Hello guys!
Could someone please help me understand what the correct approach is for microfrontend applications?
Let's assume that we have an SPA shell application which is a container for microfrontends. The Shell App is responsible for user authentication. After that, the user should be able to open any microfrontend within the shell app without any authentication requests, though having proper authorization (roles, groups, scopes) within those microfrontends.
I see two possible ways here:
- the shell app obtains a ‘universal’ token, which allows access to all the microfrontends, including a multivalued ‘aud’ field and all relevant roles, groups and scopes. Then, the SPA can pass that token to each microfrontend being accessed using JavaScript.
- each microfrontend being accessed within the SPA obtains its own tokens in a way that is transparent to the user. There should not be any redirects visible to the user.
Which way is correct? Is it possible to configure?
Thank you.
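What the multivalued `aud` in the first option means on the receiving side, as an added example that is not part of the original post: each API behind a microfrontend checks that its own identifier is in `aud` and counts only its own scopes. The audience names, scope names and the `<name>.` scope prefix are assumptions made for illustration, and the claims are assumed to come from a token whose signature, issuer and expiry a JWT library has already verified.

```javascript
// Added example. Claims are assumed to be already verified (signature, issuer,
// expiry) by a JWT library. All names below are constructed for illustration.

// Constructed claims of a "universal" token as described in the first option.
const universalClaims = {
  sub: "user-123",
  aud: ["orders-api", "billing-api"],
  scope: "orders.read orders.write billing.read",
  roles: ["orders-editor", "billing-viewer"],
};

// RFC 7519: "aud" may be a single string or an array of strings.
function audiences(claims) {
  if (typeof claims.aud === "string") return [claims.aud];
  if (Array.isArray(claims.aud)) return claims.aud.filter((a) => typeof a === "string");
  return [];
}

// Decide whether one API accepts the token and what the user may do there.
// `self` is that API's own audience identifier; `required` lists the scopes the call needs.
function authorize(claims, self, required) {
  if (!audiences(claims).includes(self)) {
    return { allowed: false, reason: "audience mismatch", scopes: [] };
  }
  const granted = String(claims.scope || "").split(" ").filter(Boolean);
  // Only scopes in this API's namespace count ("<name>." prefix, an assumed convention).
  const prefix = self.replace(/-api$/, "") + ".";
  const own = granted.filter((s) => s.startsWith(prefix));
  const missing = required.filter((s) => !own.includes(s));
  if (missing.length > 0) {
    return { allowed: false, reason: "missing scope: " + missing.join(","), scopes: own };
  }
  return { allowed: true, reason: "ok", scopes: own };
}

// Which of the known APIs accept this single token, i.e. how far one copy of it reaches.
function acceptedBy(claims, knownApis) {
  return knownApis.filter((api) => audiences(claims).includes(api));
}
```

With per-microfrontend tokens (the second option) `aud` holds a single value, so `acceptedBy` returns one API per token instead of every API listed in the universal token.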