Duende.BFF (Backend for Frontend Pattern) Update

Back in March we posted our thoughts on the ongoing browser changes and how we think browser-based applications should be secured going forward.

We also introduced Duende.BFF which is a pre-packaged solution for building BFF hosts using ASP.NET Core. In essence Duende.BFF has all the building blocks you need in one place to satisfy the needs of a BFF-style architecture:

  • OpenID Connect & OAuth 2 client library
  • Session management including server-side session storage
  • Primitives for starting, stopping and querying sessions
  • Support for back-channel logout notifications
  • Built-in token management, e.g. server-side token storage, token refresh
  • SameSite and anti-forgery protection for API endpoints
  • HTTP forwarder for remote APIs

In the meantime we helped a number of our customers re-factoring their web applications to the BFF pattern. The feedback during this process helped us to continuously improve the library - thanks!

We just pushed rc.4 - which we think will be the last pre-release. We made some important changes that I quickly want to discuss.

When we started out, we embedded Microsoft YARP as our HTTP forwarding mechanism. YARP is a pretty powerful library, but we decided that we will separate the HTTP forwarding part from our core BFF library, because

  • YARP is still in preview and Microsoft wants to wait with RTM until it is proven to work in one of their pilot projects. That’s fine, but also means that it might changed before it is released
  • Not everybody needs HTTP forwarding
  • If you need HTTP forwarding, you have a couple of options including our built-in approach, but also others
  • We didn’t want to wrap YARP’s features but provide a simplified API. If you need advanced features like load balancing, service discovery, session affinity, you should be able to use YARP directly (without losing the BFF benefits)

Long story short - we split our packages in the core Duende.BFF and Duende.BFF.Yarp for our YARP integration.

By doing so you now have the choice of using our YARP wrapper or use YARP directly while still taking advantage of our BFF features like anti-forgery protection and token management.

We updated our samples and documentation to reflect these changes and expect to release 1.0 of our core library in the coming days.

Feedback welcome!