Single Page Application

When building APIs that are consumed by Single Page Applications running on browsers, security control is different from service to service calls. This repository contains all the middleware handlers designed for SPA only. It automatically renews the JWT token from the OAuth 2.0 provider before the token expires and handles the CSRF token to prevent cross-site request forgery attacks.

The embedded handler also handles the login and logout from the UI and manages the session with cookies.

Stateless Auth

Stateless Auth Handler

This is the handler that is responsible for handling redirected authorization code from light-oauth2 code service after SPNEGO/Kerberos or Basic authentication or Form authentication. It is also responsible for verifying the subsequent requests, prevent XSS and CSRF attacks, renew JWT tokens with the refresh token when the previous JWT token is expired. It is called stateless auth handler because it doesn’t need any stateful session on the BFF server so that the BFF can be scaled freely. Read More »