    Lack of Docs for OAuth + Custom Backend + SPA

    • qwandery

      I'm working on implementing the OAuth auth code grant flow with a custom backend and a SPA frontend with JWT access & refresh tokens:
      https://fusionauth.io/articles/login-authentication-workflows/spa/oauth-authorization-code-grant-jwts-refresh-tokens-cookies

      The above doc diagrams and describes the flow in pretty good detail, but I haven't found much practical guidance on actual implementation. Surprising, considering this is pretty much becoming the industry standard -- and it's even listed as a "Recommended" approach for SPAs.

      I did find this, which I'm able to adapt easily enough (especially combined with the SPA Getting Started guides):
      https://github.com/FusionAuth/fusionauth-javascript-sdk-express

      But I still would have expected to see multiple reference implementations for this scenario, and probably a few Getting Started guides. Can't help but wonder if there is a document or repository I'm missing?

      • Alex Patterson @qwandery

        @qwandery I was just having this discussion yesterday in this thread and also internally.

        I think what we are missing for a FusionAuth guide is a SPA with multiple custom backend API implementations.

        and possibly

        Multiple SPA Applications hitting multiple backend API implementations.

        We have both of these examples individually.

        Angular Quickstart

        Express API

        and in meta frameworks that create their own APIs

        Next.js

        but what I think we are missing is a full picture. For sure noted and have it on our backlog to create!

        • kasir-barati @qwandery

          @qwandery @Alex-Patterson I think it is also very beneficial to focus on some implementation details, such as how our logout endpoint should not validate the JWT token; otherwise the user might receive a 401 JSON response.

          In my case I was validating it in my backend app (NestJS), so I thought it should be OK, but now that I am looking in the rearview mirror I think I can see why I should not have done that 😓.

          Ah BTW, here I am using NextJS (standalone) + NestJS. So it is not a SPA.

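The logout behaviour raised in the last reply, as an added example that is not code from this thread or from FusionAuth: a protected route rejects an expired access token with a 401, while the logout route skips JWT validation and still clears the session. The cookie names, the HS256 demo secret and the `revokeRefreshToken` callback are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, demo only
const b64u = (s) => Buffer.from(s).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Mint an HS256 JWT so the demo has tokens to work with.
function signJwt(claims) {
  const signed = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${signed}.${hmac(signed).toString('base64url')}`;
}

// Return the claims if the signature matches and the token is unexpired, else null.
function verifyJwt(token, now = Math.floor(Date.now() / 1000)) {
  const [head, body, sig] = String(token || '').split('.');
  if (!head || !body || !sig) return null;
  const expected = hmac(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
}

// Protected API route: a missing, forged or expired access token is a 401.
function profileRoute(cookies) {
  const claims = verifyJwt(cookies.access_token);
  return claims
    ? { status: 200, body: { sub: claims.sub } }
    : { status: 401, body: { error: 'unauthorized' } };
}

// Logout route (hypothetical handler): deliberately no JWT guard. Whatever state the
// access token is in, revoke the refresh token if one was sent, expire both cookies
// (assumed names) and redirect, so the browser never lands on a 401 JSON body.
function logoutRoute(cookies, revokeRefreshToken) {
  if (cookies.refresh_token) revokeRefreshToken(cookies.refresh_token);
  const expire = (name) => `${name}=; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=0`;
  return {
    status: 302,
    headers: { Location: '/', 'Set-Cookie': [expire('access_token'), expire('refresh_token')] },
  };
}
```

Users most often click "log out" after the short-lived access token has already expired, which is exactly the case a JWT guard on the logout route turns into an error.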