Securing SPAs and Blazor WASM applications once and for all.
Welcome to the official GitHub repository for the Duende Backend for Frontend (BFF) Security Framework!
Duende.BFF is a framework for building services that solve security and identity problems in browser-based applications such as SPAs and Blazor WASM applications. It is used to create a backend host that is paired with a frontend application. This backend is called the Backend For Frontend (BFF) host, and is responsible for all of the OAuth and OIDC protocol interactions. Moving the protocol handling out of JavaScript provides important security benefits and works around changes in browser privacy rules that increasingly disrupt OAuth and OIDC protocol flows in browser-based applications. The Duende.BFF library makes it easy to build and secure BFF hosts by providing session and token management, API endpoint protection, and logout notifications.
Duende.BFF can be extended with:
- custom logic at the session management endpoints
- custom logic and configuration for HTTP forwarding to external API endpoints
- custom data storage for server-side sessions and access/refresh tokens
Duende.BFF supports a wide range of security scenarios for modern applications:
- Mutual TLS
- Proof-of-Possession
- JWT secured authorization requests
- JWT-based client authentication
If you're ready to dive into development, check out our Quickstart Tutorial for step-by-step guidance.
For more in-depth documentation, visit our documentation portal.
Duende.BFF is source-available, but requires a paid license for production use.
- Development and Testing: You are free to use and explore the code for development, testing, or personal projects without a license.
- Production: A license is required for production environments.
- Free Community Edition: A free Community Edition license is available for qualifying companies and non-profit organizations. Learn more here.
- For bug reports or feature requests, open an issue on GitHub: Submit an Issue.
- For security-related concerns, please contact us privately at: [email protected].