Secure SPA - OAuth Confidential Client (BFF pattern)

Question

i want to reach a confidential client for my backend-system.

The SPA is an angular app. The backend a spring-boot application with different rest-endpoints which stores the objects in a postgres-db.

Actual my SPA got a login page which are connected to the oauth-server. My SPA is currently a public client (client-credentials are stored there). I want to reach a confidential client.

I attached a picture above. The SPA triggers the login. The backend now takes over the authentication, so that the backend is now the client. The backend receives the access token and stores it in a session db. The backend then issues an httponly cookie to the SPA so that the session is secured accordingly.

Is my architecture possible? Are there any examples somewhere? I have no experience in session management and want to programming as less as possible to avoid mistakes and vulnerabilities.

Thanks for help!

Answer 1

yes, you can setup a reverse proxy in the backend that will perform the OAuth 2.0 BFF task, for example see:

https://hanszandbelt.wordpress.com/2017/02/24/openid-connect-for-single-page-applications/ https://github.com/zmartzone/mod_auth_openidc/wiki/Single-Page-Applications https://curity.io/blog/token-handler-the-single-page-applications-new-bff/