Merge pull request #820 from DuendeSoftware/ev/bff/v4

BFF V4 docs

Author: maartenba

src/content/docs/accesstokenmanagement/advanced/client-credentials.mdx

@@ -55,7 +55,8 @@ You can add token client definitions to your host while configuring the DotNet s
             client.Resource = "urn:invoices";
     });`}/>
     </TabItem>
-</Tabs>    
+</Tabs>
+
 You can set the following options:
 
 * `TokenEndpoint` - URL of the OAuth token endpoint where this token client requests tokens from

src/content/docs/bff/architecture/index.md

@@ -22,51 +22,63 @@ functions:
 * Server-side Token Management
 * Blazor support with unified authentication state management across rendering modes.
 
+## Authentication Flow
+
+The following diagram shows how the BFF protects browser-based applications:
+
 ![BFF Security Framework Architecture Overview](../images/bff_application_architecture.svg)
 
+
+* **Authentication flows**: The server handles the authentication flows. There are specific endpoints for login / logout. While the browser is involved with these authentication flows, because the user is redirected to and from the identity provider, the browser-based application will never see the authentication tokens. These are exchanged for a code on the server only. 
+* **Cookies**: After successful authentication, a cookie is added. This cookie protects all subsequent calls to the APIs. When using this type of authentication, **CSRF protection** is very important. 
+* **Access to APIs**: The BFF can expose embedded APIs (which are hosted by the BFF itself) or proxy calls to remote APIs (which is more common in a microservice environment). While proxying, it will exchange the authentication cookie for an access token. 
+* **Session Management**: The BFF can manage the users session. This can either be cookie-based session management or storage-based session management. 
+
+
+## Internals
 Duende.BFF builds on widely used tools and frameworks, including ASP.NET Core's OpenID Connect and cookie authentication
-handlers, YARP, and Duende.AccessTokenManagement. Duende.BFF combines these tools and adds additional security and
+handlers, YARP, and [Duende.AccessTokenManagement](/accesstokenmanagement/index.mdx). Duende.BFF combines these tools and adds additional security and
 application features that are useful with a BFF architecture so that you can focus on providing application logic
 instead of security logic:
 
 ![Duende BFF Security Framework - components](../images/bff_blocs.svg)
 
-## ASP.NET OpenID Connect Handler
+### ASP.NET OpenID Connect Handler
 
 Duende.BFF uses ASP.NET's OpenID Connect handler for OIDC and OAuth protocol processing. As long-term users of and
 contributors to this library, we think it is a well implemented and flexible implementation of the protocols.
 
-## ASP.NET Cookie Handler
+### ASP.NET Cookie Handler
 
-Duende.BFF uses ASP.NET's Cookie handler for session management. The Cookie handler provides a claims-based identity to
+Duende.BFF uses ASP.NET's Cookie handler for session management. The cookie handler provides a claims-based identity to
 the application persisted in a digitally signed and encrypted cookie that is protected with modern cookie security
 features, including the Secure, HttpOnly and SameSite attributes. The handler also provides absolute and sliding session
 support, and has a flexible extensibility model, which Duende.BFF uses to
 implement [server-side session management](/bff/fundamentals/session/server-side-sessions/)
 and [back-channel logout support](/bff/fundamentals/session/management/back-channel-logout/).
 
-## Duende.AccessTokenManagement
+### Duende.AccessTokenManagement
 
 Duende.BFF uses the Duende.AccessTokenManagement library for access token management and storage. This includes storage
 and retrieval of tokens, refreshing tokens as needed, and revoking tokens on logout. The library provides integration
 with the ASP.NET HTTP client to automatically attach tokens to outgoing HTTP requests, and its underlying management
 actions can also be programmatically invoked through an imperative API.
 
-## API Endpoints
+### API Endpoints
 
 In the BFF architecture, the frontend makes API calls to backend services via the BFF host exclusively. Typically, the
 BFF acts as a reverse proxy to [remote APIs](/bff/fundamentals/apis/remote), providing session and token management.
 Implementing local APIs within the BFF host is also [possible](/bff/fundamentals/apis/local). Regardless, requests to
 APIs are authenticated with the session cookie and need to be secured with an anti-forgery protection header.
 
-## YARP
+### YARP
 
 Duende.BFF proxies requests to remote APIs using Microsoft's YARP (Yet Another Reverse Proxy). You can set up YARP using
 a simplified developer-centric configuration API provided by Duende.BFF, or if you have more complex requirements, you
 can use the full YARP configuration system directly. If you are using YARP directly, Duende.BFF
 provides [YARP integration](/bff/fundamentals/apis/yarp) to add BFF security and identity features.
 
-## UI Assets
+### UI Assets
 
 The BFF host typically serves at least some of the UI assets of the frontend, which can be HTML/JS/CSS, WASM, and/or
 server-rendered content. Serving the UI assets, or at least the index page of the UI from the same origin as the backend
@@ -78,7 +90,7 @@ SameSite cookie attribute prevents the frontend from sending the authentication
 It is also possible to separate the BFF and UI and host them separately. See [here](/bff/architecture/ui-hosting) for
 more discussion of UI hosting architecture.
 
