
Stop Storing Tokens in the Browser: A Better Security Model for SPAs

Many single-page applications (SPAs) handle authentication directly in the browser, storing access and refresh tokens in localStorage, sessionStorage, or cookies. A token in localStorage or sessionStorage can be read by any script that runs in the page, so a single cross-site scripting (XSS) bug leaks it; a token in a cookie is attached to requests automatically, which exposes the application to cross-site request forgery (CSRF) unless the cookie is locked down.

This session introduces the Backend-for-Frontend (BFF) pattern, a more secure and simpler approach to SPA authentication. We will explore how to remove tokens from the browser entirely, replace them with an HttpOnly, SameSite session cookie, and move the OpenID Connect flow and token handling to a backend that calls APIs on the SPA's behalf.

You will learn:
* The real risks of browser-based token storage
* How the BFF pattern works and why it is safer
* How to build SPAs that stay secure
* How major platforms and organizations are adopting this model

This talk is for developers working with OpenID Connect and OAuth who want a modern and secure approach to SPA authentication.
We will show live code examples built using ASP.NET Core.

Done once in a user group in the past, for ASP.NET Core, but most of it is generic and applicable to developers on all platforms. Consists mostly of presentation, with some live demonstrations at the end.

Tore Nestenius

Microsoft .NET MVP | Training, Security, Architecture instructor

Helsingborg, Sweden
