Initial SSO chapter

[DarkoKukovec]

The goal of this chapter is to explain how to work with auth (right now the focus is on sso).
Once we have libs for this, we could also add more specifics for them.

New chapter PR:
https://github.com/infinum/frontend-handbook-private/pull/76

[fvoska]

Generally this is a good approach, but we should battle-test it a bit with commonly used FE libraries like MSAL which has both React and Angular flavours.

If we are using AD, we will most probably use MSAL and we would have to see how we can use it with BFF and redirect-based flows.

MSAL also has a popup-based flow, but I guess that is out of the question because BFF flow could only work in a redirect-based flow.

[fvoska]

In general, that means that our backend is the SSO client
I would maybe clarify here that by "backend" you mean BFF backend that was mentioned in the previous sentence, and not the "core backend" that BFF connects to

[DarkoKukovec]

I'm not convinced MSAL is a good solution:

1. I don't like having a special case solution for a single provider, especially if we only need the login part
2. We often work with other providers, so it's not like it's solving most of our problems
3. Does it have a good SSR support? Looking at the NextJS example, it seems like it's doing everyting on th client?
4. The point of this chapter: I'm not sure that the MSAL library is handling tokens in the recommended ways - from the looks of it, it is saving them to localStorage, which might be good enough for some cases, but is vulnerable to XSS attacks.

[fvoska]

Is there some FE lib that we are ok with using for standard OIDC flows?

I can speak for Angular that, if using AD, MSAL makes most sense. For other providers, we can use angular-auth-oidc-client. We used angular-auth-oidc-client on CEERIS and there it was actually done as you describe here. We didn't have BFF explicitly, but our Rails backend handled the redirect from SSO provider and then set cookies for frontend and redirected back to frontend SPA. CEERIS is SPA, not SSR, but I think that current setup on CEERIS would work with SSR as well.

We could probably do the same with MSAL, but I am not 100% sure.

Note: Based on some examples, angular-auth-oidc-client also supports AD, at least to some extent.

[DarkoKukovec]

angular-auth-oidc-client is another example of a lib using localStorage to store sensitive credentials.

The CEERIS approach is good, but it might not be possible or practical to do this in other cases (e.g. with microservices).

Basically, there is only one client side way to do this securely, and that is with service workers. I didn't find a good lib for this, but I'm working on something for that).