my customer wants to use an API Gateway as a BFF / Token Handler for SPAs. A request hits the API Gateway. If there is no Session for the browser it is redirected to the IdP and does the Authorization Code Flow with PKCE to log into the API Gateway without exposing the id/access token to the browser anywhere (besides in secure, http only cookies).
This approach was chosen in accordance with the current ietf recommendation for browser based apps (6.1):
Is my understanding correct that Tyk does only support Bearer Tokens?
Are there any Plans to extend Tyk for such a functionality or do you have any pointers on how to implement this?
This is a very interesting use-case which I hadn’t considered before. I’m not so sure Tyk can do this without a custom plugin, that said - it has intrigued me so much that I have already started playing with a possible solution.
If you need any input concept-wise let me know. My Customer is an Open Source Company, so Technology Exchange should not be a problem (but the project I’m working on is not released yet, so I can’t put a link here). If something like this should end up on the Tyk roadmap they might also be inclined to share some of the effort.
Question for you about this. Cavaet is I’m not familiar with the RFC you share.
So, usually front-end apps is where the logic is contained for checking if a session exists, and retrieving one (through IDP/APIGateway) if it does not exist.
The pattern you’re describing is fundamentally different in that regard.
Have you considered the approach above? Where the end user is redirected to the IDP for login if the frontend detects an expired or missing session?
@sedky There is different kind of frontend apps with different challenges concerning secure storage of credentials. See Chapter 6 auf the linked spec. Especially Single Page Apps without a backend are virtually unable to securely store credentials. Thusly the so called Backend for Frontend (BFF) or Token Handler Patterns were invented.
The documentation of the Kong OIDC Plugin gives a nice overview. Note the Authorization Code Flow i.e. the id/access Tokens are never exposed to the Browser.
That’s helpful thanks. The benefit here is that the Gateway will be responsible for redirecting or authenticating depending on the presence of the session from cookie.
Hi, has there been any development on this? I can’t find any mentions on Token Handler / BFF on the tyk homepage / this thread is the first search result.
The ietf has released a new version of the document above, further describing different ways of handling Tokens in SPAs in a secure fashion (BFF now has it’s own section).
It would be helpful to document how to implement something like this with tyk, the folks writing this document also write the OAuth 2.1 Spec, so their wording is pretty much what everybody is searching for on the web.
