Build a CRUD Application with Kotlin and React

Brian Demers

The “secure enough” bit is always the hardest question (but IMHO, it’s the right question to ask). In the end it’s really up to your use case; if you are building a finance-related application, it’s probably not secure enough, but if you are building a note-taking app, it might be fine.

The good news is your Spring Boot microservices likely wouldn’t need to change either way. If you want to handle auth on the backend, you could use something like Spring Cloud Gateway to handle the login/redirects for you.

We have a few Spring Cloud Gateway posts too.
https://developer.okta.com/…

Taking a step back though, what type of app are you building?

Ezequiel Cabrera

Hi Brian, the app is mainly kind of a CRUD type at the moment: two types of users (business / individuals) are able to create differentiated profiles in which to upload a showcase of their work and contact/background information, then a home/feed where they can discover each other.

Brian Demers

If you are going the microservices route, you will have multiple services and you will probably need to stick them behind some sort of gateway, and that may lend itself to handling auth anyway.

Ezequiel Cabrera

That is, delegating the communication with Okta to the gateway, correct?

Brian Demers

Yup! It’s really hard to give specific advice without knowing a lot of details, but take a look at this post: https://developer.okta.com/…

Joe Grandja, from the Spring Sec team, has a great related video too!
https://www.youtube.com/wat…

Ezequiel Cabrera

Amazing, thank you so much!
Yes, I understand; if I’ve learned something these last months, it’s that this is a pretty case-specific matter.

Ezequiel Cabrera

There’s another thing I’m kind of stuck with; maybe I’m missing something: if I implement an API Gateway with, say, Spring Boot, would you know how I should communicate with it from the React SPA, given that I don’t want to handle tokens there? Is that realistic, not having the access token in the frontend, ever?

Brian Demers

Using a session cookie should work for most cases; that way the access token is only ever on the backend.
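The gateway pattern discussed in this thread (the SPA holds only a session cookie, the gateway logs the user in with Okta and keeps the tokens) is sometimes called a "backend for frontend". The following is an added example of that setup for Spring Cloud Gateway; it is not code from the post or from either commenter. It assumes Spring Cloud Gateway 3.x on WebFlux with Spring Security 5.x, `spring-boot-starter-oauth2-client`, an OIDC client registration configured in `application.yml` (for example via the `okta-spring-boot-starter` properties `okta.oauth2.issuer`, `okta.oauth2.client-id` and `okta.oauth2.client-secret`), and a hypothetical profile service listening on `http://localhost:8081`; the route id `profiles` and the path `/api/profiles/**` are made up for the example.

```java
// Added example, not from the original post or thread.
// A Spring Cloud Gateway acting as a "backend for frontend": the browser only
// ever holds the HttpOnly SESSION cookie; the OAuth tokens obtained at login
// stay in the gateway's server-side session and are relayed upstream as a
// bearer token.
//
// Assumed setup: spring-cloud-starter-gateway 3.x, Spring Security 5.x,
// spring-boot-starter-oauth2-client, an OIDC client registration in
// application.yml, and a hypothetical profile service on http://localhost:8081.
package com.example.gateway;

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.cloud.gateway.route.RouteLocator;
import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        http
            // Every route requires a logged-in session. An unauthenticated
            // browser request is redirected to the identity provider by
            // oauth2Login; the gateway is the confidential OIDC client, so the
            // client secret and the tokens never reach the browser.
            .authorizeExchange(ex -> ex.anyExchange().authenticated())
            .oauth2Login(withDefaults())
            // A cookie session is exposed to CSRF in a way a bearer token is
            // not, so keep CSRF protection on. The XSRF-TOKEN cookie is readable
            // by the SPA, which echoes it back in an X-XSRF-TOKEN header.
            .csrf(csrf -> csrf.csrfTokenRepository(
                CookieServerCsrfTokenRepository.withHttpOnlyFalse()));
        return http.build();
    }

    // The cookie repository writes XSRF-TOKEN lazily; subscribing to the token
    // on each exchange makes sure the cookie is actually set for the SPA.
    @Bean
    WebFilter csrfCookieWebFilter() {
        return (ServerWebExchange exchange, WebFilterChain chain) -> {
            Mono<CsrfToken> token = exchange.getAttribute(CsrfToken.class.getName());
            return (token == null ? Mono.empty() : token.then())
                .then(chain.filter(exchange));
        };
    }

    @Bean
    RouteLocator routes(RouteLocatorBuilder builder) {
        return builder.routes()
            // Hypothetical route: /api/profiles/** is proxied to the profile service.
            .route("profiles", r -> r.path("/api/profiles/**")
                .filters(f -> f
                    // Adds "Authorization: Bearer <access token>" using the
                    // OAuth2AuthorizedClient stored in the gateway's session.
                    .tokenRelay()
                    // The browser's session cookie is meaningless to the
                    // upstream service, so do not leak it there.
                    .removeRequestHeader("Cookie"))
                .uri("http://localhost:8081"))
            .build();
    }
}
```

From the React side this means a plain same-origin `fetch('/api/profiles', { credentials: 'same-origin' })` with the `X-XSRF-TOKEN` header set from the `XSRF-TOKEN` cookie; the `SESSION` cookie is `HttpOnly`, so no script in the page can read a token. The trade-off is that the session (and the tokens in it) now lives on the gateway, so running more than one gateway instance needs sticky sessions or a shared session store such as Spring Session with Redis.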