curityio/spa-using-token-handler

API driven OpenID Connect SPA security, using only the most secure cookies in the browser

SPA using the Token Handler Pattern

A Single Page Application (SPA) that implements OpenID Connect using recommended browser security.
The SPA uses a Backend for Frontend (BFF) approach, in line with best practices for browser based apps.
A modern evolution of Backend for Frontend is used, called the Token Handler Pattern.

Architecture Benefits

This provides the best separation of web and API concerns, to maintain all of the benefits of an SPA architecture:

• Strongest Browser Security, with only SameSite=strict cookies
• Great User Experience due to the separation of Web and API concerns
• Productive Developer Experience with only simple security code needed in the SPA
• Deploy Anywhere, such as to a Content Delivery Network

Run the End-to-end Flow

The SPA can be quickly run in an end-to-end flow on a development computer by following these guides:

• Standard SPA using an Authorization Code Flow (PKCE) and a Client Secret
• Financial-grade SPA using Mutual TLS, PAR and JARM

Website Documentation

• See the Token Handler Design Overview for further documentation on this design pattern.

More Information

Please visit curity.io for more information about the Curity Identity Server.