Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rethinking Auth for SPAs and Micro Frontends: ...
Search
Manfred Steyer
PRO
September 26, 2022
Programming
0
270
Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways
Manfred Steyer
PRO
September 26, 2022
Tweet
Share
More Decks by Manfred Steyer
See All by Manfred Steyer
Premier Disciplin for Micro Frontends Multi Version/ Framework Scenarios @OOP 2026, Munic
manfredsteyer
PRO
0
92
Beyond the Basics: Signal Forms
manfredsteyer
PRO
0
63
360° Signals in Angular: Signal Forms with SignalStore & Resources @ngLondon 01/2026
manfredsteyer
PRO
0
140
All About Angular‘s New Signal Forms
manfredsteyer
PRO
0
29
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
manfredsteyer
PRO
0
260
Your Architecture as a Crime Scene? Forensic Analysis
manfredsteyer
PRO
0
180
Full-Cycle Reactivity in Angular: SignalStore mit Signal Forms und Resources
manfredsteyer
PRO
0
280
Your Architecture as a Crime Scene: Forensic Analysis
manfredsteyer
PRO
0
130
Reactive Thinking with Signals and the new Resource API
manfredsteyer
PRO
0
250
Other Decks in Programming
See All in Programming
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
hekuchan
2
690
CSC307 Lecture 08
javiergs
PRO
0
670
Rust 製のコードエディタ “Zed” を使ってみた
nearme_tech
PRO
0
210
フロントエンド開発の勘所 -複数事業を経験して見えた判断軸の違い-
heimusu
7
2.8k
開発者から情シスまで - 多様なユーザー層に届けるAPI提供戦略 / Postman API Night Okinawa 2026 Winter
tasshi
0
210
並行開発のためのコードレビュー
miyukiw
0
1.2k
IFSによる形状設計/デモシーンの魅力 @ 慶應大学SFC
gam0022
1
310
CSC307 Lecture 09
javiergs
PRO
1
840
CSC307 Lecture 06
javiergs
PRO
0
690
Apache Iceberg V3 and migration to V3
tomtanaka
0
170
生成AIを使ったコードレビューで定性的に品質カバー
chiilog
1
280
プロダクトオーナーから見たSOC2 _SOC2ゆるミートアップ#2
kekekenta
0
230
Featured
See All Featured
The State of eCommerce SEO: How to Win in Today's Products SERPs - #SEOweek
aleyda
2
9.6k
The Spectacular Lies of Maps
axbom
PRO
1
530
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
7.9k
Raft: Consensus for Rubyists
vanstee
141
7.3k
Discover your Explorer Soul
emna__ayadi
2
1.1k
Abbi's Birthday
coloredviolet
1
4.8k
The AI Revolution Will Not Be Monopolized: How open-source beats economies of scale, even for LLMs
inesmontani
PRO
3
3.1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
2
430
WENDY [Excerpt]
tessaabrams
9
36k
Amusing Abliteration
ianozsvald
0
110
Why Your Marketing Sucks and What You Can Do About It - Sophie Logan
marketingsoph
0
77
SEO Brein meetup: CTRL+C is not how to scale international SEO
lindahogenes
0
2.4k
Transcript
@ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io
@ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server
@ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token in Query String 3. Access-Token
@ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Manfred Steyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Several suggestions for using OAuth 2 in a more
secure way
@ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit
Flow
@ManfredSteyer Remaining Problem: XSS -> Stealing Tokens
@ManfredSteyer
@ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users
don't want to login over and over again
@ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code
for Access-Token und Id-Token and Refresh-Token
@ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code
for Access-Token und Id-Token and new Refresh-Token
@ManfredSteyer * with conditions …
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie
Static Files (SPA) + XSRF Token SameSite +
@ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only
Cookie Static Files (SPA) Resource-Server 2 ⁉️
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer DEMO
@ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:
https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/
@ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic
Implementation Token Refresh Easier + More Secure
@ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops
manfredsteyer
hekuchan
javiergs
nearme_tech
heimusu
tasshi
miyukiw
gam0022
tomtanaka
chiilog
kekekenta
aleyda
axbom
eileencodes
vanstee
emna__ayadi
coloredviolet
inesmontani
tomoyanonymous
tessaabrams
ianozsvald
marketingsoph
lindahogenes
