Implementing the BFF Security Pattern with IdentityServer4 and OidcProxy.Net

Albert Starreveld
The Web Application Security Hub
4 min read, Aug 2, 2023


To make your web application more secure, it is recommended to move token handling to the server side rather than the client side. Unfortunately, to many organisations this may seem rather complex. But it doesn’t have to be.

Complete the following three steps to implement the BFF Security Pattern with IdentityServer4:

  1. Configure IdentityServer.
  2. Create an aspnetcore API.
  3. Build a BFF.

Step 1.) Configure IdentityServer4

GoCloudNative.Bff only supports the Authorization Code Flow with Proof Key for Code Exchange (PKCE). That’s why it is important to configure IdentityServer in a specific way. Configure the Client as follows:

public static readonly Client Client = new Client
{
    // Set the ClientId and the ClientSecret
    ClientId = "bff",
    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },
    // Configure the Authorization Code flow with PKCE
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    // Configure the access token lifetime in seconds (1h by default)
    AccessTokenLifetime = 3600,
    // Make sure IdentityServer may redirect to the bff
    RedirectUris = { "https://localhost:8443/account/login/callback" },
    FrontChannelLogoutUri = "https://localhost:8443/",
    PostLogoutRedirectUris = {…
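As an added illustration (not code from the article or from the GoCloudNative.Bff project), the following Python shows what RequirePkce = true actually enforces in the flow above: the BFF generates a code_verifier, sends only its S256 challenge in the authorize request, and IdentityServer recomputes the challenge when the authorization code is redeemed. The client id and redirect URI are taken from the configuration above; the issuer URL and scope are assumptions.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Values from the Client configuration above; the issuer URL is an assumption.
CLIENT_ID = "bff"
REDIRECT_URI = "https://localhost:8443/account/login/callback"
ISSUER = "https://localhost:5001"  # assumed IdentityServer4 address


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """High-entropy code_verifier (43..128 chars); 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str) -> str:
    """Authorize request the BFF redirects the browser to (client side of PKCE)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",  # assumed scope
        "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{ISSUER}/connect/authorize?{urlencode(params)}"


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Server side: the check RequirePkce makes mandatory at the token endpoint.
    Only S256 is accepted; 'plain', a missing challenge or a bad verifier fail."""
    if method != "S256" or not stored_challenge:
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    expected = challenge_s256(presented_verifier)
    return secrets.compare_digest(expected, stored_challenge)
```

A verifier that does not hash to the challenge stored with the authorization code is rejected, which is what stops a stolen code from being redeemed by a party that never saw the verifier.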
