What do you think about authorization logic on the BFF, where authentication is performed by the IdP and the client gets a token with roles in a scope, and permissions are implemented in the BFF vs. the gateway?
I think that is perfectly fine, especially if you don't have the gateway. At times a BFF could also be used to maintain a session. There is a nice blog post written by Okta auth0.com/blog/backend-for-frontend-pattern-with-auth0-and-dotnet/ (ignore the fact it refers to ASP.NET and have a look at the sequence diagram). I'd personally also impose authorization in the downstream microservices. I generally do that by relaying a JWT so each microservice knows exactly who or what is generating the request and what its allowed scopes are.
A lot of theory videos for BFF; are there no practice videos?
What aspect of the BFF would you like to be put into practice? If I can help, I'll be happy to do a video about it.
@MarcoLenzo just a simple example using JS tools
Thank you very much!
Thank you 🙏