An OAuth code sample to extend the initial code sample with the following behaviors:
- The SPA uses the traditional OpenID connect flow, with session management features.
- The API combines claims-based authorization with finer-grained business permissions.
- The SPA and API use both OAuth user attributes and business user attributes.
The SPA is a simple UI with some basic navigation between views, to render fictional investment resources.
To run the code sample locally you must configure some infrastructure before you run the code.
Configure custom development domains by adding these DNS entries to your hosts file:
127.0.0.1 localhost www.authsamples-dev.com api.authsamples-dev.comInstall OpenSSL 3+ if required, create a secrets folder, then create development certificates:
export SECRETS_FOLDER="$HOME/secrets"
mkdir -p "$SECRETS_FOLDER"
./certs/create.shFinally, configure Browser SSL Trust for the SSL root certificate at this location:
./certs/authsamples-dev.ca.crt
Ensure that Node.js 20+ is installed, then build and run the SPA and API:
./build.sh && ./run.shThe system browser runs and you can sign in with my AWS test credentials:
- User:
[email protected] - Password:
GuestPassword1
You can then test all lifecycle operations, including token refresh, multi tab browsing and logout.
- See the Updated SPA and API Code Sample blog post a walkthrough and the key technical points
The initial SPA uses OAuth tokens in JavaScript code, to demonstrate a productive SPA architecture.
In 2021 the best practice is to keep tokens out of the browser, to limit the impact of XSS exploits.
See the Final SPA Code Sample for a more secure implementation.
- The SPA and its views use plain TypeScript code.
- The API uses Node.js and TypeScript.
- Express is used as the HTTP server for both the API and the SPA's web static content.
- The SPA uses the oidc-client-ts library to implement OpenID Connect.
- The API uses the jose library to validate JWT access tokens.
- AWS Cognito is the default authorization server for the SPA and API.