Authagonal.Bff 0.9.1

dotnet add package Authagonal.Bff --version 0.9.1
                    
NuGet\Install-Package Authagonal.Bff -Version 0.9.1
                    
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="Authagonal.Bff" Version="0.9.1" />
                    
For projects that support PackageReference, copy this XML node into the project file to reference the package.
<PackageVersion Include="Authagonal.Bff" Version="0.9.1" />
                    
Directory.Packages.props
<PackageReference Include="Authagonal.Bff" />
                    
Project file
For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
paket add Authagonal.Bff --version 0.9.1
                    
#r "nuget: Authagonal.Bff, 0.9.1"
                    
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
#:package Authagonal.Bff@0.9.1
                    
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.
#addin nuget:?package=Authagonal.Bff&version=0.9.1
                    
Install as a Cake Addin
#tool nuget:?package=Authagonal.Bff&version=0.9.1
                    
Install as a Cake Tool

Authagonal.Bff

Backend-for-Frontend (BFF) for SPAs that authenticate with Authagonal.

Your React/Vue/Angular app should never hold access or refresh tokens: anything in JS-reachable storage is exposed to XSS. This package is a confidential OIDC client you host on your own backend. It runs the authorization-code + PKCE flow server-side, keeps the tokens in a server-side session, and gives the browser nothing but an httpOnly session cookie. This is the pattern the IETF OAuth 2.0 for Browser-Based Apps BCP recommends.

Install

dotnet add package Authagonal.Bff

Wire it up

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthagonalBff(o =>
{
    o.Authority    = "https://acme-admin.authagonal.io"; // your tenant auth host
    o.ClientId     = builder.Configuration["Bff:ClientId"]!;
    o.ClientSecret = builder.Configuration["Bff:ClientSecret"]!;
    o.Scope        = ["openid", "profile", "email", "offline_access"]; // offline_access enables refresh
    o.PostLogoutRedirectUri = "https://app.acme.com/";
});

var app = builder.Build();

app.UseForwardedHeaders();  // required if you run behind a reverse proxy / ingress
app.MapAuthagonalBff();
app.MapFallbackToFile("index.html"); // your SPA

app.Run();

Register a BFF client in the Authagonal portal (confidential + PKCE + offline_access) with:

  • redirect URI https://app.acme.com/bff/callback
  • post-logout redirect URI https://app.acme.com/

Endpoints (mounted under /bff by default)

Route Purpose
GET /bff/login?returnUrl=/ Start login; redirects to Authagonal.
GET /bff/callback OIDC redirect URI (handled for you).
GET /bff/user { isAuthenticated, claims, sessionExpiresAt }. Requires the anti-forgery header.
GET\|POST /bff/logout Ends the session locally + at Authagonal.

From the browser

Every non-navigation call must carry a static anti-forgery header (defends against CSRF alongside SameSite=Lax):

const me = await fetch("/bff/user", { headers: { "X-Authagonal-Bff": "1" } }).then(r => r.json());
if (!me.isAuthenticated) window.location.href = "/bff/login?returnUrl=" + encodeURIComponent(location.pathname);

To log in / out, navigate (don't fetch): location.href = "/bff/login" / "/bff/logout".

Sessions & scaling

Sessions are stored via IDistributedCache. In-memory is the default; register a real distributed cache (e.g. Redis) before AddAuthagonalBff when you run more than one instance:

builder.Services.AddStackExchangeRedisCache(o => o.Configuration = "...");

Extension points (the hosted seam)

Swap any of these to move the BFF onto other infrastructure:

  • IBffSessionStore — where sessions live (default: IDistributedCache).
  • ICookieProtector — cookie payload encryption (default: ASP.NET Data Protection).
  • ITokenClient — talking to Authagonal's token/revocation endpoints.

See docs/bff.md in the authagonal-cloud repo for the full protocol contract.

Product Compatible and additional computed target framework versions.
.NET net9.0 is compatible.  net9.0-android was computed.  net9.0-browser was computed.  net9.0-ios was computed.  net9.0-maccatalyst was computed.  net9.0-macos was computed.  net9.0-tvos was computed.  net9.0-windows was computed.  net10.0 is compatible.  net10.0-android was computed.  net10.0-browser was computed.  net10.0-ios was computed.  net10.0-maccatalyst was computed.  net10.0-macos was computed.  net10.0-tvos was computed.  net10.0-windows was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last Updated
0.9.1 37 7/18/2026
0.9.0 35 7/18/2026
0.8.2 34 7/18/2026
0.8.1 44 7/18/2026
0.8.0 36 7/18/2026