RolandGuijt
commented
1 month ago Any SPA stack works with IdentityServer. We do recommend using a BFF to keep secrets out of the browser context and to avoid other browser related problems. When using .NET our BFF framework is designed to work with any SPA. Having the SPA hosted somewhere else works too. The only caveat here is that you'll want to use a session cookie that has the samesite flag set to avoid Cross Site Request Forgery. But problems around that are relatively easy to overcome when you use a reverse proxy.
This is an overly generic question and I apologize upfront if this is not the right place. We are evaluating security options and we came across identity server. I am a .net dev and thus lots of things here feal super comfortable. I have not tried to set up a demo version yet, and before I invested that time, i wanted to check to see what SPA stacks are supported. For example is their any reason why a Vue or React app would not be compatible with IdentityServer if it was hosted outside of the .net world. i.e. Nodejs. Intent would be to utilize an API Gateway / BFF (which would be a .net).