COMMENTS •

  • @dawid_dahl · 10 months ago

    Also very good teaching style. Well done! 👏🏻🙏🏻

    • @FusionAuth · 10 months ago

      Glad you liked it!

  • @dawid_dahl · 10 months ago

    Thank you so much! Very valuable info.

    • @FusionAuth · 10 months ago

      Glad it was helpful!

  • @FOSology · 3 months ago

    At 36:40, you said that the APIs are often "external." But it seems that many people use the BFF architecture (not in the security sense of the term) for their SPAs, such as an Angular frontend with a Spring Boot backend, or a React frontend with a Node backend, and so on. And often there is an internal database where direct contact with that database is delegated to the backend. So often people set up their backend as a RESTful API for only their frontend to call. Often those API calls are just pushing and pulling data from the database. A CRUD app. And then there may be some 3rd-party APIs which the backend calls.
    In regard to the BFF security pattern, I can't find much information on what we are supposed to do with our own internal API which already exists on the backend (the one for interfacing with the database). In my current SPA (Angular frontend and Spring Boot backend), the frontend is the OAuth client and sends the auth token to the backend to call its own API (using OIDC for login). How does the BFF security pattern change this part? I can see how it works with 3rd-party APIs (in that case, I have a backend, so just run the OAuth flow in the existing backend when I need to call a 3rd-party API). But how do I now secure my backend's own API? Do I now need an additional server (so two backends) or a gateway?

    • @FusionAuth · 2 months ago +1

      If you are trying to secure your backend and require the use of an API key, this might be best. If you are basing it purely on the JWT, you could base it on the issuer, audience, and any claims you need to guarantee the call is safe.
      You can see more on how to accomplish authorization and securing your application:
      fusionauth.io/docs/get-started/core-concepts/authentication-authorization#authorization-and-securing-your-application