SPA using the Token Handler from Curity

An example Single Page Application (SPA) client that uses the production supported backend components.\ The SPA uses an API-driven OAuth 2.0 and OpenID Connect flow:

The SPA follows best practices for browser based apps with no tokens in the browser.\ The SPA transports access tokens to APIs using HTTP-only SameSite=strict cookies.

Architecture Benefits

This provides the best separation of web and API concerns, to maintain all of the benefits of an SPA architecture:

• Strongest Browser Security developed by experts
• Supported Solution, with design guidance and professional services support
• Great User Experience due to the separation of web and API concerns
• Productive Developer Experience with only simple security code needed in the SPA
• Deploy Anywhere, such as to a content delivery network

Simple Code in Apps

This repository demonstrates the business focused components you should need to develop:

• A Single Page App coded in React
• A Web Host to provide static content
• An API that validates JWT access tokens

It also provides an example deployment so that you can understand the moving parts.

Run the End-to-end Flow

The SPA can be quickly run in an end-to-end flow on a development computer by following this guide:

• Deployment Instructions

Website Documentation

See the following resources for further information and tutorials:

• Token Handler Product
• Create a Token Handler
• SPA Code Example
• Deployment Tutorial

More Information

Please visit curity.io for more information about the Curity Identity Server.