Docs/Add Hardware-Backed Sign-In to Your Application/ BFF Pattern (Express)
View as .md

BFF Pattern (Express)

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

The Backend-for-Frontend (BFF) pattern keeps all OAuth tokens on the server. The browser never sees access tokens or ID tokens — it authenticates via HttpOnly, SameSite=Strict session cookies instead. Key configuration:

  • Client secret required (confidential client, since tokens are server-side)
  • PKCE is automatic with openid-client
  • Set httpOnly: true, sameSite: 'strict', and secure: true (in production) on session cookies
  • Proxy a /api/me endpoint so the frontend never handles tokens directly
  • The hardware attestation claim (hardware_verified) is decoded server-side from the access token JWT

Example

spa/bff-express — Complete working example with Express BFF server, openid-client, PKCE, and proxied UserInfo endpoint.