Hi, I am “researching” how could I create SPA (REACT) with API written in .NET and it all would be secured by Auth0.
I have already created blazor application that was using API and all was secured. But now I need to work with such scenario:
- FRONT SPA - written in REACT
- BFF (backend for frontend) as secure layer between SPA and API. BFF is a reverse proxy written in .NET and using YARP
- My WebAPI in .NET
For now my API issues JWTokens and refresh tokens. So the flow is like that:
- user logs in SPA app
- SPA calls BFF
- BFF pushes the request to webApi to issue the tokens
- WebApi issues tokens and responses to BFF
- BFF crypts the tokens and sends them to SPA in a HttpOnly secure cookie
In next requests, SPA calls BFF with that cookie, BFF reads cookie, decrypts it, adds Authorization Header and then pushes the request to WebApi.
BFF is written on top of Yarp, so every cookie-jwt operation is done in transformations.
It all works fine. But there are too much security to be aware off in WebApi, so I am thinking to give this part to OAuth, so othat WebApi will not be the token issuer anymore.
Do you have any clues how to do it in such stack?