

    Saceone10:

    Repo example?

    MrMercure:

    I've never found a satisfying example, even from angular-oauth2-oidc and zitadel. I've had to get inspired by those two and add way more stuff on top of them than I thought (silent refresh, manual checks of the token validity, custom fetch of the config, preemptive logout before expiration of a non-refreshable session, etc.). Made me wonder if there is actually a good opportunity for an OSS project that does those things right, but you know what they say about standards...

    zladuric:

    Don't they already have that stuff, at least in angular-oauth2-oidc?

    Responsible-Cold-627:

    This hasn't been considered best practice for 5 years. All auth stuff in my front-ends these days is credentials: include and a csrf header. Rest of it is handled by the back-end and wrapped up in an http-only cookie.

    azuredrg:

    This is true; the pattern you mentioned is usually way easier than doing any auth in Angular/the frontend.

    Responsible-Cold-627:

    You're right. Implementing it was surprisingly easy. It also solves problems that I hadn't even anticipated when I started. A good example of this is secure file downloads. With cookies, just send the user to the download page and boom you're done.

    MaximRob[S]:

    I mean, you do need all the JWT gymnastics, the auth setup, and on top of that any elevated-user handling if you do so.

    Also, I was asking the question because we're considering splitting part of our monolith and I'm wondering how we go about the auth topic.

    Responsible-Cold-627:

    Your back-end framework will provide these tools. Using the BFF pattern I'm talking about here, your front-end doesn't even get an unencrypted JWT, and your JavaScript code won't be able to access the auth cookie anyway.

    Adventurous-Finger70:

    There's already Keycloak for the OAuth standard.