
cloudpath-software/spring-bff-authorization


Spring Backend for frontend authorization

The Spring Backend for Frontend project provides a simple and flexible abstraction for managing user sessions after a successful OAuth2 authorization. The source code is heavily inspired by the latest Spring Authorization Server.

Getting Started

The first place to start is to read the IETF draft "Token Mediating and Session Information Backend For Frontend" and "The OAuth 2.1 Authorization Framework" to gain an in-depth understanding of how a backend for frontend sits between a browser client and an authorization server.

Library development

This library is still in development and will probably contain breaking changes in the future. It was built to resolve the issue of public clients not being issued a refresh token by spring-authorization-server. If there is interest, a release structure and an issue tracker will be put in place.

Features to be considered

  • Support mobile-app-specific flows, since cookie-based sessions are not convenient for Android/iOS apps.

Recommendations for spa apps

Based on current best practices, it is not recommended to persist access or refresh tokens within the client (for example in localStorage or sessionStorage): any script that runs in the page, including injected script from an XSS bug, can read them, which enlarges the attack surface and makes token theft possible. For more information, this issue discusses it in depth.

Spring authorization server notes

As stated by Joe Grandja (Spring Authorization Server lead), there are no plans to issue refresh tokens to public clients. Public clients are considered insecure by nature: they run in an environment the deployer does not control, so they cannot store a client secret securely. The authorization server explicitly will not generate a refresh token when the client authentication method is none.

The recommendation is to use a backend for frontend (BFF) approach to manage user tokens and reduce the attack surface by keeping client secrets and access tokens out of public clients: the BFF is itself a confidential client, holds the tokens server-side, and gives the browser only an opaque session cookie.
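The token-mediating BFF described in the two sections above, as an added example written for this page (Python, not the library's Java code): the BFF redeems the authorization code server-side as a confidential client, stores the tokens against an opaque session id, and hands the browser only an HttpOnly cookie; when the access token expires it uses the refresh token itself, and a logout deletes the server-side session. The TokenEndpoint is a constructed stand-in for an authorization server that applies the rule above (no refresh token when the client authentication method is none) and rotates refresh tokens. All names, the BFF_SESSION cookie and the token formats are hypothetical; PKCE, state and TLS are out of scope.

```python
"""Toy model of backend-for-frontend (BFF) token mediation.

Added example; not code from the spring-bff-authorization library. TokenEndpoint
is a constructed stand-in for an authorization server; every name and token
format here is hypothetical.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class TokenSet:
    access_token: str
    refresh_token: Optional[str]   # None when issued to a public client
    expires_at: float


class TokenEndpoint:
    """Stand-in token endpoint. A client registered with secret None is a public
    client (authentication method 'none') and is never issued a refresh token.
    Refresh tokens are single-use: each refresh invalidates the one presented."""

    def __init__(self, clients: Dict[str, Optional[str]], lifetime: float = 300.0,
                 clock: Callable[[], float] = time.time):
        self.clients = clients            # client_id -> secret, or None for a public client
        self.lifetime = lifetime
        self.clock = clock                # injectable so expiry can be simulated
        self.counter = 0
        self.live_refresh_tokens: set = set()

    def _authenticate(self, client_id: str, client_secret: Optional[str]) -> None:
        if client_id not in self.clients or self.clients[client_id] != client_secret:
            raise PermissionError("invalid_client")

    def _issue(self, client_id: str) -> TokenSet:
        self.counter += 1
        refresh = None
        if self.clients[client_id] is not None:      # confidential clients only
            refresh = f"rt-{client_id}-{self.counter}"
            self.live_refresh_tokens.add(refresh)
        return TokenSet(f"at-{client_id}-{self.counter}", refresh, self.clock() + self.lifetime)

    def exchange_code(self, client_id: str, client_secret: Optional[str], code: str) -> TokenSet:
        """Authorization-code grant (code validation and PKCE omitted in this toy)."""
        self._authenticate(client_id, client_secret)
        return self._issue(client_id)

    def refresh(self, client_id: str, client_secret: Optional[str], refresh_token: str) -> TokenSet:
        self._authenticate(client_id, client_secret)
        if refresh_token not in self.live_refresh_tokens:
            raise PermissionError("invalid_grant")   # unknown, or already rotated
        self.live_refresh_tokens.discard(refresh_token)
        return self._issue(client_id)


class Bff:
    """Confidential client that keeps tokens server-side, keyed by an opaque
    session id; the browser only ever holds the HttpOnly session cookie."""
    COOKIE = "BFF_SESSION"

    def __init__(self, token_endpoint: TokenEndpoint, client_id: str, client_secret: str,
                 clock: Callable[[], float] = time.time):
        self.te = token_endpoint
        self.client_id = client_id
        self.client_secret = client_secret    # stays on the server, never sent to the browser
        self.clock = clock
        self.sessions: Dict[str, TokenSet] = {}

    def callback(self, code: str) -> Dict[str, str]:
        """Redeem the code server-side; respond with only a Set-Cookie header."""
        tokens = self.te.exchange_code(self.client_id, self.client_secret, code)
        sid = secrets.token_urlsafe(32)       # opaque, unguessable session id
        self.sessions[sid] = tokens
        return {"Set-Cookie": f"{self.COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"}

    def _session_id(self, cookie_header: str) -> Optional[str]:
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE and value in self.sessions:
                return value
        return None

    def proxy(self, cookie_header: str) -> Dict[str, object]:
        """Resolve the session, refresh an expired access token, and return the
        headers the BFF would send to the upstream API (bearer token, no cookie)."""
        sid = self._session_id(cookie_header)
        if sid is None:
            return {"status": 401}
        tokens = self.sessions[sid]
        if tokens.expires_at <= self.clock():
            try:
                if tokens.refresh_token is None:
                    raise PermissionError("no refresh token")   # user must re-authorize
                tokens = self.te.refresh(self.client_id, self.client_secret, tokens.refresh_token)
            except PermissionError:
                del self.sessions[sid]
                return {"status": 401}
            self.sessions[sid] = tokens
        return {"status": 200, "Authorization": f"Bearer {tokens.access_token}"}

    def logout(self, cookie_header: str) -> Dict[str, str]:
        """Drop the server-side session so the cookie value is useless afterwards."""
        sid = self._session_id(cookie_header)
        if sid is not None:
            del self.sessions[sid]
        return {"Set-Cookie": f"{self.COOKIE}=; Max-Age=0; HttpOnly; Secure; SameSite=Lax; Path=/"}
```

The point to take from the model is what each party holds: the browser has a cookie that is meaningless outside the BFF, the BFF has the client secret and both tokens, and a public client registered with secret None gets an access token only, so once it expires the user has to go through authorization again.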

Building from Source

Spring Bff Authorization uses a Gradle-based build system. In the instructions below, ./gradlew is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.

Prerequisites

Git and JDK 17.

Make sure your JAVA_HOME environment variable points to the JDK 17 folder extracted from the JDK download.

Check out sources

git clone git@github.com:Snapwise/spring-bff-authorization.git

Contributing

Pull requests are welcome. Contact me at fabrizio.rodin-miron@snapwise.app

License

Spring Bff Authorization is Open Source software released under the Apache 2.0 license.
