Back-End for SPA Front-End (BFF)

Summarize Flow

  1. The SPA frontend requests an authentication URL from the backend server.

  2. The SPA opens the authentication URL through browser redirection, which redirects the user to the sgID server for authorization.

  3. The user authorizes using their Singpass mobile app, and consents to share their data with the application.

  4. The sgID server sends an authorization code to the browser, which performs a callback redirect to the backend server's callback URL.

  5. The backend server exchanges the authorization code for an access token and id token using its client ID and secret.

  6. The backend server then uses the access token to obtain encrypted user information from the sgID server.

  7. The backend server will then handle client authentication.

Complete Flow Diagram

The /auth/login and /auth/callback endpoints are to be developed by the RP, as these endpoints serve as the primary communication channel between the RP SPA and the RP server.

Client Authentication Recommendations

Session-based authentication

Session-based authentication is a mechanism where the server creates a unique session ID for each authenticated user and stores it in memory or in a database. The session ID is then sent to the client as a cookie, allowing the server to identify the user for subsequent requests. The client's session ID is typically destroyed when the user logs out or when the session expires.

In this mechanism, client authentication is handled by the server, which creates a session ID after successful authentication. The session ID is then used to identify the client for subsequent requests.

Token-based authentication

Token-based authentication is a mechanism where the server creates a JSON Web Token (JWT) after successful authentication. The JWT is then sent to the client as a response to the authentication request, and the client stores the JWT in local storage or in a cookie. The client includes the JWT in subsequent requests, allowing the server to identify the user.

In this mechanism, client authentication is handled by the server, which creates a JWT after successful authentication. The JWT is then sent to the client, and the client includes the JWT in subsequent requests. The server can then verify the JWT to authenticate the client.