-## Blazor Support
+### Blazor Support
 
 Blazor based applications have unique challenges when it comes to authentication state. It's possible to mix various
 rendering models in a single application. Auto mode even starts off server rendered, then transitions to WASM when the

src/content/docs/bff/architecture/multi-frontend.md

@@ -29,7 +29,7 @@ The Duende BFF V4 library doesn't ship with an abstraction to store or read fron
 
 ## A Typical Example
 
-Consider an enterprise that hosts multiple browser based applications. Each of these applications is developed by a separate team and as such, has it's own deployment schedule. 
+Consider an enterprise that hosts multiple browser based applications. Each of these applications is developed by a separate team and as such, has its own deployment schedule. 
 
 There are some internal-facing applications that are exclusively used by internal employees. These internal employees are all present in Microsoft Entra ID, so these internal-facing applications should directly authenticate against Microsoft Entra ID. These applications also use several internal APIs, that due to the sensitivity, should not be accessible by external users. However, they also use some of the more common APIs. These apps are only accessible via an internal DNS name, such as `https://app1.internal.example.com`. 
 
@@ -60,6 +60,41 @@ After your application's logic is executed, there are two middlewares registered
 
 5. `MapRemoteRoutesMiddleware` - This will handle any configured remote routes. Note, it will not handle plain YARP calls, only routes that are specifically added to a frontend.
 
-6. `ProxyIndexMiddleware` - If configured, this proxy the `index.html` to start the browser based app.  
+6. `ProxyIndexMiddleware` - If configured, this proxies the `index.html` to start the browser based app.  
 
+If you don't want this automatic mapping of BFF middleware, you can turn it off using `BffOptions.AutomaticallyRegisterBffMiddleware`. When doing so, you'll need to manually register and add the middlewares:
+
+```csharp
+var app = builder.Build();
+
+app.UseBffFrontendSelection();
+app.UseBffPathMapping();
+app.UseBffOpenIdCallbacks();
+
+// TODO: your custom middleware goes here
+app.UseRouting(); 
+app.UseBff();
+
+// NOTE: Only add this if you want to proxy remote APIs. 
+app.UseBffRemoteRoutes();
+
+app.MapBffManagementEndpoints();
+app.UseBffIndexPages();
+
+app.Run();
+```
+
+## Authentication Architecture
+
+When you use multiple frontends, you can't rely on [manual authentication configuration](../fundamentals/session/handlers.mdx#manually-configuring-authentication). This is because each frontend requires its own scheme, and potentially its own OpenID Connect and Cookie configuration. 
+
+The BFF registers a dynamic authentication scheme, which automatically configures the OpenID Connect and Cookie Scheme's on behalf of the frontends. It does this using a custom `AuthenticationSchemeProvider` called `BffAuthenticationSchemeProvider` to return appropriate authentication schemes for each frontend. 
+
+The BFF will register two schemes:
+* `duende-bff-oidc`
+* `duende-bff-cookie`
+
+Then, if there are no default authentication schemes registered, it will register 'duende_bff_cookie' schemes as the `AuthenticationOptions.DefaultScheme`, and 'duende_bff_oidc' as the `AuthenticationOptions.DefaultAuthenticateScheme` and `AuthenticationOptions.DefaultSignOutScheme`. This will ensure that calls to `Authenticate()` or `Signout()` will use the appropriate schemes. 
+
+If you're using multiple frontends, then the BFF will create dynamic schemes with the following signature: `duende_bff_oidc_[frontendname]` and `duende_bff_cookie_[frontendname]`. This ensures that every frontend can use its own OpenID Connect and Cookie settings. 
 

src/content/docs/bff/architecture/ui-hosting.md

@@ -102,4 +102,8 @@ a number of [deployment options](https://angular.io/guide/deployment) that allow
 assets.
 
 The added complexity of this technique is justified when there is a requirement to host the front end on a different
-site (typically a CDN) from the BFF.
+site (typically a CDN) from the BFF.
+
+:::note
+BFF V4 has built-in support for proxying the index.html from a CDN. 
+:::

src/content/docs/bff/extensibility/http-forwarder.md

@@ -17,7 +17,8 @@ You can customize the HTTP forwarder behavior in two ways
 * provide a customized HTTP client for outgoing calls
 * provide custom request/response transformation
 
-### Custom HTTP clients
+## Custom HTTP Clients
+
 By default, Duende.BFF will create and cache an HTTP client per configured route or local path.
 
