Forem: Albert Starreveld The latest articles on Forem by Albert Starreveld (@appie2go). https://forem.com/appie2go https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F377330%2F8178fb1c-77ca-40c6-b315-e9a383b4a313.jpeg Forem: Albert Starreveld https://forem.com/appie2go en Custom Sign-In Redirects in BFF Architectures: A Guide Using OidcProxy.Net Albert Starreveld Wed, 24 Jan 2024 15:17:08 +0000 https://forem.com/appie2go/custom-sign-in-redirects-in-bff-architectures-a-guide-using-oidcproxynet-5a63 https://forem.com/appie2go/custom-sign-in-redirects-in-bff-architectures-a-guide-using-oidcproxynet-5a63 <p>Implementing authentication in ASP.NET Core is usually straightforward in most cases. Installing a couple of NuGet packages and configuring them typically does the trick, unless there are complex requirements. In such cases, implementing authentication can be quite daunting.</p> <p>Consider the following scenario: it isn't uncommon for web applications to have an admin console. Both administrators and end-users use the same login page to authenticate. However, after signing in, the admin sees the admin page, while the end-user does not.</p> <p>Assume the following requirements:</p> <ul> <li>Admins see the /admin.aspx page after signing in.</li> <li>Users see the /welcome.aspx page after signing in.</li> <li>Users see the /birthday.aspx page after signing in on their birthday.</li> </ul> <p>This article covers:</p> <ul> <li>How to bootstrap an Angular Spa + BFF project</li> <li>How to implement custom sign-in requirements using OidcProxy.Net</li> <li>Security considerations when implementing custom-redirection</li> </ul> <h2> Context </h2> <p>The Backend For Frontend architectural pattern has been widely adopted. However, it is advisable to move the authentication process out of Single-Page applications that run in the browser, to the server-side.</p> <p>In a .NET 8 ecosystem, this is easily accomplished by installing a package called OidcProxy.Net. By installing this package in a solution, the web application becomes an Identity-Aware proxy. It is meant to receive requests from a front-end and forward it to downstream services. This is illustrated in the following context diagram:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7wnezs837alv27k2ij0s.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7wnezs837alv27k2ij0s.png" alt="Figure 1.) A back-end for front-end architecture." width="800" height="356"></a></p> <h2> Creating the Single-Page Application and the BFF. </h2> <p>Adhering to the latest best-practices in web-authentication, token-exchange takes place at the server side. This requires hosing the Single-Page Application and the BFF on the same domain. </p> <p>Implementing that requires runtime on the server-side and wwwroot to serve the dist folder of the Single-Page Application. To implement that, scaffold an Angular App + BFF using the OidcProxy.Net Template-Pack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Download and install the template pack first</span> dotnet new <span class="nb">install </span>OidcProxy.Net.Templates <span class="c"># Scaffold the proxy</span> dotnet new OidcProxy.Net.Angular <span class="nt">--backend</span> <span class="s2">"https://backend-1.myapp.com"</span> <span class="nt">--idp</span> <span class="s2">"https://idp.myapp.com"</span> <span class="nt">--clientId</span> xyz <span class="nt">--clientSecret</span> abc <span class="c"># Run it</span> dotnet run </code></pre> </div> <p>This will generate the following project:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekrkmq8d4vq96v3vc566.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fekrkmq8d4vq96v3vc566.png" alt="figure 2.) A boilerplate Bff project with Angular" width="800" height="948"></a></p> <p><em>Sidenote: This boilerplate project is only compatible with OpenID Connect implementations that are fully compliant such as IdentityServer or KeyCloak, for example. For products that deviate from the OpenID Connect specification, like Auth0, install the <code>OidcProxy.Net.Auth0</code> package. For Microsoft Entra Id, install the <code>OidcProxy.Net.EntraId</code> package.</em></p> <p>Run the project by typing dotnet run or by clicking the play button in Visual Studio. This action will launch the website, which features a sign-in button in the upper left corner. You can use this button to test the sign-in functionality. When clicked, it will navigate the user to the /.auth/login endpoint. Subsequently, it will redirect the user to the identity provider for signing in, and eventually bring them back to the website.</p> <h2> Configuring the default landing-page </h2> <p>The scaffolded project contains an appsettings.json file, which includes a section named OidcProxy. In this section, the configuration for the identity provider's address (idp), client_id, and client_secret is specified.</p> <p>Configuring the destination after a user signs in is also a matter of configuration, with a setting called <code>OidcProxy__Landingpage</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"OidcProxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">Your</span><span class="w"> </span><span class="err">other</span><span class="w"> </span><span class="err">settings..