From d0d7c043f0c3aecf29ee1332ae28b9a3479c852e Mon Sep 17 00:00:00 2001 From: Roland Guijt Date: Tue, 10 Sep 2024 16:00:14 +0200 Subject: [PATCH 1/3] Use MapInboundClaims and get rid of useEndpoints --- .../quickstarts/js_clients/js_with_backend.md | 31 +++++++------------ 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md index 0d768b96..0a42452d 100644 --- a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md +++ b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md @@ -106,7 +106,6 @@ builder.Services .AddBff() .AddRemoteApis(); -JwtSecurityTokenHandler.DefaultMapInboundClaims = false; builder.Services .AddAuthentication(options => { @@ -125,6 +124,7 @@ builder.Services options.Scope.Add("offline_access"); options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true; + options.MapInboundClaims = false; }); var app = builder.Build(); @@ -153,11 +153,7 @@ app.UseAuthentication(); app.UseBff(); app.UseAuthorization(); - -app.UseEndpoints(endpoints => -{ - endpoints.MapBffManagementEndpoints(); -}); +app.MapBffManagementEndpoints(); app.Run(); ``` @@ -412,25 +408,20 @@ HttpContext.GetUserAccessTokenAsync();* ### Update routing to accept local and remote API calls Next, you need to register both the local API and the BFF proxy for the remote -API in the ASP.NET Core routing system. Add the code below to the *UseEndpoints* -call in *src/JavaScriptClient/Program.cs*. +API in the ASP.NET Core routing system. Add the code below to the endpoint configuration code in *src/JavaScriptClient/Program.cs*. ```cs -app.UseEndpoints(endpoints => -{ - endpoints.MapBffManagementEndpoints(); - - // Uncomment this for Controller support - // endpoints.MapControllers() - // .AsBffApiEndpoint(); + app.MapBffManagementEndpoints(); - endpoints.MapGet("/local/identity", LocalIdentityHandler) - .AsBffApiEndpoint(); + // Uncomment this for Controller support + // app.MapControllers() + // .AsBffApiEndpoint(); - endpoints.MapRemoteBffApiEndpoint("/remote", "https://localhost:6001") - .RequireAccessToken(Duende.Bff.TokenType.User); + app.MapGet("/local/identity", LocalIdentityHandler) + .AsBffApiEndpoint(); -}); + app.MapRemoteBffApiEndpoint("/remote", "https://localhost:6001") + .RequireAccessToken(Duende.Bff.TokenType.User); ``` The call to the *AsBffApiEndpoint()* fluent helper method adds BFF support to the local APIs. This includes anti-forgery protection as well as suppressing From 6bc277a11b5b1a6b21b9f91eee41ea1f50605f05 Mon Sep 17 00:00:00 2001 From: Roland Guijt Date: Thu, 12 Sep 2024 14:58:15 +0200 Subject: [PATCH 2/3] Sunset qs js wo backend --- .../content/quickstarts/js_clients/_index.md | 17 +++++++++-------- .../quickstarts/js_clients/js_with_backend.md | 2 +- .../js_clients/js_without_backend.md | 1 + 3 files changed, 11 insertions(+), 9 deletions(-) diff --git a/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md b/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md index ccf08f0e..08f0016c 100644 --- a/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md +++ b/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md @@ -1,20 +1,20 @@ +++ -title = "Building JavaScript client applications" +title = "Building Browser-Based Client Applications" weight = 10 chapter = true +++ # JavaScript/SPA Client Applications -When building JavaScript (or SPA) applications, there are two main styles: those +When building browser-based or SPA applications, there are two main styles: those with a backend and those without. JavaScript applications **with a backend** are more secure, making it the -preferred style. This style uses the ["Backend For Frontend" +recommended style. This style uses the ["Backend For Frontend" pattern](https://blog.duendesoftware.com/posts/20210326_bff/), or "BFF" for short, which relies on the backend host to implement all of the security protocol interactions with the token server. The *Duende.BFF* library is used in -this quickstart to easily support the BFF pattern. +[this quickstart]({{< ref "js_with_backend.md" >}}) to easily support the BFF pattern. JavaScript applications **without a backend** need to do all the security protocol interactions on the client-side, including driving user authentication @@ -22,11 +22,12 @@ and token requests, session and token management, and token storage. This leads to more complex JavaScript, cross-browser incompatibilities, and a considerably higher attack surface. Since this style inherently needs to store security sensitive artifacts (like tokens) in JavaScript reachable locations, this style -is not encouraged for applications dealing with sensitive data. As the ["OAuth -2.0 for Browser-Based Apps" IETF/OAuth working group BCP +is not recommended. **Consequently we don't offer a quickstart for this style**. + +As the ["OAuth 2.0 for Browser-Based Apps" IETF/OAuth working group BCP document](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps) -says ->there is no browser API that allows to store tokens in a completely secure way. +says: +>there is no browser API that allows to store tokens in a completely secure way. Additionally, modern browsers have recently added or are planning to add privacy features that can break some front-channel protocol interactions. See diff --git a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md index 0a42452d..a8bf253a 100644 --- a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md +++ b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_with_backend.md @@ -1,5 +1,5 @@ --- -title: "JavaScript applications with a backend" +title: "Browser-Based Applications with a BFF" weight: 10 --- diff --git a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_without_backend.md b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_without_backend.md index e1200393..76986ca2 100644 --- a/IdentityServer/v7/docs/content/quickstarts/js_clients/js_without_backend.md +++ b/IdentityServer/v7/docs/content/quickstarts/js_clients/js_without_backend.md @@ -1,4 +1,5 @@ --- +expiryDate: 2024-09-11 title: "JavaScript applications without a backend" weight: 20 --- From 650a282ad46b431e65d025441a83818ee801ca50 Mon Sep 17 00:00:00 2001 From: Roland Guijt Date: Thu, 12 Sep 2024 15:08:43 +0200 Subject: [PATCH 3/3] Change title of js overview --- .../v7/docs/content/quickstarts/js_clients/_index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md b/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md index 08f0016c..0a988e8a 100644 --- a/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md +++ b/IdentityServer/v7/docs/content/quickstarts/js_clients/_index.md @@ -4,19 +4,19 @@ weight = 10 chapter = true +++ -# JavaScript/SPA Client Applications +# Building Browser-Based Client Applications -When building browser-based or SPA applications, there are two main styles: those +When building browser-based or SPA applications using javascript, there are two main styles: those with a backend and those without. -JavaScript applications **with a backend** are more secure, making it the +Browser-based applications **with a backend** are more secure, making it the recommended style. This style uses the ["Backend For Frontend" pattern](https://blog.duendesoftware.com/posts/20210326_bff/), or "BFF" for short, which relies on the backend host to implement all of the security protocol interactions with the token server. The *Duende.BFF* library is used in [this quickstart]({{< ref "js_with_backend.md" >}}) to easily support the BFF pattern. -JavaScript applications **without a backend** need to do all the security +Browser-based applications **without a backend** need to do all the security protocol interactions on the client-side, including driving user authentication and token requests, session and token management, and token storage. This leads to more complex JavaScript, cross-browser incompatibilities, and a considerably