Skip to content

blog: architecture driven auth part 3 (BBOC)#3967

Open
sixhobbits wants to merge 9 commits intoFusionAuth:mainfrom
ritza-co:architecture-driven-auth-bboc
Open

blog: architecture driven auth part 3 (BBOC)#3967
sixhobbits wants to merge 9 commits intoFusionAuth:mainfrom
ritza-co:architecture-driven-auth-bboc

Conversation

@sixhobbits
Copy link
Collaborator

@sixhobbits sixhobbits commented Oct 29, 2025

No description provided.

@sixhobbits sixhobbits requested review from a team as code owners October 29, 2025 10:10
kmaida
kmaida reviewed Jan 5, 2026
View reviewed changes
Copy link
Contributor

@kmaida kmaida left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm no longer a CODEOWNER, so someone from FusionAuth DevRel will need to approve final changes.

astro/src/content/blog/browser-based-oauth-client-security-architecture.mdx Outdated

- Cannot use client secrets in token exchange requests.
- Must rely entirely on PKCE (Proof Key for Code Exchange) for request validation.
- Cannot authenticate to the authorization server in the traditional sense.
Copy link
Contributor

@kmaida kmaida Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not really sure what's meant by this. It's true, but it's not really explained enough to make sense here as a list item.

astro/src/content/blog/browser-based-oauth-client-security-architecture.mdx Outdated

### Migration to TMB

Backend endpoints handle OAuth flows using PKCE and store refresh tokens in server-side sessions while returning short-lived access tokens to the frontend. The frontend implements in-memory token storage with automatic refresh logic that calls the backend token endpoint when tokens near expiration. With TMB, much of the frontend OAuth logic remains similar to BBOC, and the migration focuses on moving token exchange and storage to the backend. The frontend remains complex due to direct API calls requiring access token management.
Copy link
Contributor

@kmaida kmaida Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a link to the TMB article?

astro/src/content/blog/browser-based-oauth-client-security-architecture.mdx
- **Content Security Policy (CSP):** Implement strong, nonce-based CSP to block XSS attacks and restrict script execution.
- **Subresource Integrity (SRI):** Use SRI for all third-party scripts to prevent supply chain attacks from compromising your application.
- **Rate limiting:** Apply aggressive rate limiting on authentication endpoints to slow brute force and token theft attempts.
- **Demonstrating Proof of Possession (DPoP):** Implement DPoP to bind tokens to specific clients, preventing token replay by attackers.
Copy link
Contributor

@kmaida kmaida Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

...and/or mTLS. I know that's a whole nother topic, but I don't think it needs to be fully explained here. A mention and link to learn more would suffice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kmaida kmaida kmaida left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@sixhobbits @kmaida @nielthiart @rideam @bethh0rn @LewisDwyer