</span><span class="w"> </span><span class="err">#...</span><span class="w"> </span><span class="nl">"LandingPage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/welcome.aspx"</span><span class="w"> </span><span class="err">#</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Configuring this would be sufficient for most cases. However, in light of the requirements outlined in the first part of the article, this doesn't address the need for the administrator to land on the /admin endpoint, and users aren't redirected to the birthday.aspx page on their birthday.</p> <h2> Specifying a landing-page on the fly </h2> <p>Most websites have fewer admins than customers who sign in. And usually, websites have a special link for admins to sign in.</p> <p>With OidcProxy.Net it is possible to specify the landingpage an end-user should be redirected to after signing in. Assume administrators need to be redirect to /admin.aspxafter signing in, use the following link: <code>/.auth/login?landingpage=/admin.aspx</code></p> <p>For security reasons, this link will not work out of the box. You need to whitelist the landing pages that may be specified in the ?landingpage= query string parameter in the config. To enable this functionality, add the following configuration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="nl">"LandingPage"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/welcome.aspx"</span><span class="p">,</span><span class="w"> </span><span class="nl">"AllowedLandingPages"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"/admin.aspx"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Implementing complex business-rules to determine the landing-page </h2> <p>Then there's still the issue of the birthday celebrants. They need to be redirected to /birthday.aspx on their birthday. To tackle complex scenario's you'll need to write some custom middleware.</p> <p>The OidcProxy.Net processes every sign-in using a class called DefaultAuthenticationCallbackHandler. This class is extendable, which allows implementing the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">public</span> <span class="k">class</span> <span class="nc">BirthdayAuthenticationCallbackHandler</span> <span class="p">:</span> <span class="n">DefaultAuthenticationCallbackHandler</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">BirthdayAuthenticationCallbackHandler</span><span class="p">(</span><span class="n">ILogger</span><span class="p">&lt;</span><span class="n">DefaultAuthenticationCallbackHandler</span><span class="p">&gt;</span> <span class="n">logger</span><span class="p">)</span> <span class="p">:</span> <span class="k">base</span><span class="p">(</span><span class="n">logger</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="k">public</span> <span class="k">override</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IResult</span><span class="p">&gt;</span> <span class="nf">OnAuthenticated</span><span class="p">(</span><span class="n">HttpContext</span> <span class="n">context</span><span class="p">,</span> <span class="n">JwtPayload</span><span class="p">?</span> <span class="n">payload</span><span class="p">,</span> <span class="kt">string</span> <span class="n">defaultLandingPage</span><span class="p">,</span> <span class="kt">string</span><span class="p">?</span> <span class="n">userPreferredLandingPage</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">birthday</span> <span class="p">=</span> <span class="n">payload</span> <span class="p">.</span><span class="nf">Where</span><span class="p">(</span><span class="n">claim</span> <span class="p">=&gt;</span> <span class="n">claim</span><span class="p">.</span><span class="n">Key</span> <span class="p">==</span> <span class="s">"birthday"</span><span class="p">)</span> <span class="p">.</span><span class="nf">Select</span><span class="p">(</span><span class="k">value</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">DateTime</span><span class="p">.</span><span class="nf">TryParse</span><span class="p">(</span><span class="k">value</span><span class="p">.</span><span class="nf">ToString</span><span class="p">(),</span> <span class="k">out</span> <span class="kt">var</span> <span class="n">birthday</span><span class="p">);</span> <span class="k">return</span> <span class="n">birthday</span><span class="p">;</span> <span class="p">})</span> <span class="p">.</span><span class="nf">FirstOrDefault</span><span class="p">();</span> <span class="n">IResult</span> <span class="n">landingPage</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="n">birthday</span><span class="p">.</span><span class="n">Day</span> <span class="p">==</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">.</span><span class="n">Day</span> <span class="p">&amp;&amp;</span> <span class="n">birthday</span><span class="p">.