The Spring Backend for Frontend project delivers a simple and flexible abstraction for managing user sessions after a successful OAuth2 authorization. The source code is heavily inspired by the latest Spring Authorization Server.
The first place to start is to read Token Mediating and session Information Backend For Frontend and the OAuth 2.1 Authorization Framework to gain an in-depth understanding of how to build an authorization server.
This library is still in development and will probably contain breaking changes in the future. It was built to resolve the issue of public clients not being issued a refresh token by the spring-authorization-server. If there is interest, a release structure and issue tracking system will be put in place.
Features to be considered
- Support mobile-app-specific flows, since cookies are not really convenient for Android/iOS apps.
Based on current best practices, persisting access/refresh tokens within the client is not recommended, since it increases the attack surface and the likelihood of certain security vulnerabilities. For more information, this issue discusses it in depth.
As stated by Joe Grandja, there are no plans to implement refresh tokens for public clients. Public clients are considered unsecured by the nature of their uncontrolled environment, which prevents them from storing client secrets securely. The authorization server will explicitly not generate a refresh token if the client authentication method is none.
The recommendation is to use a backend for frontend approach to manage user tokens and reduce the attack surface by keeping client secrets and access tokens outside of public clients.
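The following is an added illustration of the token-mediating backend for frontend pattern described above; it is not code from this project. The authorization server, resource server and BFF are all stand-ins written in plain Python so the flow can be traced offline, and every name, client id, secret and timestamp in it is constructed. The BFF is a confidential client: it exchanges the code and refreshes tokens with the client secret on the server side, keeps the token set in its own session store, and hands the browser only an opaque HttpOnly cookie. Forged session ids are rejected and no access or refresh token ever appears in a browser-facing response.

```python
import secrets

# Constructed example: a token-mediating BFF in plain Python.
# Nothing here is the project's API; all names and values are assumptions.

CLIENT_ID = "bff-client"          # confidential client registered at the AS
CLIENT_SECRET = "bff-secret-xyz"  # constructed secret; lives only in the BFF


class FakeAuthorizationServer:
    """Stand-in token endpoint. Tokens are only issued to an authenticated
    (confidential) client, mirroring the behaviour described in the README."""

    def __init__(self, lifetime_seconds):
        self.lifetime = lifetime_seconds
        self._codes = {}          # authorization code -> subject (single use)
        self._refresh = {}        # refresh token -> subject (rotated on use)
        self.active_tokens = {}   # access token -> (subject, expires_at)
        self.minted = []          # every token ever issued, for leak checks
        self.refresh_calls = 0

    def issue_code(self, subject):
        code = secrets.token_urlsafe(16)
        self._codes[code] = subject
        return code

    def _mint(self, subject, now):
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
        self.active_tokens[access] = (subject, now + self.lifetime)
        self._refresh[refresh] = subject
        self.minted += [access, refresh]
        return {"access_token": access, "refresh_token": refresh,
                "expires_at": now + self.lifetime}

    def token(self, grant_type, client_id, client_secret, now, **params):
        if client_id != CLIENT_ID or client_secret != CLIENT_SECRET:
            raise PermissionError("client authentication failed")
        if grant_type == "authorization_code":
            subject = self._codes.pop(params["code"])
        elif grant_type == "refresh_token":
            self.refresh_calls += 1
            subject = self._refresh.pop(params["refresh_token"])
        else:
            raise ValueError("unsupported grant type")
        return self._mint(subject, now)


class FakeResourceServer:
    """Stand-in API that accepts only a live bearer token from the AS."""

    def __init__(self, auth_server):
        self.auth_server = auth_server

    def handle(self, headers, now):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        entry = self.auth_server.active_tokens.get(auth[len("Bearer "):])
        if entry is None or entry[1] <= now:
            return 401, "invalid or expired token"
        return 200, f"hello {entry[0]}"


class Bff:
    """Holds the token set server-side; the browser only ever sees an opaque
    session cookie, so tokens and the client secret never reach the client."""

    COOKIE = "BFF_SESSION"

    def __init__(self, auth_server, resource_server):
        self.auth_server = auth_server
        self.resource_server = resource_server
        self._sessions = {}   # opaque session id -> token set

    def callback(self, code, now):
        """Redirect URI handler: exchange the code with the client secret."""
        tokens = self.auth_server.token("authorization_code", CLIENT_ID,
                                        CLIENT_SECRET, now, code=code)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = tokens
        cookie = f"{self.COOKIE}={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
        return {"status": 302, "headers": {"Set-Cookie": cookie, "Location": "/"},
                "body": ""}

    def _session_id(self, cookie_header):
        for part in cookie_header.split(";"):
            name, _, value = part.strip().partition("=")
            if name == self.COOKIE:
                return value
        return None

    def api(self, cookie_header, now):
        """Browser-facing proxy: attach the stored token, refresh if expired."""
        tokens = self._sessions.get(self._session_id(cookie_header or ""))
        if tokens is None:
            return {"status": 401, "headers": {}, "body": "no session"}
        if tokens["expires_at"] <= now:
            # Refresh server-side with the client secret; the browser is not involved.
            tokens = self.auth_server.token("refresh_token", CLIENT_ID, CLIENT_SECRET,
                                            now, refresh_token=tokens["refresh_token"])
            self._sessions[self._session_id(cookie_header)] = tokens
        status, body = self.resource_server.handle(
            {"Authorization": "Bearer " + tokens["access_token"]}, now)
        return {"status": status, "headers": {}, "body": body}


def run_flow():
    """Drive login, a normal API call, a call after token expiry, and a forged cookie."""
    auth = FakeAuthorizationServer(lifetime_seconds=60)
    bff = Bff(auth, FakeResourceServer(auth))
    t0 = 1_000_000.0                                     # constructed clock
    login = bff.callback(auth.issue_code("alice"), t0)
    cookie = login["headers"]["Set-Cookie"].split(";")[0]  # what the browser sends back
    first = bff.api(cookie, t0 + 1)
    refreshed = bff.api(cookie, t0 + 120)                 # past access-token lifetime
    forged = bff.api(f"{Bff.COOKIE}={secrets.token_urlsafe(32)}", t0 + 1)
    browser_saw = str([login, first, refreshed, forged])
    leaked = any(tok in browser_saw for tok in auth.minted)
    return {"login": login, "first": first, "refreshed": refreshed, "forged": forged,
            "leaked": leaked, "refresh_calls": auth.refresh_calls}


if __name__ == "__main__":
    print(run_flow())
```

The point to take from the model is that the only secret the browser holds is the session id, which is useless without the BFF's session store, while the client secret and the refresh token exist only on the server; this is exactly why the authorization server can treat the BFF as a confidential client and issue it a refresh token even though the user agent itself is public.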
Spring Bff Authorization uses a Gradle-based build system. In the instructions below, ./gradlew is invoked from the root of the source tree and serves as a cross-platform, self-contained bootstrap mechanism for the build.
Git and the JDK 17 build are required. Be sure that your JAVA_HOME environment variable points to the jdk17 folder extracted from the JDK download.
git clone git@github.com:Snapwise/spring-bff-authorization.git
Pull requests are welcome. Contact me at fabrizio.rodin-miron@snapwise.app
Spring Bff Authorization is Open Source software released under the Apache 2.0 license.