Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rethinking Auth for SPAs and Micro Frontends: ...
Search
Manfred Steyer
PRO
May 18, 2022
Programming
760
0
Share
Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways
Manfred Steyer
PRO
May 18, 2022
More Decks by Manfred Steyer
See All by Manfred Steyer
Agentic UI beyond Chats Architecture Patterns & Open Standards @ngMunich 05/2026
manfredsteyer
PRO
0
87
Agentic AI in the Frontend: Architectures with Open Standards @iJS London 2026
manfredsteyer
PRO
0
75
Agentic AI & UI: Arcitecture, HITL, Emerging Standards
manfredsteyer
PRO
0
100
Agentic UI Requires Standards: AG-UI, A2UI, and MCP Apps Work Together @Angular London
manfredsteyer
PRO
1
64
Signal Forms: Beyond the Basics @ngBelgrade 2026
manfredsteyer
PRO
0
180
Agentic UI in the Frontend: Architectures with Open Standards @JAX 2026 in Mainz
manfredsteyer
PRO
0
110
Rethinking Angular: The Future with Signal Store and the New Resource API @JAX 2024 in Mainz
manfredsteyer
PRO
0
76
Agentic UI with Angular @ngAir April 2025
manfredsteyer
PRO
0
190
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
manfredsteyer
PRO
0
360
Other Decks in Programming
See All in Programming
属人化しないコード品質の作り方_2026.04.07.pdf
muraaano
1
360
関係性から理解する"同一性"の型用語たち
pvcresin
1
130
空間オーディオの活用
objectiveaudio
0
150
実践ハーネスエンジニアリング:ステアリングループを実例から読み解く / Practical Harness Engineering: Understanding Steering Loops Through Real-World Examples
nrslib
5
5.5k
Import assertionsが消えた日~ECMAScriptの仕様はどう決まり、なぜ覆るのか~
bicstone
2
180
運転動画を検索可能にする〜Cosmos-Embed1とDatabricks Vector Searchで〜/cosmos-embed1-databricks-vector-search
studio_graph
3
940
ソフトウェア設計の結合バランス #phperkaigi
kajitack
0
510
TypeScriptだけでAIエージェントを作る フロント・エージェント・インフラのフルスタック実践
har1101
1
240
HTML-Aware ERB: The Path to Reactive Rendering @ RubyKaigi 2026, Hakodate, Japan
marcoroth
0
720
Hive Metastoreを通して学ぶIceberg REST Catalog ― 仕様から実装まで
okumin
0
130
Back to the roots of date
jinroq
0
860
要はバランスからの卒業 #yumemi_grow
kajitack
0
170
Featured
See All Featured
The untapped power of vector embeddings
frankvandijk
2
1.7k
Build The Right Thing And Hit Your Dates
maggiecrowley
39
3.1k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.9k
Abbi's Birthday
coloredviolet
2
7.6k
The Limits of Empathy - UXLibs8
cassininazir
1
330
We Have a Design System, Now What?
morganepeng
55
8.1k
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
[RailsConf 2023] Rails as a piece of cake
palkan
59
6.6k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
Side Projects
sachag
455
43k
We Are The Robots
honzajavorek
0
230
The SEO Collaboration Effect
kristinabergwall1
1
450
Transcript
@ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io
@ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server
@ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token 3. Access-Token
@ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Manfred Steyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Several suggestions for using OAuth 2 in a more
secure way
@ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit
Flow
@ManfredSteyer Remaining Problem: XSS -> Stealing Tokens
@ManfredSteyer
@ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users
don't want to login over and over again
@ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code
for Access-Token und Id-Token and Refresh-Token
@ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code
for Access-Token und Id-Token and new Refresh-Token
@ManfredSteyer * in specific situations …
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie
Static Files (SPA) + XSRF Token SameSite +
@ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only
Cookie Static Files (SPA) Resource-Server 2 ⁉️
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer // 1. Register Services var builder = WebApplication.CreateBuilder(args); builder.Services.AddReverseProxy()
.LoadFromConfig(builder.Configuration.GetSection("ReverseProxy")); […] builder.Services .AddAntiforgery([…]) .AddSession([…]) .AddAuthentication([…]) .AddCookie([…]) .AddOpenIdConnect([…]); YARP 101
@ManfredSteyer // 2. Add Middleware app.UseSession(); app.UseAuthentication(); app.UseAuthorization(); app.UseCookiePolicy(); app.UseXsrfCookie();
app.UseGatewayEndpoints(); app.MapReverseProxy([…]); // 3. Start Sever app.Run("http://+:8080"); YARP 101
@ManfredSteyer
@ManfredSteyer DEMO
@ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:
https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/
@ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic
Implementation Token Refresh & Exchange Easier + More Secure
@ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops
manfredsteyer
muraaano
pvcresin
objectiveaudio
nrslib
bicstone
.jpg){kind=avatar}
studio_graph
kajitack
har1101
marcoroth
okumin
jinroq
frankvandijk
maggiecrowley
addyosmani
coloredviolet
cassininazir
morganepeng
hatefulcrawdad
palkan
chriscoyier
sachag
honzajavorek
kristinabergwall1
