Mobile Client

[billcunnien]

Good morning,

I thought I read in the documentation at some point in time, that BFF supported a mobile client (Android, iOS). Currently, it does not appear that BFF v3 or v4 support a mobile client for this pattern. It would be a tremendous thing to have all of our digital clients funnel their authentication/authorization requests through BFF to IS, and have BFF provide the remote API proxy for these same clients. What a joy that would be! If we could get that access token working only between the BFF and the remote API (we run it), then we could pull that remote API down into our network for even more protection and not expose it to the public in any way. Token exposure would essentially end.

Is it possible to get a mobile client working with BFF?

Thanks!
Bill

[wcabus]

Unfortunately, no. The BFF pattern is only intended to be used for securing client-side browser applications, by hosting them on a server-side web application which acts as a secure proxy for any API calls needed, as well as providing endpoints to retrieve the current user etc.

Since a mobile client runs on a user's device, there's no way it could be served by a BFF host.
We do have an open-source OpenID Connect client library which implements RFC 8252 - OAuth 2.0 for native applications. This library can be used to secure mobile apps, for example, a MAUI app.

If you happen to recall where you read this, or which part of the documentation hinted at supporting mobile clients, please let us know 🙂

[billcunnien]

It is most likely I am confusing the capabilities of Identity Server (which can support mobile devices) with BFF (which is browser based). Thanks for the response.