</span><span class="n">Month</span> <span class="p">==</span> <span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">.</span><span class="n">Month</span><span class="p">)</span> <span class="p">{</span> <span class="n">landingPage</span> <span class="p">=</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Redirect</span><span class="p">(</span><span class="s">"birthday.aspx"</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="n">landingPage</span> <span class="p">=</span> <span class="n">Results</span><span class="p">.</span><span class="nf">Redirect</span><span class="p">(</span><span class="s">"welcome.aspx"</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="n">Task</span><span class="p">.</span><span class="nf">FromResult</span><span class="p">(</span><span class="n">landingPage</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The BirthdayAuthenticationCallbackHandler can be configured by adding the following code program.cs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddOidcProxy</span><span class="p">(</span><span class="n">config</span><span class="p">,</span> <span class="n">o</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">o</span><span class="p">.</span><span class="n">AddAuthenticationCallbackHandler</span><span class="p">&lt;</span><span class="n">BirthdayAuthenticationCallbackHandler</span><span class="p">&gt;();</span> <span class="p">});</span> </code></pre> </div> <p>Implementing all of the above fulfills the requirements mentioned earlier in the article.</p> <h2> Why landing-page != redirect_uri </h2> <p>OidcProxy.Net makes a distinct difference between the concept redirect_url and their landingpage-concept. That's because they serve a different purpose. </p> <ul> <li>The landingpage is used to redirect a user to a page after signing in successfully.</li> <li>The redirect_url is used for token exchange and is an explicit part of the OAuth2 protocol.</li> </ul> <p>OidcProxy.Net uses a special endpoint, the <code>/.auth/login/callback</code> endpoint to receive information from the Identity Provider. This endpoint needs to be whitelisted on the Identity Provider. </p> <p>Landingpages should not be whitelisted on the Identity Provider.</p> <h2> Summary </h2> <p>Adhering to the latest OAuth-best-practices means token-exchange should take place on the server-side. However, this poses challenges in case of complex post-authentication logic.<br> These challenges can be overcome by utilising a NuGet package called OidcProxy.Net in your ASP.NET Core webapp. It has three main features which make complex redirection possible:</p> <ul> <li>The <code>landingpage</code> setting inappsettings.json</li> <li>Specifying the <code>landingpage</code> when invoking the login endpoint (<code>/.auth/login?landingpage=/admin.aspx</code>)</li> <li>Configuring a custom implementation of the <code>DefaultAuthenticationCallbackHandler</code> class.</li> </ul> webdev dotnet bff authentication A guide to building a simple ASP.NET Core BFF with a React APP Albert Starreveld Wed, 21 Jun 2023 13:09:34 +0000 https://forem.com/appie2go/ultimate-guide-to-building-your-first-aspnet-core-bff-with-a-react-app-4oeh https://forem.com/appie2go/ultimate-guide-to-building-your-first-aspnet-core-bff-with-a-react-app-4oeh <p>Implementing authentication in a BFF with a React app is deemed to be complicated. Especially because proper documentation or examples are hard to find. </p> <p>Implementing authentication a BFF with a react app is actually pretty straight forward. Read this article and learn how to build a BFF that hosts a React APP with ASP.NET Core.</p> <h2> Understanding the BFF Pattern </h2> <p>The purpose of the BFF (Backend for Frontend) pattern is to minimize the number of HTTP calls made by the front-end to the underlying microservices. Because, as the term "micro" suggests, there might be quite a few.</p> <p>The BFF runs on the server-side, and the front-end interacts with it through its API. The BFF invokes multiple downstream APIs, it consolidates the responses from these APIs into a single response, allowing the front-end to retrieve all the required data in a single request.</p> <p>From an infrastructure perspective, this is a representation of the BFF pattern:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faihd8jydi4u4yhz115vn.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Faihd8jydi4u4yhz115vn.png" alt="Image description" width="800" height="622"></a></p> <p>If authentication is necessary, this pattern presents certain difficulties. Recently, the development community discourages using tokens in the front-end because that is not deemed safe enough anymore.