BFF v4 architecture and fundamentals

Author: Erwinvandervalk

src/content/docs/bff/architecture/multi-frontend.md

@@ -62,4 +62,39 @@ After your application's logic is executed, there are two middlewares registered
 
 6. `ProxyIndexMiddleware` - If configured, this proxy the `index.html` to start the browser based app.  
 
+If you don't want this automatic mapping of BFF middleware, you can turn it off using `BffOptions.AutomaticallyRegisterBffMiddleware`. Please note then you're responsible for manually adding the middlewares:
+
+```csharp
+var app = builder.Build();
+
+app.UseBffFrontendSelection();
+app.UseBffPathMapping();
+app.UseBffOpenIdCallbacks();
+
+// Todo: your custom middleware goes here:
+app.UseRouting(); 
+app.UseBff();
+
+// Only add this if you want to proxy to remote api's. 
+app.UseBffRemoteRoutes();
+
+app.MapBffManagementEndpoints();
+app.UseBffIndexPages();
+
+app.Run();
+```
+
+## Authentication architecture
+
+When you use multiple frontends, you can't rely on [manual authentication configuration](../fundamentals/session/handlers.mdx#manually-configuring-authentication). This is because each frontend requires it's own scheme, and potentially it's own OpenID Connect and Cookie configuration. 
+
+The BFF registers a dynamic authentication scheme, which automatically configures the OpenID Connect and Cookie Scheme's on behalf of the frontends. It does this using a custom `AuthenticationSchemeProvider` called `BffAuthenticationSchemeProvider` to return appropriate authentication schemes for each frontend. 
+
+The BFF will register two schemes:
+* 'duende-bff-oidc'. 
+* 'duende-bff-cookie'. 
+
+Then, if there are no default authentication schemes registered, it will register 'duende_bff_cookie' schemes as the `AuthenticationOptions.DefaultScheme`, and 'duende_bff_oidc' as the `AuthenticationOptions.DefaultAuthenticateScheme` and `AuthenticationOptions.DefaultSignOutScheme`. This will ensure that calls to `Authenticate()` or `Signout()` will use the appropriate schemes. 
+
+If you're using multiple frontends, then the BFF will create dynamic schemes with the following signature: 'duende_bff_oidc_[frontendname]' and 'duende_bff_cookie_[frontendname]'. This ensures that every frontend can use it's own OpenID Connect and Cookie settings. 
 

src/content/docs/bff/fundamentals/multi-frontend/configuration.mdx

@@ -1,12 +1,13 @@
 ---
-title: "BFF Configuration"
+title: "BFF multi-frontend Configuration"
 description: Documentation for managing BFF configuration
 sidebar:
   order: 3
   label: "Configuration"
 
