Duende.BFF (Backend for Frontend Pattern) Update
Back in March we posted our thoughts on the ongoing browser
changes and how we think browser-based applications should be secured going forward.
We also introduced Duende.BFF which is a pre-packaged solution for building BFF
hosts using ASP.NET Core. In essence Duende.BFF has all the building blocks you need in one place to satisfy the needs
of a BFF-style architecture:
- OpenID Connect & OAuth 2 client library
- Session management including server-side session storage
- Primitives for starting, stopping and querying sessions
- Support for back-channel logout notifications
- Built-in token management, e.g. server-side token storage, token refresh
- SameSite and anti-forgery protection for API endpoints
- HTTP forwarder for remote APIs

In the meantime we helped a number of our customers refactor their web applications to the BFF pattern. The feedback
during this process helped us to continuously improve the library - thanks!
We just pushed rc.4 - which we think will be the last
pre-release. We made some important changes that I quickly want to discuss.
When we started out, we embedded Microsoft YARP as our HTTP forwarding
mechanism. YARP is a pretty powerful library, but we decided that we will separate the HTTP forwarding part from our
core BFF library, because
- YARP is still in preview and Microsoft wants to wait with RTM until it is proven to work in one of their pilot
projects. That's fine, but it also means that it might change before it is released
- Not everybody needs HTTP forwarding
- If you need HTTP forwarding, you have a couple of options including our built-in approach, but also others
- We didn't want to wrap YARP's features but provide a simplified API. If you need advanced features like load
balancing, service discovery, session affinity, you should be able to use YARP directly (without losing the BFF
benefits)
Long story short - we split our packages into the core Duende.BFF and Duende.BFF.Yarp for our YARP integration.
By doing so you now have the choice of using our YARP wrapper or using YARP directly while still taking advantage of our
BFF features like anti-forgery protection and token management.
We updated our samples
and documentation to reflect these changes and
expect to release 1.0 of our core library in the coming days.
Feedback welcome!

