Developer Docs
sgID v2
sgID v2
  • Introduction
    • Overview
    • Getting Started
      • Register Your Application
      • Integrating With sgID
  • Integrations with sgID
    • TypeScript / JavaScript
      • Framework Guides
        • Express (with Single-Page App frontend)
        • Next.js (client-side rendering)
        • Next.js (server-side rendering)
      • API Reference
    • Python
      • Framework Guides
        • Flask (with Single-Page App frontend)
      • API Reference
    • Custom Integration
    • API Documentation
    • Troubleshooting
  • Learn the basics
    • Protocols
      • OAuth 2.0 and OpenID Connect
      • sgID
        • White Paper
    • Integration Patterns
      • Web Server and SSR Frontend
      • Backend for Single-Page App (SPA) Frontend (BFF)
  • Important Updates
    • User Migrations
      • TypeScript SDK v2.0 Major Release
  • Data Catalog
  • FAQ (Developers)
  • FAQ (Users)
  • Contact
Powered by GitBook
On this page
  • Typical Flow
  • Complete Flow Diagram
Export as PDF
  1. Learn the basics
  2. Integration Patterns

Backend for Single-Page App (SPA) Frontend (BFF)

PreviousWeb Server and SSR FrontendNextUser Migrations

Last updated 2 years ago

As discussed in , sgID does not support public clients like standalone SPAs or native mobile applications. Therefore, when using a SPA frontend, the client must also maintain a backend server which will interact with the sgID server instead of the frontend. This design pattern is known as backend for frontend (BFF).

Typical Flow

  1. The SPA frontend requests a sgID authorization URL from the backend server

  2. The SPA triggers a browser redirect to the sgID authorization URL, where a QR code is rendered

  3. The end user authorizes the transaction by scanning the QR code with their Singpass mobile app, and consents to share their data with the client application

  4. Upon successful authorization, the sgID server sends the registered redirect / callback URL (associated with the web server) to the browser, which redirects to that URL. This URL should be associated with the backend server

  5. The backend server receives the authorization code in the callback URL and exchanges it for an access token and ID token using its client ID and client secret

  6. The backend server then uses the access token to obtain the end user's data from the sgID server userinfo endpoint

  7. The backend server will then authenticate the end user's SPA session, and subsequently log the end user into their app.

Complete Flow Diagram

Note: the /auth/login and /auth/callback endpoints are to be developed by the relying party (RP) as these endpoints serve as the primary communication channel between RP SPA and RP Server.

Integration Patterns
Back-End for SPA Frontend (BFF) Flow Diagram
Back-End for SPA Front-End (BFF) Flow Diagram