Search code examples
reactjsexpressauthenticationoauth-2.0openid-connect

OpenID Connect /Node /React


There is a lot of examples how to implement OpenID Connect auth. in Node - code grant (+ client password). There is a lot of examples how to implement OpenID in React (SPA) - code grant with PKCE

Even I know that PKCE it's rather secure, however I feel bad to relegate authentication solely on client side. Every React SPA has backend (at least it should be hosted somewhere).

I want to have server side in Node (Express) to securely save client password and make all heavy lifting with Identity Server and React for front-end.

As I already said there is a lot of examples of "Node (Express) with template engines" for authentication. But I want to use React as "template engine".

So, I am looking for full and correct implementation of it. Meanwhile I cannot find it. Can anybody help me with it - to find an example?


Solution

  • The 2 common types of solution are summarized here:

    • Plug in a client side library like OIDC client to do the heavy lifting, so that you don't write much security code yourself. This library runs a number of security checks before accepting tokens. It used to be popular but is now less satisfactory due to third party cookie restrictions preventing some parts of the flow from working reliably.

    • Use a backend for frontend solution that results in your SPA getting an HttpOnly cookie. This provides stronger security and is preferred, but requires a more complex flow. You can either use a web backend library like openid-client to issue cookies or you can use a utility API that runs in the same parent site as the SPA.