Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rethinking Auth for SPAs and Micro Frontends: ...
Search
Manfred Steyer
PRO
September 26, 2022
Programming
0
270
Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways
Manfred Steyer
PRO
September 26, 2022
Tweet
Share
More Decks by Manfred Steyer
See All by Manfred Steyer
Migration to Signals, Signal Forms, Resource API, and NgRx Signal Store @Angular Days 03/2026 Munich
manfredsteyer
PRO
0
170
AI Assistants for Your Angular Solutions @Angular Graz, March 2026
manfredsteyer
PRO
0
110
AI Assistants for Your Angular Solutions @ngVienna March 2026
manfredsteyer
PRO
0
59
AI Assistants for Your Angular Solutions
manfredsteyer
PRO
0
160
Nostalgia Meets Technology: Super Mario with TypeScript
manfredsteyer
PRO
0
110
Full Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
manfredsteyer
PRO
0
81
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios @OOP 2026, Munic
manfredsteyer
PRO
0
240
Beyond the Basics: Signal Forms
manfredsteyer
PRO
0
140
360° Signals in Angular: Signal Forms with SignalStore & Resources @ngLondon 01/2026
manfredsteyer
PRO
0
230
Other Decks in Programming
See All in Programming
へんな働き方
yusukebe
6
2.8k
今年もTECHSCOREブログを書き続けます!
hiraoku101
0
180
モダンOBSプラグイン開発
umireon
0
180
Nuxt Server Components
wattanx
0
140
それはエンジニアリングの糧である:AI開発のためにAIのOSSを開発する現場より / It serves as fuel for engineering: insights from the field of developing open-source AI for AI development.
nrslib
1
600
Geminiをパートナーに神社DXシステムを個人開発した話(いなめぐDX 開発振り返り)
fujiba
0
120
どんと来い、データベース信頼性エンジニアリング / Introduction to DBRE
nnaka2992
1
340
Linux Kernelの1文字のミスで 権限昇格ができた話
rqda
0
2.2k
Java 21/25 Virtual Threads 소개
debop
0
280
実践ハーネスエンジニアリング #MOSHTech
kajitack
7
4.5k
守る「だけ」の優しいEMを抜けて、 事業とチームを両方見る視点を身につけた話
maroon8021
3
1.5k
CSC307 Lecture 15
javiergs
PRO
0
270
Featured
See All Featured
What does AI have to do with Human Rights?
axbom
PRO
1
2.1k
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
helenjbeal
1
150
Art, The Web, and Tiny UX
lynnandtonic
304
21k
New Earth Scene 8
popppiees
1
1.8k
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.8k
The Curse of the Amulet
leimatthew05
1
11k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
aleyda
1
1.9k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
130
The World Runs on Bad Software
bkeepers
PRO
72
12k
The Limits of Empathy - UXLibs8
cassininazir
1
270
Raft: Consensus for Rubyists
vanstee
141
7.4k
Transcript
@ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io
@ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server
@ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token in Query String 3. Access-Token
@ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Manfred Steyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Several suggestions for using OAuth 2 in a more
secure way
@ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit
Flow
@ManfredSteyer Remaining Problem: XSS -> Stealing Tokens
@ManfredSteyer
@ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users
don't want to login over and over again
@ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code
for Access-Token und Id-Token and Refresh-Token
@ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code
for Access-Token und Id-Token and new Refresh-Token
@ManfredSteyer * with conditions …
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie
Static Files (SPA) + XSRF Token SameSite +
@ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only
Cookie Static Files (SPA) Resource-Server 2 ⁉️
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer DEMO
@ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:
https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/
@ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic
Implementation Token Refresh Easier + More Secure
@ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops
manfredsteyer
yusukebe
hiraoku101
umireon
wattanx
nrslib
fujiba
nnaka2992
rqda
debop
kajitack
maroon8021
javiergs
axbom
.png){kind=avatar}
helenjbeal
lynnandtonic
popppiees
jnunemaker
leimatthew05
cassininazir
aleyda
cargoodrich
bkeepers
vanstee
