OAuth2 BFF for SPAs — Stop Putting Tokens in localStorage
Jitin Kayyala · 12 min read · 1 hour ago
Imagine you build a React app and it stores the access token in localStorage. A simple XSS exploit—a malicious script injected through a compromised third-party library or an unvalidated user input—reads the token and sends it to an attacker's server.
Game over.
The attacker now has full access to your user's account until the token expires.
This is the problem with treating Single Page Applications (SPAs) as OAuth2 “public clients.” Browsers are hostile environments.
Tokens stored in localStorage or sessionStorage are readable by any JavaScript running on the page. Even httpOnly cookies aren't enough when the SPA itself calls the token endpoint—the authorization code and client credentials are still exposed in browser memory.
The Backend for Frontend (BFF) pattern solves this by moving OAuth2 entirely server-side.
If you need more details on the BFF pattern, see the earlier post "Backend for Frontend (BFF) in Java — A Practical Guide" on levelup.gitconnected.com, which starts with the problem the Backend for Frontend pattern solves.