Lack of Docs for OAuth + Custom Backend + SPA
-
I'm working on implementing the OAuth auth code grant flow with a custom backend and a SPA frontend with Jwt access & refresh tokens:
https://fusionauth.io/articles/login-authentication-workflows/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookiesThe above doc diagrams and describes the flow in pretty good detail, but haven't found much practical guidance on actual implementation. Surprising, considering this is a pretty much becoming the industry standard -- and it's even listed as a "Recommended" approach for SPAs.
I did find this, which I'm able to adapt easily enough (especially combined with the SPA Getting Started guides):
https://github.com/FusionAuth/fusionauth-javascript-sdk-expressBut I still would have expected to see multiple reference implementations for this scenario, and probably a few Getting Started guides. Can't help but wonder if there is a document or repository I'm missing?
-
@qwandery I was just having this discussion yesterday in this thread and also internally.
I think what we are missing for a FusionAuth guide is a SPA with multiple custom backend API implementations.
and possibly
Multiple SPA Applications hitting multiple backend API implementations.
We have both of these examples individually.
and in meta frameworks that create their own API's
but what I think we are missing is a full picture. For sure noted and have it on our backlog to create!
-
@qwandery @Alex-Patterson I think it is also very beneficial to focus on some implementation details such as how our
logoutendpoint should not validate JWT token otherwise user might receive a 401 JSON response.In my case I was validating it in my backend app (NestJS) so I thought it should be OK but now that I am looking in the rearview mirror I think I can see why I should not have done that
.Ah BTW, here I am using NextJS (standalone) + NestJS. So it is not SPA.