Skip to article frontmatterSkip to article content
Site not loading correctly?

This may be due to an incorrect BASE_URL configuration. See the MyST Documentation for reference.

auth_bff

OAuth 2 / OpenID Connect Backend-For-Frontend. It mediates between browser SPAs and an identity provider (Keycloak, Google, …), running the authorization-code flow with PKCE so the SPA never handles raw tokens: tokens are kept server-side and the browser only gets an httpOnly cookie (SEC-04/06/07/09 compliant).

Architecture

C_AUTH_BFF_YUNO (default service)
    __bff_side__ : gate of per-connection C_AUTH_BFF instances

The yuno (C_AUTH_BFF_YUNO) hosts a __bff_side__ gate; each client connection gets its own C_AUTH_BFF gobj that drives the OIDC round-trip with the IdP. The protocol/flow details live in the Auth, permissions, TLS chapter.

Commands

CommandDescription
view-bff-statusSnapshot of every C_AUTH_BFF instance: queues, pending tasks, active IdP round-trip
helpCommand help

Deep dive

See Auth, permissions, TLS for the full OIDC / auth_bff flow, C_AUTHZ, the cookie model and cert-sync.

Yuneta Simplified
Authentication
Yuneta Simplified
Data & Infrastructure