We have a few backend services that our frontend SPAs fetch data from. Right now, the SPAs use JS libraries to authenticate with the Auth server (Azure AD) which returns a JWT which is validated by my backend services before responding to the requests. We also have a couple of native mobile apps and they too are using platform specific libraries for auth. This works fine for now.
But slowly the number of our SPAs is increasing and it is becoming a pain to write and maintain the same auth code in all the applications. Moreover, we are also looking to deploy our apps on-premise for some of our clients who might have separate auth needs (say Auth0 or Okta). This is also true for our native mobile apps.
As such, I was thinking of removing authentication handling from our SPAs and proxy all requests through a reverse proxy like NGINX which can also authenticate requests by redirecting them to a sign-in page.
But, I don't know if this will help us in doing something similar in a native mobile app. As far as I understand, since the client is not requesting a page every time it loads (like an SPA does), I am not sure where exactly the popup (or maybe redirection?) should happen in a mobile app. Or is that even possible? Is using platform specific auth SDKs the only way in a mobile app? If so, is there a way (or a library) that is not auth provider specific and I can switch out auth easily?
It might be possible, but I can think of some potential problems you should consider. Use of a reverse proxy basically behaves like a MITM attack. You will likely have certificate validation problems. (Kind Contributor, commented Dec 25, 2021 at 11:53)
1 Answer
You could look into using an API Gateway instead of NGINX for auth - they're designed for these kinds of scenarios:
- They handle auth centrally for all your services
- Support multiple identity providers simultaneously (you can configure Azure AD token validation and remove auth validation from downstream services, just use the claims within the token)
- Many include built-in analytics and monitoring, controls (rate limits etc)
- Can transform requests/responses on the fly
For free options, check out:
- Kong Community Edition (open source)
- AWS API Gateway has a free tier
Azure has its own API gateway as well (APIM)
Even the free versions typically support the OAuth/OIDC flows you'd need for both browser and mobile clients.
I've found the gateway-based approach to backend services cleaner than trying to make NGINX or any other reverse proxy handle auth scenarios (we had tried a custom implementation on Zuul and eventually moved away from it; it simplified development on downstream services as well).