web Host from Cookie Issuing
• API-driven cookies best support micro-UI architectures
• SPA calls APIs via a high-performance API gateway
• SPA remains in control, for best usability
9. OAuth Agent: API-Driven OpenID Connect
• POST /login/start
• POST /login/end
• POST /refresh
• GET /userinfo
• GET /claims
• POST /logout
12. Example Cookie Sent to APIs
• cookie: at=AVyV7pq8ctwBYYcOqgSsrIHJJJEVTMLsobjATMYMBu70tWYKIx1nQJTNanDXGexpX0Jx80SspeXIUi0e4htdroZkgj1cFL0WCyU
• Cookies are small when opaque access tokens are used
• Small API message credential, like a web session cookie
• Backend is stateless and easy to manage