philippederyck
commented
4 months ago You're absolutely right that there is a lot of freedom in deciding how to implement the BFF or TM-BFF pattern. If there are pre-existing architecture components that can handle some of the heavy lifting, you are definitely encouraged to do so.
With that in mind, it is important to note that neither the BFF nor the TM-BFF require actual changes on the part of the resource server. It received an access token before, and it still receives an access token now. The specifics of how you implement the handling of that access token are out of scope for OAuth in general, and for this document as well.
In a nutshell, I don't think this PR addresses a core issue or adds an in-scope clarification, so I would not include it.
emmanuelgautier
As the Token Mediating Backend may be considered for performance reason sometimes, this PR shared an alternative solution. Most of the time, the resource servers are deployed with a proxy handling incoming request. Re-using those components may be a solution to not degrade security, not degrades performance, and be an alternative to use Token Mediating Backend pattern.
A not answered question in this PR is how to shared relevant informations to handle cookies decryption when applied. Does this RFC should handle this question?