Today, we are excited to announce the release of Duende BFF Security Framework v4 (BFFv4), an essential update that fundamentally simplifies how .NET developers secure multi-frontend applications while dramatically increasing system observability.
For .NET developers, Duende provides an identity infrastructure solution offering an SDK for flexible, standards-compliant identity and access control. Duende’s solutions enable customization of implementations built on OpenID Connect and OAuth 2.0. As highlighted in the BFFv4 live stream, and in line with the Internet Engineering Task Force’s (IETF) best current practice document, storing OAuth tokens in the browser is a significant security risk that exposes your application to various injection and supply-chain attacks. The backend for frontend (BFF) pattern moves the OAuth flow and token management to the secure server side and uses HTTP-only cookies to manage the user session, drastically reducing the attack surface.
With BFFv4, we continue our mission: secure, standards-based identity—all simplified for developers.
🚀 Single BFF to Secure Your Multi-App Enterprise
Organizations often deploy dozens of frontend apps - React, Angular, Vue.js, and Blazor WASM - each requiring its own secure backend for frontend. The coupling of the frontend and backend results in redundant deployments, configuration sprawl, and significant operational overhead. Unlike competitors, where multi-frontend is often a complex configuration, Duende's BFF v4.0 delivers a flexible, scalable foundation for managing tokens on the server as a first-class capability.
BFFv4: Security, Consolidation, and Flexible Deployment
With BFF v4.0's multi-frontend support, enterprises can finally unify identity for multiple frontends from a single, secure BFF deployment. If you have dozens of applications in your enterprise, you normally have to deploy the same number of BFFs - dozens! With BFFv4 multi-frontend support, you can simply deploy one BFF.
- Server-side Resilience: BFFv4 enhances security by storing tokens server-side, using HTTP-only, encrypted cookies to prevent XSS token theft, and enabling resilient back-channel logout.
- Consolidate to Reduce Overhead: A single BFF instance can securely serve multiple React, Angular, Blazor, or Vue applications. This powerful feature eliminates the need for redundant security deployments, drastically cutting operational overhead and allowing your teams to focus on core business logic.
- Flexible Deployment Options: With multi-frontend support, you can now dynamically add or remove frontends without redeploying the BFF, reducing infrastructure cost and complexity.

With BFFv4 and Duende’s licensing, you pick whatever works for your requirements and future needs, including configuring whether frontends share or isolate identity solutions.
To illustrate the difference, let’s review the image above. Depicted is the BFF Starter Edition, which allows up to 3 frontends, whichever way you choose to deploy your application. BFFv3 provides "a" backend for a "single" frontend, where "frontend" refers to the browser-based component of an application. With the introduction of BFF v4, the multi-frontend feature enables hosting multiple logical backends for browser-based applications on a single physical BFF host. BFFv4 also still supports the v3 deployment model, which may be better for your larger applications. Please see our BFF product page for more details on pricing and packaging.
🔭 OpenTelemetry: End-to-End Observability Unlocked
Without visibility into token flows, session lifecycles, and API proxying, it's a massive challenge to troubleshoot identity problems. BFF v4 solves this diagnostics challenge by introducing OpenTelemetry integration and support, giving teams end-to-end visibility across authentication and proxy traffic.
- Real-time Visibility: Teams can see token flows, session lifecycles, and API proxying.
- Faster Troubleshooting and Auditing: With this end-to-end observability, developers can perform faster root-cause analysis for login, token, and API issues. Security teams can also simplify compliance and security audits by having a record of the entire authentication journey.
🛠️ Enhanced Developer Experience and Time to Value
In addition to the headline features, BFF v4.0 includes essential improvements focused on developer experience, giving developers greater choice and control around configuration and deployment while also improving customers' time to value.
- Simplified Configuration (Faster to Get Started): Traditionally, setting up a new BFF involves configuring several components, where mistakes are easily made. BFF v4 automatically applies the recommended setup while still allowing granular control, making BFF more straightforward to add and configure.
- Support for All Major Frontends: During development, your BFFv4 implementation seamlessly integrates with and supports all major browser-based frontend technologies, including React, Angular, Vue.js, and Blazor WASM, ensuring compatibility regardless of your team's tech stack.
- Support for OIDC Login Prompts: Developers often have to choose between enforcing strict re-authentication policies and sparing users a nagging experience. BFF v4.0 eliminates that compromise with configurable login prompts, supporting high-assurance workflows (such as financial transactions or health data access) without degrading everyday user experience. This allows you to tune security and user experience together.
- Granular Anti-Forgery Checks: We've provided more fine-grained control over which API endpoints require anti-forgery checks, supporting advanced scenarios like split-host deployments and specific protocols (e.g., WebSockets).
Get Started Today!
Duende IdentityServer BFF v4 is available now.
Upgrade to BFF v4.0 today to gain the choice of consolidating your multi-frontend applications into a single, scalable deployment, unlock end-to-end visibility with OpenTelemetry integration, and benefit from enhanced security and a streamlined developer experience. Ready to secure your frontends the right way? You can find the latest package on NuGet.
Detailed release notes and our source code are also available on GitHub. We look forward to your feedback on this release. Feel free to comment on this post or join the discussion in our community forum. Thank you for your continued support.