I would like to add my reasons regarding "Why are developers creating BFF for their frontends to communicate with an AS", with the objective of verifying whether they are valid.
I need the client app to be authenticated at the AS (to determine whether it is a first-party app, for example). If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication. Or is it considered a bad practice to do that?

Regards,
Stoycho.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
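
The distinction raised in the message above, as an added example that is not part of the original post and not taken from any AS implementation: a toy token endpoint that checks PKCE for every client but can only report a client as authenticated when it holds a credential, as a BFF can. The client ids, the secret, and the function names are all constructed for illustration.

```python
import base64, hashlib, hmac, secrets

# Constructed registry: all ids and the secret are illustrative.
CLIENTS = {
    "spa-client": {"secret": None},                      # public client (SPA)
    "bff-client": {"secret": "constructed-bff-secret"},  # confidential client (BFF)
}
CODES = {}  # authorization code -> {"client_id", "challenge"}

def s256(verifier):
    """PKCE S256 transform (RFC 7636): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorize(client_id, code_challenge):
    """Authorization endpoint: bind a fresh code to the client_id and challenge."""
    code = secrets.token_urlsafe(16)
    CODES[code] = {"client_id": client_id, "challenge": code_challenge}
    return code

def token(client_id, code, code_verifier, client_secret=None):
    """Token endpoint. Returns (tokens_issued, client_authenticated)."""
    client, grant = CLIENTS.get(client_id), CODES.pop(code, None)
    if client is None or grant is None or grant["client_id"] != client_id:
        return (False, False)
    authenticated = False
    if client["secret"] is not None:  # confidential: must prove possession of secret
        if not hmac.compare_digest(client_secret or "", client["secret"]):
            return (False, False)
        authenticated = True
    # PKCE proves only that the caller started this flow; it says nothing
    # about which software the caller is.
    if not hmac.compare_digest(s256(code_verifier), grant["challenge"]):
        return (False, False)
    return (True, authenticated)

def run_flow(client_id, client_secret=None):
    """One full code flow by whoever holds client_id (and secret, if any)."""
    verifier = secrets.token_urlsafe(32)
    code = authorize(client_id, s256(verifier))
    return token(client_id, code, verifier, client_secret)

if __name__ == "__main__":
    print("SPA, PKCE only:    ", run_flow("spa-client"))
    print("BFF, secret + PKCE:", run_flow("bff-client", "constructed-bff-secret"))
    print("BFF id, no secret: ", run_flow("bff-client"))
```

The public client completes the flow with `client_authenticated` false, so the AS has no basis for a first-party decision there; only the confidential client yields an authenticated identity.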