 This invoker is set up like this:
@@ -32,64 +33,112 @@ var client = new HttpMessageInvoker(new SocketsHttpHandler
 });
 ```
 
-If you want to customize the HTTP client for specific paths, you can either implement the *IHttpMessageInvokerFactory* interface or derive from the *DefaultHttpMessageInvokerFactory*, e.g.:
+If you want to customize the HTTP client you can implement the `IForwarderHttpClientFactory` interface, e.g.:
 
 ```cs
-public class MyInvokerFactory : DefaultHttpMessageInvokerFactory
+public class MyInvokerFactory : IForwarderHttpClientFactory
 {
-    public override HttpMessageInvoker CreateClient(string localPath)
+    public HttpMessageInvoker CreateClient(ForwarderHttpClientContext context)
     {
-        if (localPath == "/foo")
+        return Clients.GetOrAdd(localPath, (key) =>
         {
-            return Clients.GetOrAdd(localPath, (key) =>
+            return new HttpMessageInvoker(new SocketsHttpHandler
             {
-                return new HttpMessageInvoker(new SocketsHttpHandler
-                {
-                    // this API needs a proxy
-                    UseProxy = true,
-                    Proxy = new WebProxy("https://myproxy"),
-                    
-                    AllowAutoRedirect = false,
-                    AutomaticDecompression = DecompressionMethods.None,
-                    UseCookies = false
-                });
+                // this API needs a proxy
+                UseProxy = true,
+                Proxy = new WebProxy("https://myproxy"),
+                
+                AllowAutoRedirect = false,
+                AutomaticDecompression = DecompressionMethods.None,
+                UseCookies = false
             });
-        }
-        
-        return base.CreateClient(localPath);
+        });
     }
 }
 ```
 
 ...and override our registration:
 
 ```cs
-services.AddSingleton<IHttpMessageInvokerFactory, MyInvokerFactory>();
+services.AddSingleton<IForwarderHttpClientFactory, MyInvokerFactory>();
 ```
 
-### Custom Transformations
-In the standard configuration, BFF uses the YARP default behavior for forwarding HTTP requests. In addition, we
+## Custom Transformations When Using Direct Forwarding
 
-* remove the sensitive session cookie
-* add the current access token
+The method MapRemoteBffApiEndpoint uses default transformations that:
+* removes the cookie header from the forwarded request
+* removes local path from the forwarded request
+* Adds the access token to the original request
 
-If you want to modify this behavior you can either implement *IHttpTransformerFactory* from scratch: 
+If you wish to change or extend this behavior, you can do this for a single mapped endpoint
+or for all mapped API endpoints. 
 
-```cs
-public interface IHttpTransformerFactory
+### Changing The Transformer For A Single Mapped Endpoint
+
+This code block shows an example how of you can extend the default transformers with an additional custom
+transform. 
+
+```csharp
+app.MapRemoteBffApiEndpoint("/local", new Uri("https://target/"), context => {
+
+    // If you want to extend the existing behavior, then you must call the default builder:
+    DefaultBffYarpTransformerBuilders.DirectProxyWithAccessToken("/local", context);
+
+    // You can also add custom transformers, such as this one that adds an additional header
+    context.AddRequestHeader("custom", "with value");
+
+});
+```
+
+The default transform builder performs these transforms:
+
+```csharp
+context.AddRequestHeaderRemove("Cookie");
+context.AddPathRemovePrefix(localPath);
+context.AddBffAccessToken(localPath);
+```
+
+For more information, also see the [YARP documentation on transforms](https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/yarp/transforms?view=aspnetcore-9.0)
+
+### Changing The Default Transformer
+
+You can change the default transformer builder delegate by registering one in the services collection:
+
+```csharp
+BffYarpTransformBuilder builder = (localPath, context) => {
+
+    // If you want to extend the existing behavior, then you must call the default builder:
+    DefaultBffYarpTransformerBuilders.DirectProxyWithAccessToken(localpath, context);
+
+    // You can also add custom transformers, such as this one that adds an additional header
+    context.AddResponseHeader("added-by-custom-default-transform", "some-value");
+
+};
+
+services.AddSingleton<BffYarpTransformBuilder>(builder);
+```
+
+## Changing The Forwarder Request Configuration
+
+You an also modify the forwarder request configuration, either globally or per mapped path.
+This can be useful if you want to tweak things like activity timeouts. 
+
+```csharp
+// Register a forwarder config globally: 
+services.AddSingleton(new ForwarderRequestConfig()
 {
-    /// <summary>
-    /// Creates a HTTP transformer based on the local path
-    /// </summary>
-    /// <param name="localPath">Local path the remote API is mapped to</param>
-    /// <param name="accessToken">The access token to attach to the request (if present)</param>
-    /// <returns></returns>
-    HttpTransformer CreateTransformer(string localPath, string accessToken = null);
-}
+    ActivityTimeout = TimeSpan.FromMilliseconds(100)
+});
+
+// Or modify one on a per mapped route basis:
+app.MapRemoteBffApiEndpoint("/local", new Uri("https://target/"),
+    requestConfig: new ForwarderRequestConfig()
+    {
+        // 100 ms timeout, which is not too short that the normal process might fail,
+        // but not too long that the test will take forever
+        ActivityTimeout = TimeSpan.FromMilliseconds(100)
+    });
 ```
 
-...or derive from the *DefaultHttpTransformerFactory*.
 
-:::note
-The transformations are based on YARP's transform library and are extensible. See [here](https://microsoft.github.io/reverse-proxy/articles/transforms.html) for a full list of built-in transforms.
-:::
+