frontend-handbook
Initial SSO chapter
The goal of this chapter is to explain how to work with auth (right now the focus is on SSO). Once we have libs for this, we could also add more specifics for them.
I'm not convinced MSAL is a good solution:
- I don't like having a special case solution for a single provider, especially if we only need the login part
- We often work with other providers, so it's not like it's solving most of our problems
- Does it have good SSR support? Looking at the NextJS example, it seems like it's doing everything on the client?
- The point of this chapter: I'm not sure that the MSAL library is handling tokens in the recommended ways - from the looks of it, it is saving them to localStorage, which might be good enough for some cases, but is vulnerable to XSS attacks.
Is there some FE lib that we are ok with using for standard OIDC flows?
I can speak for Angular that, if using AD, MSAL makes the most sense. For other providers, we can use angular-auth-oidc-client. We used angular-auth-oidc-client on CEERIS and there it was actually done as you describe here. We didn't have a BFF explicitly, but our Rails backend handled the redirect from the SSO provider and then set cookies for the frontend and redirected back to the frontend SPA. CEERIS is an SPA, not SSR, but I think that the current setup on CEERIS would work with SSR as well.
We could probably do the same with MSAL, but I am not 100% sure.
Note: Based on some examples, angular-auth-oidc-client also supports AD, at least to some extent.
angular-auth-oidc-client is another example of a lib using localStorage to store sensitive credentials.
The CEERIS approach is good, but it might not be possible or practical to do this in other cases (e.g. with microservices).
Basically, there is only one client-side way to do this securely, and that is with service workers. I didn't find a good lib for this, but I'm working on something for that.