I’m writing a system in which I want my web app to authenticate users with Keycloak using the authorization code flow, so I want to create a back-end server that will receive the authorization code and then exchange it for the access token + refresh token (the back-end server will have a secret, etc.). This service will be used by multiple clients (REST / GUI), so I can avoid code/logic duplication to some extent.
I have a few questions about this:
- I couldn’t find an example for the authorization code flow which actually demonstrated using a web app and a back-end server. Is there any example that suits my needs? Is there any library/adapter best suited for this? The web app is written in Angular 2 and the back end is currently a Spring Boot project.
- The project I’m working on has a microservice architecture, and the idea we have is to store the tokens in the client and send the access token with every request. The client will need to recognize that the token is about to expire and then refresh the token. I wanted to store the tokens in HTTP-only cookies, but I’m not sure how to prevent sending the refresh token along as well each time. Is there a best practice that you can suggest?
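As an added illustration (not code from the original post or from Keycloak), the exchange and cookie layout the question describes, in Python rather than Spring Boot: the back end posts the code to Keycloak's token endpoint, the refresh token lands in a cookie whose Path attribute restricts it to the refresh route so browsers do not attach it to ordinary API calls, and the client reads the access token's exp claim to decide when to refresh. The client id, secret, redirect URI and the /api and /auth/refresh paths are assumed placeholder values.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed sample values; not taken from the original post.
CLIENT_ID = "webapp-backend"
CLIENT_SECRET = "placeholder-client-secret"
REDIRECT_URI = "https://app.example/callback"

def build_token_request(code):
    """Form body the back end POSTs to Keycloak's token endpoint
    (.../protocol/openid-connect/token); the client secret stays server-side."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    })

def build_cookies(access_token, refresh_token):
    """Set-Cookie values: the access token rides on every API call, the refresh
    token only reaches the refresh endpoint because of its Path attribute."""
    flags = "HttpOnly; Secure; SameSite=Strict"
    return {
        "access_token": f"{access_token}; Path=/api; {flags}",
        "refresh_token": f"{refresh_token}; Path=/auth/refresh; {flags}",
    }

def path_matches(cookie_path, request_path):
    """RFC 6265 path-match rule a browser applies before attaching a cookie."""
    if not request_path.startswith(cookie_path):
        return False
    return (request_path == cookie_path or cookie_path.endswith("/")
            or request_path[len(cookie_path)] == "/")

def cookies_sent(cookies, request_path):
    """Names of the cookies from build_cookies() a browser sends to request_path."""
    paths = {n: v.split("Path=")[1].split(";")[0] for n, v in cookies.items()}
    return [n for n, p in paths.items() if path_matches(p, request_path)]

def seconds_until_expiry(jwt, now):
    """Seconds left on the access token's exp claim (decoded, not verified: the
    client only uses it to schedule a refresh; resource servers verify)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    exp = json.loads(base64.urlsafe_b64decode(payload))["exp"]
    return exp - now
```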