</p> <p>Instead, tokens are to be used server-side only. This means anything with tokens should move to the BFF. This means:</p> <ul> <li>The site and the BFF must be on the same domain</li> <li>The BFF must manage the users' session</li> </ul> <p>The following steps describe how to implement this:</p> <h2> Implementing the BFF Security Pattern </h2> <p>As I stated earlier, fortunately, implementing the BFF pattern with ASP.NET Core isn't hard. A lot of boilerplate projects are available out of the box. To set up an ASP.NET Core project that hosts a React app, just type the following command in your CMD or Terminal:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet new react </code></pre> </div> <p>This will scaffold an ASP.NET Core App with a react app:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumk7s2rcnjmqq5itujaz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fumk7s2rcnjmqq5itujaz.png" alt="Image description" width="800" height="782"></a></p> <p>The pre-built application includes an API that generates weather forecasts. However, when it comes to a BFF implementation, the server-side should refrain from performing any calculations and instead focus on forwarding all requests to downstream services. So, the first thing to do is to remove the controllers in the projects.</p> <h2> Implementing the Authentication Gateway </h2> <p>Implementing an authentication gateway is as easy as creating an ASP.NET Core app that hosts a React App.</p> <p>Just add the following package to connect to any OpenId Connect compliant Identity Provider:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>dotnet add package GoCloudNative.Bff.Authentication.OpenIdConnect </code></pre> </div> <p>Register this component in the ASP.NET Core pipeline, modify the <code>Program.cs</code> to be similar to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">GoCloudNative.Bff.Authentication.ModuleInitializers</span><span class="p">;</span> <span class="k">using</span> <span class="nn">GoCloudNative.Bff.Authentication.OpenIdConnect</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllersWithViews</span><span class="p">();</span> <span class="c1">// !! Register the authentication gateway here</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSecurityBff</span><span class="p">(</span><span class="n">o</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">o</span><span class="p">.</span><span class="nf">ConfigureOpenIdConnect</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetSection</span><span class="p">(</span><span class="s">"OIDC"</span><span class="p">));</span> <span class="n">o</span><span class="p">.</span><span class="nf">LoadYarpFromConfig</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetSection</span><span class="p">(</span><span class="s">"ReverseProxy"</span><span class="p">));</span> <span class="p">});</span> <span class="c1">// !!</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="k">if</span> <span class="p">(!</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHsts</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHttpsRedirection</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseStaticFiles</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseRouting</span><span class="p">();</span> <span class="c1">// !! Register the authentication gateway here too</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSecurityBff</span><span class="p">();</span> <span class="c1">// And remove this</span> <span class="c1">// app.MapControllerRoute(</span> <span class="c1">// name: "default",</span> <span class="c1">// pattern: "{controller}/{action=Index}/{id?}");</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapFallbackToFile</span><span class="p">(</span><span class="s">"index.html"</span><span class="p">);</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>And, assuming you are using two microservices (as illustrated in the diagram in the beginning of the article), use the following appsettings.json:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Logging"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"LogLevel"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Default"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Information"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Microsoft.AspNetCore"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Warning"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Oidc"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ClientId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{yourClientId}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ClientSecret"</span><span class="p">:</span><span class="w"> </span><span class="s2">"{yourClientSecret}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Authority"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://{yourAuthority}"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Scopes"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"openid"</span><span class="p">,</span><span class="w"> </span><span class="s2">"profile"</span><span class="p">,</span><span class="w"> </span><span class="s2">"offline_access"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"AllowedHosts"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ReverseProxy"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Routes"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api1"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ClusterId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/{*any}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"api2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ClusterId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"api2"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Match"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Path"</span><span