Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Rethinking Auth for SPAs and Micro Frontends: ...
Search
Manfred Steyer
PRO
September 26, 2022
Programming
0
270
Rethinking Auth for SPAs and Micro Frontends: Easy and Secure With Gateways
Manfred Steyer
PRO
September 26, 2022
Tweet
Share
More Decks by Manfred Steyer
See All by Manfred Steyer
Rethinking Angular: The Future with Signals and the New Resource API @iJS Munich 2025
manfredsteyer
PRO
0
37
Reactivity, Reimagined: Angular Signals at Every Layer
manfredsteyer
PRO
0
53
Angular Architecture Workshop @AngularDays in Berlin 2025
manfredsteyer
PRO
0
46
Migration to Signals, Resource API, and NgRx Signal Store
manfredsteyer
PRO
0
120
Reactive Thinking with Signals and the Resource API
manfredsteyer
PRO
0
110
All About Angular's New Signal Forms
manfredsteyer
PRO
0
210
Your Perfect Project Setup for Angular @BASTA! 2025 in Mainz
manfredsteyer
PRO
0
220
Signals & Resource API in Angular: 3 Effective Rules for Your Architecture @BASTA 2025 in Mainz
manfredsteyer
PRO
0
150
Your Architecture as a Crime Scene Forensic Analysis @BASTA! 2025 in Mainz, Germany
manfredsteyer
PRO
0
78
Other Decks in Programming
See All in Programming
テーブル定義書の構造化抽出して、生成AIでDWH分析を試してみた / devio2025tokyo
kasacchiful
0
310
Claude Agent SDK を使ってみよう
hyshu
0
1.4k
開発組織の戦略的な役割と 設計スキル向上の効果
masuda220
PRO
10
1.7k
Developer Joy - The New Paradigm
hollycummins
1
370
「ちょっと古いから」って避けてた技術書、今だからこそ読もう
mottyzzz
12
7.2k
CSC509 Lecture 07
javiergs
PRO
0
250
TransformerからMCPまで(現代AIを理解するための羅針盤)
mickey_kubo
7
5.5k
フロントエンド開発のためのブラウザ組み込みAI入門
masashi
7
3.6k
なんでRustの環境構築してないのにRust製のツールが動くの? / Why Do Rust-Based Tools Run Without a Rust Environment?
ssssota
14
46k
マンガアプリViewerの大画面対応を考える
kk__777
0
340
Introduce Hono CLI
yusukebe
6
3.1k
実践Claude Code:20の失敗から学ぶAIペアプログラミング
takedatakashi
18
8.9k
Featured
See All Featured
A designer walks into a library…
pauljervisheath
209
24k
Into the Great Unknown - MozCon
thekraken
40
2.1k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
22k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.6k
How GitHub (no longer) Works
holman
315
140k
For a Future-Friendly Web
brad_frost
180
10k
Rebuilding a faster, lazier Slack
samanthasiow
84
9.2k
Scaling GitHub
holman
463
140k
A Tale of Four Properties
chriscoyier
161
23k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
36
6.1k
Principles of Awesome APIs and How to Build Them.
keavy
127
17k
Product Roadmaps are Hard
iamctodd
PRO
55
11k
Transcript
@ManfredSteyer ManfredSteyer Manfred Steyer, ANGULARarchitects.io
@ManfredSteyer Folie▪ 2 Client Authorization-Server Resource-Server
@ManfredSteyer Folie▪ 3 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token in Query String 3. Access-Token
@ManfredSteyer Folie▪ 4 Client Authorization-Server Resource-Server 1. Redirection 2. Redirect
w/ (Code for) Access-Token and Id-Token 3. Access-Token User Info Endpoint (OIDC)
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Manfred Steyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Several suggestions for using OAuth 2 in a more
secure way
@ManfredSteyer Example: Using Code Flow + PKCE instead of Implicit
Flow
@ManfredSteyer Remaining Problem: XSS -> Stealing Tokens
@ManfredSteyer
@ManfredSteyer Why Token Refresh? Short living Tokens increase Security Users
don't want to login over and over again
@ManfredSteyer Folie▪ 23 Client Authorization-Server Resource-Server 1. Redirection 2. Code
for Access-Token und Id-Token and Refresh-Token
@ManfredSteyer Folie▪ 24 Client Authorization-Server Resource-Server 3. Refresh-Token 4. Code
for Access-Token und Id-Token and new Refresh-Token
@ManfredSteyer * with conditions …
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer Client Gateway Authorization-Server Resource-Server Access-Token Id-Token Refresh-Token HTTP-only Cookie
Static Files (SPA) + XSRF Token SameSite +
@ManfredSteyer Client Gateway Authorization-Server Resource-Server 1 Access-Token Id-Token Refresh-Token HTTP-only
Cookie Static Files (SPA) Resource-Server 2 ⁉️
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer
@ManfredSteyer DEMO
@ManfredSteyer Demo • SPA: https://purple-flower-021fa1b03.azurestaticapps.net/home • SPA behind Security Gateway:
https://demo-auth-gateway.azurewebsites.net/home • Source Code for Gateway: https://github.com/manfredsteyer/yarp-auth-proxy • Source Code for Auth in SPA: https://github.com/manfredsteyer/auth-gateway-client/
@ManfredSteyer Conclusion Browser: No Safe Place for Tokens Gateway: Generic
Implementation Token Refresh Easier + More Secure
@ManfredSteyer d Slides & Examples Remote and In-House http://softwarearchitekt.at/workshops
manfredsteyer
kasacchiful
hyshu
masuda220
hollycummins
mottyzzz
javiergs
mickey_kubo
masashi
ssssota
kk__777
yusukebe
takedatakashi
pauljervisheath
thekraken
danielanewman
marktimemedia
holman
brad_frost
samanthasiow
chriscoyier
kevinliebholz
keavy
iamctodd
