Closed rikardbo-visma closed 9 months ago
The BFF and IdentityServer each get a separate cookie. The BFF cookie manages the session of the angular application, and contains tokens. While you are using the angular application, you are primarily interested in its BFF cookie.
IdentityServer's cookie manages the session at IdentityServer. Having a session at identity server allows you to get a single sign on experience. Imagine if someday another application also used your IdentityServer as its authority. Then users of that application and the existing application would only need to enter credentials once.
Your existing angular application using the hybrid flow is probably storing tokens with some other mechanism, like session storage.
Your API is authorized with an access token, and it normally doesn't matter which client application requested that access token. The API can validate things like the scope of access granted by the token (is there an expected scope in the token?) and the audience of the token (was the token intended to be used at the API, as indicated by the aud claim), but typically the client application that requested the token is not validated. So, it is fine to have both the legacy and BFF applications side by side.
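As an added illustration of the point above (example code, not from the thread or from Duende's samples): a minimal ASP.NET Core API that validates the token's `aud` and `scope` claims but, deliberately, nothing about which client obtained it, so tokens from the legacy application and from the BFF are both accepted. The authority URL, the audience name `new-api` and the scope `new-api.read` are assumed placeholders.

```csharp
// Added example (not from the thread): API-side token validation that cares about
// audience and scope, not about the requesting client.
// Assumed values: authority URL, audience "new-api" and scope "new-api.read" are placeholders.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

// Keep the raw JWT claim names (sub, scope, client_id) instead of the legacy WS-* mappings.
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and signing keys are fetched from IdentityServer (placeholder URL).
        options.Authority = "https://identityserver.example";
        // Validates the aud claim: was this token issued for this API?
        options.Audience = "new-api";
    });

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ApiScope", policy =>
        policy.RequireAuthenticatedUser()
              // Validates the granted scope. IdentityServer can emit "scope" either as one
              // claim per scope or as a single space-delimited claim, so handle both shapes.
              .RequireAssertion(ctx => ctx.User.FindAll("scope")
                    .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                    .Contains("new-api.read")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// What is *not* checked: client_id. A token from the legacy app and one from the BFF
// are both accepted here as long as aud and scope are right; client_id is only echoed.
app.MapGet("/data", (ClaimsPrincipal user) => Results.Ok(new
    {
        sub = user.FindFirst("sub")?.Value,
        client = user.FindFirst("client_id")?.Value
    }))
   .RequireAuthorization("ApiScope");

app.Run();
```

If the API should later be restricted to one client, that is a separate authorization decision (a policy on `client_id`), not something the token validation itself does.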
Thanks @josephdecock. Yes, there are BFF cookies and IdentityServer cookies, but we also have our own auth cookie on our ASP.NET application, and all requests to the backend are authenticated with this custom forms auth cookie, even from Angular and AngularJs to current APIs.
We would like to continue using this forms auth cookie on the frontend (it's a big job to replace), but somehow transition this to tokens in a middleware when doing calls to our new API. We would of course like to avoid the forms auth cookie being used as auth to the new API, so we want to use the tokens we currently have in the middleware. How can we "share" these tokens with BFF, making it use/access the same tokens as used in our backend custom token middleware?
It's starting to sound like our forms auth cookie is not possible to combine with BFF? Maybe we would need to transition fully to BFF instead? What are your thoughts on the combination and the possibilities, is it possible to share the tokens somehow?
The BFF isn't designed to be combined with forms authentication. Instead, the intent is that you would use OpenID Connect to authenticate and obtain access tokens, and combine that with the cookie handler. The cookie then authenticates requests between the frontend and the BFF, while the BFF translates from the cookie into access tokens and calls APIs.
Without getting further into the details of your architecture and implementation than we can do in a support ticket, my first thought is that you probably will want to convert from forms auth to OIDC. However, one other tool you might consider is the IUserTokenStore, which is the abstraction that the BFF uses to obtain and store tokens. If you've got some other way of getting your tokens in mind, you might be able to express that in the IUserTokenStore.
I don't think we have a direct example of doing what you're attempting, but our Blazor Server sample does include a custom token store. Blazor server doesn't allow us to manage tokens in a cookie based session, since blazor server is streaming/not making individual http requests. So, our sample shows how you can store the tokens server side instead. Again, not directly applicable here, except that it is using the same IUserTokenStore abstraction, but hopefully you get some insight from seeing it in action. See here.
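To make the IUserTokenStore suggestion concrete, here is an added example (my own code, not the Blazor Server sample linked above) of a server-side token store plugged into a BFF host. It assumes the `IUserTokenStore`, `UserToken` and `UserTokenRequestParameters` shapes from Duende.AccessTokenManagement as used by BFF 2.x, keys tokens on the user's `sub` claim plus the optional resource name, and hands tokens to the store from the OIDC handler's `OnTokenValidated` event instead of keeping them in the cookie. The authority URL, client id, secret and scope names are placeholders.

```csharp
// Added example (not Duende's sample): server-side IUserTokenStore for a BFF host.
// Assumptions: Duende.AccessTokenManagement interface shapes as of BFF 2.x; placeholder
// authority, client id, secret and scope names.
using System.Collections.Concurrent;
using System.Security.Claims;
using Duende.AccessTokenManagement.OpenIdConnect;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddBff();
// Replace the default cookie-backed store with the server-side one defined below.
builder.Services.AddSingleton<IUserTokenStore, ServerSideTokenStore>();

builder.Services.AddAuthentication("cookie")
    .AddCookie("cookie")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://identityserver.example"; // placeholder
        options.ClientId = "bff";                              // placeholder
        options.ClientSecret = "secret";                       // placeholder
        options.ResponseType = "code";
        options.Scope.Add("openid");
        options.Scope.Add("offline_access");
        options.Scope.Add("new-api.read");                     // placeholder scope
        options.MapInboundClaims = false;                      // keep "sub" as "sub"
        options.SaveTokens = false;                            // tokens no longer live in the cookie

        // Capture the token response at sign-in and push it into the custom store.
        options.Events.OnTokenValidated = async ctx =>
        {
            var store = ctx.HttpContext.RequestServices.GetRequiredService<IUserTokenStore>();
            var response = ctx.TokenEndpointResponse!;
            await store.StoreTokenAsync(ctx.Principal!, new UserToken
            {
                AccessToken = response.AccessToken,
                AccessTokenType = response.TokenType,
                RefreshToken = response.RefreshToken,
                Expiration = DateTimeOffset.UtcNow.AddSeconds(int.Parse(response.ExpiresIn)),
                Scope = response.Scope
            });
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseBff();
app.UseAuthorization();
app.MapBffManagementEndpoints();
app.Run();

// In-memory store keyed by user (sub) and optional resource. A real deployment would
// back this with a database or distributed cache so it survives restarts and scale-out.
public class ServerSideTokenStore : IUserTokenStore
{
    private readonly ConcurrentDictionary<string, UserToken> _tokens = new();

    private static string Key(ClaimsPrincipal user, UserTokenRequestParameters? parameters)
    {
        var sub = user.FindFirst("sub")?.Value
                  ?? throw new InvalidOperationException("sub claim missing from principal");
        return $"{sub}:{parameters?.Resource ?? string.Empty}";
    }

    public Task<UserToken> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
    {
        // Returning a UserToken with Error set is how the BFF learns there is nothing usable;
        // it will then refresh (if a refresh token exists) or challenge.
        var token = _tokens.TryGetValue(Key(user, parameters), out var stored)
            ? stored
            : new UserToken { Error = "no token stored for this user" };
        return Task.FromResult(token);
    }

    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null)
    {
        _tokens[Key(user, parameters)] = token;
        return Task.CompletedTask;
    }

    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
    {
        _tokens.TryRemove(Key(user, parameters), out _);
        return Task.CompletedTask;
    }
}
```

Because the BFF calls `StoreTokenAsync` again after every refresh, the store stays current without any extra plumbing; the part that would need to change for the forms-auth scenario in this thread is only where the initial tokens come from, since `OnTokenValidated` here assumes the BFF itself performed the OIDC sign-in.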
@rikardbo-visma Do you have any further questions on this or can we close the issue?
Closing, but feel free to reopen if necessary.
Using Duende BFF 2.2.1, BFF running on .NET 6
Other web application running on .NET Framework (net472)
How it works today
Currently we have an application on .NET 4.7.2 that uses IdentityServer for auth. Here we are using Hybrid Flow, but we are soon moving over to Authorization Code Flow with PKCE. We have set up the OWIN OpenIdConnect and cookie middleware, so we have cookie authentication here. We have also implemented our own token management middleware that verifies whether the access token needs refreshing.
Changes coming
We are migrating from AngularJs to Angular and, in that transition, we are also creating a new API to serve it.
Challenge
Calls from the frontend Angular application to the new backend API. This frontend uses cookies only and has no information about the tokens. For this we plan to use BFF.
Question
BFF is working as it's supposed to: we end up with a new cookie on the BFF application and this results in calls to the API with tokens. Our question is regarding these two applications on the same site: our existing AngularJs/Razor application and the BFF application. How are these meant to work as a pair? They will both have cookies, and they would have their own separate set of tokens. We assume they would act as the same client, and they can both use the IdentityServer browser SSO cookie on auth, but what is the best practice here regarding these two applications with separate cookies?