Ask HN: Where does authentication happen in BFF?

1 points by 0xbkt 3 years ago · 0 comments · 1 min read

I am building an internal monolith exposing a bunch of gRPC services that I am planning to put to use as the core of my system (i.e. containing all business logic).

More, the client is interested in having a Web application as the entry point to the system, but also showed interest in a JSON API in the future. So, I thought BFF could be the way with a server-rendered Web “frontend” (using cookies) and at a later time a JSON API frontend (using API tokens) where the client requires programmatic access.

The question: where do I do user authentication and authorization? The internal monolith is pretty much an unrestricted API at present as it is only supposed to be used internally. I want to have a clear separation of concerns so I have quite mixed feelings about putting the authn/authz logic in there. In the frontend, OTOH, I would be duplicating a lot of code and it would potentially open it up to bugs given that I'd have to update both frontends in case I change the logic.

TLDR: Should it live in the frontend or backend?

No comments yet.
