Don't Trust the Browser: Secure SPAs with BFF

OpenIdConnect and OAuth are the industry standards to protect both frontend and backends applications with tokens. Sending tokens to the browser is like trusting a bunch of lions to keep a cow safe. So why do we do it in our Single Page Applications using the implicit flow for example?

Don't.

BFF or Backend For Frontend solves this problem. Come and find out how this works using ASP.NET Core on the server and React on the browser side. If you're not into ASP.NET Core: come anyways because the concepts are applicable to any technology.