class="p">:</span><span class="w"> </span><span class="s2">"/api/bar/{*any}"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Clusters"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api1"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Destinations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api1"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8081/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"api2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Destinations"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api2"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Address"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8082/"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This code modifies the default ASP.NET Core React project:</p> <ul> <li>By adding the SecurityBff and configuring OpenId Connect, users can now authenticate.</li> <li>By loading the reverse-proxy config, all requests to endpoints that start with /api are forwarded to downstream services. The forwarded requests are enriched with the bearer token that was issued by the Identity Provider when the user has logged in.</li> </ul> <p>Nontheless, by default, all requests are handled by the React app. To get the BFF to work, all requests to "/api" and to "/account" need to be handled by the ASP.NET Core app. Therefor, we need to modify the <code>setupProxy.js</code> file that is located in <code>ClientApp/src</code>. Register the api- and the account endpoints there:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">createProxyMiddleware</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">http-proxy-middleware</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">env</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">process</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">target</span> <span class="o">=</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ASPNETCORE_HTTPS_PORT</span> <span class="p">?</span> <span class="s2">`https://localhost:</span><span class="p">${</span><span class="nx">env</span><span class="p">.</span><span class="nx">ASPNETCORE_HTTPS_PORT</span><span class="p">}</span><span class="s2">`</span> <span class="p">:</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ASPNETCORE_URLS</span> <span class="p">?</span> <span class="nx">env</span><span class="p">.</span><span class="nx">ASPNETCORE_URLS</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">;</span><span class="dl">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">http://localhost:51710</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="p">[</span> <span class="dl">"</span><span class="s2">/api</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">/account</span><span class="dl">"</span> <span class="p">];</span> <span class="kd">const</span> <span class="nx">onError</span> <span class="o">=</span> <span class="p">(</span><span class="nx">err</span><span class="p">,</span> <span class="nx">req</span><span class="p">,</span> <span class="nx">resp</span><span class="p">,</span> <span class="nx">target</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">err</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nf">function </span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">appProxy</span> <span class="o">=</span> <span class="nf">createProxyMiddleware</span><span class="p">(</span><span class="nx">context</span><span class="p">,</span> <span class="p">{</span> <span class="na">target</span><span class="p">:</span> <span class="nx">target</span><span class="p">,</span> <span class="na">onError</span><span class="p">:</span> <span class="nx">onError</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Connection</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Keep-Alive</span><span class="dl">'</span> <span class="p">}</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">appProxy</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>And that's it. Check out the code here: <a href="https://github.com/appie2go/dotnet-spa-and-bff-react" rel="noopener noreferrer">https://github.com/appie2go/dotnet-spa-and-bff-react</a></p> <h2> Logging in </h2> <p>Those are all the steps you need to do to create a BFF that hosts a React App. When you start the app, by default, users are not authenticated. To authenticate, navigate the user to <code>/account/login</code>. To see who's logged in, execute a GET request to the <code>/account/me</code> endpoint. To sign-out, navigate the user to <code>/account/end-session</code>.</p> <h2> Sources </h2> <ul> <li><a href="https://bff.gocloudnative.org/integration-manuals/quickstarts/identityserver4/quickstart/" rel="noopener noreferrer">https://bff.gocloudnative.org/integration-manuals/quickstarts/identityserver4/quickstart/</a></li> </ul>