
SPA with Backend for Frontend

There is a dedicated backend component for the Single Page Application (SPA) which exposes the Client API. The Client API Backend can act purely as a proxy in front of the APIs provided by Resource Servers, or it can implement dedicated client-facing API logic. The Client API Backend is responsible for authenticating the user session with the IAM Authorization Server, and it does so as a confidential OAuth2 client (the client ID and client secret are held only on the backend). The Client API Backend manages the application sessions and the tokens associated with them; the SPA receives only an opaque session identifier, and the Access Token is never exposed to the SPA.

diagram

  1. The user clicks the Sign in/Log in button in the SPA.
  2. The Client API Backend initiates the authentication flow by redirecting the browser to the IAM Server's standard OAuth2 Authorization endpoint (/auth).
  3. The IAM Server presents its own login page, where the user provides credentials in order to authenticate.
  4. Upon successful authentication the IAM Server returns an Authorization Code to the Client API Backend via a browser redirect. The backend must check that the returned state value matches the one it sent in step 2 before using the code.
  5. The Client API Backend calls the IAM Server's standard OAuth2 Token endpoint (/token), authenticating with its client secret, to exchange the Authorization Code for tokens (ID Token, Access Token and Refresh Token).
  6. The IAM Server returns the tokens to the Client API Backend.
  7. The Client API Backend creates an authenticated session with the associated tokens and returns only the session identifier (typically an HttpOnly, Secure cookie) to the SPA client.
  8. The SPA client calls the Client API with the authenticated session.
  9. The Client API Backend calls the underlying Service APIs with the Access Token.
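The nine steps above, carried through end to end as an added example. This is illustrative code written for this page, not the project's own implementation: the IAM endpoint, client ID, client secret and redirect URI are hypothetical, and the IAM Authorization Server and Service API are constructed stand-ins so the flow runs offline. The backend binds each login attempt to a state value and a PKCE verifier, authenticates to the token endpoint with the client secret, and hands the SPA nothing but an opaque session cookie; the Access Token only ever travels from the backend to the Service API.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed IAM endpoint and client registration (hypothetical values, not from the page).
IAM_AUTH_ENDPOINT = "https://iam.example.com/auth"
CLIENT_ID = "spa-bff"
CLIENT_SECRET = "confidential-client-secret"  # held only by the backend, never shipped to the SPA
REDIRECT_URI = "https://app.example.com/bff/callback"

def _pkce_challenge(verifier):
    """S256 code challenge (RFC 7636) so a leaked code is useless without the verifier."""
    return base64.urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

class ClientApiBackend:
    """The BFF: confidential OAuth2 client, session store, and token-attaching proxy."""

    def __init__(self, token_exchange, resource_call):
        self._token_exchange = token_exchange  # POST to /token (injected so the example runs offline)
        self._resource_call = resource_call    # call into the Service API behind the BFF
        self._pending = {}   # state -> PKCE verifier for login attempts in flight
        self._sessions = {}  # opaque session id -> tokens; tokens never leave this dict

    def begin_login(self):
        """Step 2: build the redirect to the IAM /auth endpoint."""
        state, verifier = secrets.token_urlsafe(32), secrets.token_urlsafe(48)
        self._pending[state] = verifier  # state is checked again in complete_login (CSRF/replay)
        params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                  "scope": "openid profile", "state": state,
                  "code_challenge": _pkce_challenge(verifier), "code_challenge_method": "S256"}
        return IAM_AUTH_ENDPOINT + "?" + urlencode(params)

    def complete_login(self, callback_url):
        """Steps 4-7: validate state, exchange the code, create a session, return (sid, Set-Cookie)."""
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [""])[0], q.get("code", [""])[0]
        verifier = self._pending.pop(state, None)  # unknown or already-used state is rejected
        if verifier is None or not code:
            raise PermissionError("invalid or replayed login callback")
        tokens = self._token_exchange({"grant_type": "authorization_code", "code": code,
                                       "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
                                       "client_secret": CLIENT_SECRET, "code_verifier": verifier})
        if "access_token" not in tokens:
            raise PermissionError("token exchange failed: %s" % tokens.get("error"))
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = tokens
        # The SPA only ever receives this opaque id; the flags keep it out of reach of page scripts.
        return sid, "bff_session=%s; HttpOnly; Secure; SameSite=Strict; Path=/" % sid

    def call_api(self, sid, path):
        """Steps 8-9: the SPA presents its session; the BFF attaches the Access Token server-side."""
        tokens = self._sessions.get(sid)
        if tokens is None:
            return 401, None
        return self._resource_call(path, {"Authorization": "Bearer " + tokens["access_token"]})

class FakeIamServer:
    """Constructed stand-in for the IAM Authorization Server so the flow runs offline."""

    def __init__(self):
        self._codes = {}  # code -> (redirect_uri, code_challenge); each code is single-use

    def authorize(self, auth_url):
        """Steps 3-4: the user authenticates at the login page; IAM redirects back with a code."""
        q = parse_qs(urlparse(auth_url).query)
        if q["client_id"][0] != CLIENT_ID or q["response_type"][0] != "code":
            raise ValueError("unknown client or response_type")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["redirect_uri"][0], q["code_challenge"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, form):
        """Steps 5-6: tokens only for the confidential client with the right secret and verifier."""
        entry = self._codes.pop(form.get("code"), None)
        if entry is None or form.get("grant_type") != "authorization_code":
            return {"error": "invalid_grant"}
        if not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET):
            return {"error": "invalid_client"}
        redirect_uri, challenge = entry
        if form.get("redirect_uri") != redirect_uri or not hmac.compare_digest(
                _pkce_challenge(form.get("code_verifier", "")), challenge):
            return {"error": "invalid_grant"}
        return {"access_token": "at-" + secrets.token_hex(8), "id_token": "idt-" + secrets.token_hex(8),
                "refresh_token": "rt-" + secrets.token_hex(8)}

def fake_service_api(path, headers):
    """Constructed Resource Server: accepts only bearer tokens minted by FakeIamServer."""
    if not headers.get("Authorization", "").startswith("Bearer at-"):
        return 401, None
    return 200, {"path": path, "orders": ["ord-1", "ord-2"]}

def run_flow():
    """Drive steps 1-9 end to end and return what each party ended up holding."""
    iam = FakeIamServer()
    bff = ClientApiBackend(token_exchange=iam.token, resource_call=fake_service_api)
    auth_url = bff.begin_login()                    # 1-2: user clicks Sign in, BFF redirects to /auth
    callback_url = iam.authorize(auth_url)          # 3-4: login page, code returns via the browser
    sid, cookie = bff.complete_login(callback_url)  # 5-7: code exchange, session created
    status, body = bff.call_api(sid, "/orders")     # 8-9: SPA calls BFF, BFF calls the Service API
    try:                                            # the same callback must not log in twice
        bff.complete_login(callback_url)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return {"bff": bff, "iam": iam, "callback_url": callback_url, "sid": sid, "cookie": cookie,
            "status": status, "body": body, "replay_rejected": replay_rejected}
```

Calling `run_flow()` returns the cookie the SPA received, the Service API response and whether a replayed callback was refused; inspecting the cookie shows it contains only the session id, while the tokens stay in the backend's session store. In a real deployment the pending-state map and the session store would be shared storage with expiry, and the state would additionally be bound to the browser through a short-lived cookie set when the login starts.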