 ---
-It's possible to configure the BFF via IConfiguration. 
+It's possible to configure frontends for the BFF via IConfiguration. This enables dynamic loading / changing of frontends, 
+including their OpenID Connect configuration and BFF Configuration. 
 
 ```csharp {6}
 

src/content/docs/bff/fundamentals/multi-frontend/index.mdx

@@ -25,6 +25,74 @@ To overcome this issue, a single BFF instance can support multiple frontends. Ea
 Adding additional frontends to the BFF has very little impact on the performance on the BFF itself, but keep in mind
 that the traffic for all the frontends is proxied through the bff. 
 
+## Authentication configuration
+
+
+When you use multiple frontends, you can't rely on [manual authentication configuration](../fundamentals/session/handlers.mdx#manually-configuring-authentication).
+This is because each frontend requires it's own scheme, and potentially it's own OpenID Connect and Cookie configuration. 
+
+Instead, you should rely on [automatic authentication configuration](../fundamentals/session/handlers.mdx#automatic-authentication-configuration).
+
+Below is an example on how to configure multiple frontends. 
+
+```csharp
+var bffBuilder = builder.Services
+    .AddBff();
+
+bffBuilder
+    .ConfigureOpenIdConnect(options =>
+    {
+        // These are the default values for all frontends.
+        options.Authority = "https://demo.duendesoftware.com";
+        options.ClientId = "interactive.confidential";
+        options.ClientSecret = "secret";
+        options.ResponseType = "code";
+        options.ResponseMode = "query";
+
+        options.GetClaimsFromUserInfoEndpoint = true;
+        options.SaveTokens = true;
+        options.MapInboundClaims = false;
+
+        options.Scope.Clear();
+        options.Scope.Add("openid");
+        options.Scope.Add("profile");
+        options.Scope.Add("api");
+        options.Scope.Add("offline_access");
+
+        options.TokenValidationParameters.NameClaimType = "name";
+        options.TokenValidationParameters.RoleClaimType = "role";
+    });
+
+    .AddFrontends(
+
+        // This frontend will use the default authentication options
+        new BffFrontend(BffFrontendName.Parse("default-frontend")),
+
+        // This frontend uses most of the same authentication options,
+        new BffFrontend(BffFrontendName.Parse("with-path"))
+            .MappedToPath(LocalPath.Parse("/with-path")),
+            .WithOpenIdConnectOptions(opt =>
+            {
+               // but overrides the clientid and client secret.
+                opt.ClientId = "different-client-id";
+                opt.ClientSecret = "different secret";
+            })
+            .WithCookieOptions(opt => 
+            {
+               // and overrides the cookie options to use 'lax' cookies. 
+               opt.Cookie.SameSite = SameSiteMode.Lax;
+            });
+
+```
+
+The order in which configuration is applied is
+1. programmatic default options (if any)
+2. default options from configuration (if any)
+3. frontend specific options (if any)
+
+Each frontend can have custom OpenID Connect configuration and Cookie Configuration. This can both be configured programmatically 
+as via [Configuration](./configuration.mdx). 
+
 ## Frontend selection
 
 Each request to a frontend has to be uniquely defined by either it's path, it's origin or a combination of the two. 

src/content/docs/bff/fundamentals/session/handlers.md renamed to src/content/docs/bff/fundamentals/session/handlers.mdx

@@ -11,6 +11,58 @@ redirect_from:
   - /identityserver/v6/bff/session/handlers/
   - /identityserver/v7/bff/session/handlers/
 ---
+import { Badge } from "@astrojs/starlight/components";
+import { Code } from "@astrojs/starlight/components";
+import { Tabs, TabItem } from "@astrojs/starlight/components";
+
+To configure authentication in the BFF, you'll need to configure both the OpenID Connect 
+login flow and the cookie handlers. 
+
+## Automatic authentication configuration <Badge text="V4" />
+
+In V4, a simplified mechanism for wiring up authentication has been introduced. The main purpose for the BFF
+is to handle the OpenID Connect login flow and to protect the api's using Cookies. In V3, you explicitly had 
+to configure the aspnet core authentication system to enable this, but in V4, this is now simplified.
+
+A call `BffBuilder.ConfigureOpenIdConnect()` will make sure that:
+1. The authentication pipeline is configured with the appropriate authentication schemes. 
+2. The OpenID Connect pipeline is configured with default values. 
+3. The CookieHandler is configured using recommended practices. This can be tweaked by calling `BffBuilder.ConfigureCookies()`
+
+Below is an example on how to configure the BFF's authentication pipeline. 
+
+```csharp
+
+services.AddBff()
+    .ConfigureOpenIdConnect(options =>
+    {
+        options.Authority = "https://demo.duendesoftware.com";
+        options.ClientId = "interactive.confidential";
+        options.ClientSecret = "secret";
+        options.ResponseType = "code";
+        options.ResponseMode = "query";
+
+        options.GetClaimsFromUserInfoEndpoint = true;
+        options.SaveTokens = true;
+        options.MapInboundClaims = false;
+
+        options.Scope.Clear();
+        options.Scope.Add("openid");
+        options.Scope.Add("profile");
+        options.Scope.Add("api");
+        options.Scope.Add("offline_access");
+
+        options.TokenValidationParameters.NameClaimType = "name";
+        options.TokenValidationParameters.RoleClaimType = "role";
+    });
+```
+
+Each frontend can have custom OpenID Connect configuration and Cookie Configuration. This can both be configured programmatically 
+as via [Configuration](../multi-frontend/configuration.mdx). 
+
+
+## Manually configuring authentication
+
 
 You typically use the following two ASP.NET Core authentication handlers to implement remote authentication:
 
@@ -43,7 +95,7 @@ builder.Services.AddAuthentication(options =>
 
 Now let's look at some more details!
 
-## The OpenID Connect Authentication Handler
+### The OpenID Connect Authentication Handler
 
 The OpenID Connect (OIDC) handler connects the application to the authentication / access token system.
 
@@ -93,7 +145,7 @@ builder.Services.AddAuthentication().AddOpenIdConnect("oidc", options =>
 ```
 The OIDC handler will use the default sign-in handler (the cookie handler) to establish a session after successful validation of the OIDC response.
 
-## The Cookie Handler
+### The Cookie Handler
 
 The cookie handler is responsible for establishing the session and manage authentication session related data.
 

src/content/docs/bff/fundamentals/session/server-side-sessions.md renamed to src/content/docs/bff/fundamentals/session/server-side-sessions.mdx

@@ -10,6 +10,9 @@ redirect_from:
   - /identityserver/v6/bff/session/server_side_sessions/
   - /identityserver/v7/bff/session/server_side_sessions/
 ---
+import { Badge } from "@astrojs/starlight/components";
+import { Code } from "@astrojs/starlight/components";
+import { Tabs, TabItem } from "@astrojs/starlight/components";
 
 By default, ASP.NET Core's cookie handler will store all user session data in a protected cookie. This works very well unless cookie size or revocation becomes an issue.
 
