Securing SPAs and Blazor Applications using the BFF (Backend for Frontend) Pattern - Dominick Baier

Modern web development means that more and more application code runs in the browser. Traditionally this has been JavaScript, but more recently there has been a trend toward C#/WASM with Blazor.

These modern applications typically also need authentication and single sign-on, as well as token-based security for calling APIs – in other words, OpenID Connect and OAuth 2. There are different patterns for securing such applications, and this session covers some of the pitfalls of the various approaches, especially given the ever-changing browser landscape. We will conclude with the “backend for frontend” (or BFF) pattern, which has become the most secure and stable of these approaches.

Check out our new channel:
NDC Clips:

Comments

Great talk! I understand things with respect to a SPA. But not sure how things work with OpenID Connect and a mobile app.

BrendanAlexander

Can you please share the source code that you used in the demo?

fieryscorpion

So, we're back to cookies again, so we need to store them to identify the user on the BFF layer, is it not?

povdata

Sounds very complicated but really interesting. What I’ve got from this video is that we should use our backend API to work with all of this authentication and authorisation stuff and that we should not use our frontend for these purposes.

torrvic

In the OIDC authorization code flow with PKCE, which would be taken care of here through the BFF, the user will be redirected to a sign-in page on the IdP. How can the SPA redirect the user to the IdP without getting the redirect URL from the BFF? Wouldn't the SPA have to get the redirect URL from the BFF, including any clientId and codeChallenge?

tombalabomba

How do we secure mobile apps? Can this pattern work with mobile as well?

fieryscorpion

Could this be used on SSR applications?

nathangrosvenor

If an attacker has access to your client application, he can make API calls regardless of using auth with session tokens or HTTP-only cookies. BFF just seems to add unnecessary complexity.

tombalabomba

So all in all this is just advertising for the Duende server product?

vixntjf

The world does come full circle. This so-called "BFF" is exactly the same old traditional way applications handled OAuth login before so many misinformed, incompetent developers blindly did things just because they could. Now these people reinvent the wheel with a new fancy name for a decade-old technique like they invented it. Yay!

chauchau

Going back to 20 years ago is a waste of time …

Alperic