I absolutely loved this presentation! It made so many things so much clearer. My friend and I are working on a SPA + REST API project, and we thought it was a good idea to add login with Google to it. I was aware of the OAuth2.0 and OpenID Connect specifications, and thought it was going to be easy, until I found myself in a situation I didn't even know had an official term to it - Backend For Frontend. Every tutorial on the internet shows how to add Google login to either a traditional application, where the backend returns plain HTML to the browser, or purely on a SPA frontend, like the theme of this talk. So I came here thinking the presentation would talk about my problem, whereas in reality, it talks about a purely frontend based application. Just to find out at the end, that what I'm trying to implement is indeed a backend for frontend.

Thanks for such a lean explanation, I loved every moment of it, and I hope that you know that you made things a lot clearer for me

What a great session!! Thanks a lot Philippe!

Thanks a lot for such a great explanation. It was extremly helpful for me! You described all my questions about authorization in SPA with microservices

Super clean and to the point. Thanks!

wow ! such an amazing and simplified explanation .

Fantastic explanation. Massive thanks!

Excellent and elegant explaination

Thanks a lot, great explanation

Nice and great explanation ❤

amazing !

Great Explanation!!

Thanks for sharing! However do you have a tutorial which implements Backend For Frontend (BFF) framework with Authorization code with PKCE in addition to this tutorial? It is unsafe to store access token on browser.

❤

Any tips on videos on how to implement the BFF pattern? Preferably using Spring Boot.

How would the bff handle multiple calls for tolken refresh? Senario is, frontend sends 3-4 requests to get data.

Thanks for the great explanation. I just want to ask you one thing that how an Identity provider makes a POST request to frontend application in Step no 9 (authorization response), especially in SPA application? And if it is making post request to my server then how I will return to user browser? Please help me, I am trying to implement apple id SSO with openId connect.

Goeimorgen Philippe, Do you still suggest using a BFF (Backend For Frontend) or Token Handler when the Authorization Code Flow with PKCE is employed for SPAs (Single Page Applications)?

Great explanation, Thanks! I don't understand why using BFF is safer. An attacker could still steal the browser's cookies and compromise the system. That is, it indirectly continues to use the tokens.

I don't agree with the conclusion of this talk. The whole point of BFF and http-only auth cookies is to prevent an attacker that has gained acces to execute js code through an xss attack, to steal the auth-token from your storage and thereby execute requests on your behalf. If an attacker has managed to sucessfully gain access, he can execute api calls directly from the clients browser with or without bff.