@@ -47,34 +50,76 @@ builder.Services.AddBff()
 Most datastores that you might use with Entity Framework use a schema to define the structure of their data. *Duende.BFF.EntityFramework* doesn't make any assumptions about the underlying datastore, how (or indeed even if) it defines its schema, or how schema changes are managed by your organization. For these reasons, Duende does not directly support database creation, schema changes, or data migration by publishing database scripts. You are expected to manage your database in the way your organization sees fit. Using EF migrations is one possible approach to that, which Duende facilitates by publishing entity classes in each version of *Duende.BFF.EntityFramework*. An example project that uses those entities to create migrations is [here](https://github.com/DuendeSoftware/products/tree/main/bff/migrations/UserSessionDb).
 
 ## Session Store Cleanup
-
 Added in v1.2.0.
 
 Abandoned sessions will remain in the store unless something removes the stale entries.
-If you wish to have such sessions cleaned up periodically, then you can configure the *EnableSessionCleanup* and *SessionCleanupInterval* options:
 
-```csharp
-builder.Services.AddBff(options => {
-        options.EnableSessionCleanup = true;
-        options.SessionCleanupInterval = TimeSpan.FromMinutes(5);
-    })
-    .AddServerSideSessions();
-```
+{/* prettier-ignore */}
+<Tabs syncKey="bffVersion">
+  {/* prettier-ignore */}
+  <TabItem label="V4">
+
+    If you wish to have such sessions cleaned up periodically, then you can add the session cleanup host and configure the *SessionCleanupInterval* options:
+
+    ```csharp
+    builder.Services.AddBff(options => {
+            options.SessionCleanupInterval = TimeSpan.FromMinutes(5);
+        })
+        .AddServerSideSessions();
+    ```
+
+    This requires an implementation of [*IUserSessionStoreCleanup*](/bff/extensibility/sessions#user-session-store-cleanup) in the ASP.NET Core service provider.
+
+    If using Entity Framework Core, then the *IUserSessionStoreCleanup* implementation is provided for you when you use *AddEntityFrameworkServerSideSessions*.
+    You can then add the `SessionCleanupBackgroundProcess`:
+
+    ```csharp
+    var cn = _configuration.GetConnectionString("db");
+            
+    builder.Services.AddBff()
+        .AddEntityFrameworkServerSideSessions(options => 
+        {
+            options.UseSqlServer(cn);        
+        })
+        .AddSessionCleanupBackgroundProcess();
+    ```
+    :::note
+    In V4, we changed how you enable session cleanup. We no longer automatically register the session cleanup hosted service. This has to be done manually.
+    In a loadbalanced environment, you can choose to run the cleanup job on all instances the BFF. However, you can also decide to 
+    spin up a separate host that's responsible for background jobs such as this cleanup job. 
+    :::
+
+  </TabItem>
+  <TabItem label="V3">
+  
+    If you wish to have such sessions cleaned up periodically, then you can configure the *EnableSessionCleanup* and *SessionCleanupInterval* options:
+
+    ```csharp
+    builder.Services.AddBff(options => {
+            options.EnableSessionCleanup = true;
+            options.SessionCleanupInterval = TimeSpan.FromMinutes(5);
+        })
+        .AddServerSideSessions();
+    ```
+
+    This requires an implementation of [*IUserSessionStoreCleanup*](/bff/extensibility/sessions#user-session-store-cleanup) in the ASP.NET Core service provider.
+
+    If using Entity Framework Core, then the *IUserSessionStoreCleanup* implementation is provided for you when you use *AddEntityFrameworkServerSideSessions*.
+    Just enable session cleanup:
+
+    ```csharp
+    var cn = _configuration.GetConnectionString("db");
+            
+    builder.Services.AddBff(options =>
+        {
+            options.EnableSessionCleanup = true;
+        })
+        .AddEntityFrameworkServerSideSessions(options => 
+        {
+            options.UseSqlServer(cn);        
+        });
+    ```
+
+  </TabItem>
+</Tabs>
 
-This requires an implementation of [*IUserSessionStoreCleanup*](/bff/extensibility/sessions#user-session-store-cleanup) in the ASP.NET Core service provider.
-
-If using Entity Framework Core, then the *IUserSessionStoreCleanup* implementation is provided for you when you use *AddEntityFrameworkServerSideSessions*.
-Just enable session cleanup:
-
-```csharp
-var cn = _configuration.GetConnectionString("db");
-        
-builder.Services.AddBff(options =>
-    {
-        options.EnableSessionCleanup = true;
-    })
-    .AddEntityFrameworkServerSideSessions(options => 
-    {
-        options.UseSqlServer(cn);        
-    });
-```