Does authentication belong to frontend or backend?

Hi everyone,

I’ve joined a team where they had auth0-js + auth0-lock set up on an Angular application. My boss asked me to audit the bundles, and both auth0 libraries dramatically increase the vendor bundle. I suggested getting rid of those and placing everything on the backend (we do have a backend) so it would improve security (do you guys trust the browser?) and globally improve performance. I think I’ve never seen auth0 implemented on the client and have read a lot of articles saying it wasn’t the best approach (though SDKs and libraries are available), but the backend really insists on keeping it on the client.

So, my question is pretty simple, but I’d love to have a serious answer with pros and cons: if you could decide where to put the authentication, would you go frontend or backend?

Thank you.

Hey @wapo :sunglasses:

tl;dr: Angular is a SPA framework that usually handles authentication on the front end (auth0-spa-js). Front end or back end is a personal preference, though. Decide based on how you plan to structure your app.

Here is a diagram showing how a SPA links a browser to the API and here is a diagram showing how a regular web app connects a browser to an app to an API.

Here is a guide to picking the best flow for you.

SPA: a smaller/simpler backend with authentication logic in the browser (auth0-spa-js can replace auth0-js and auth0-lock). Pairs well with Angular; see here.

Regular Web App: build a more complex backend and keep authentication logic on the server. A wide range of SDKs is available.

Hope you find this helpful?
Tom
