Duende.BFF 4.2.0 (original) (raw)
Backend for Frontend (BFF) Security Framework
Securing SPAs and Blazor WASM applications once and for all.
Welcome to the official GitHub repository for the Duende Backend for Frontend (BFF) Security Framework!
Overview
Duende.BFF is a framework for building services that solve security and identity problems in browser based applications such as SPAs and Blazor WASM applications. It is used to create a backend host that is paired with a frontend application. This backend is called the Backend For Frontend (BFF) host, and is responsible for all of the OAuth and OIDC protocol interactions. Moving the protocol handling out of JavaScript provides important security benefits and works around changes in browser privacy rules that increasingly disrupt OAuth and OIDC protocol flows in browser based applications. The Duende.BFF library makes it easy to build and secure BFF hosts by providing session and token management, API endpoint protection, and logout notifications.
Extensibility
Duende.BFF can be extended with:
- custom logic at the session management endpoints
- custom logic and configuration for HTTP forwarding to external API endpoints
- custom data storage for server-side sessions and access/refresh tokens
Advanced Security Features
Duende.BFF supports a wide range of security scenarios for modern applications:
- Mutual TLS
- Proof-of-Possession
- JWT secured authorization requests
- JWT-based client authentication.
Getting Started
If you're ready to dive into development, check out our Quickstart Tutorial for step-by-step guidance.
For more in-depth documentation, visit our documentation portal.
Running the Hosts.AppHost project
The Hosts.AppHost project is an Aspnet Aspire project that launches all dependencies. For example, it starts an identity server and various ways that the BFF can be configured. Use this to test if the functionality is still working.
There's also an integration test project covering this. This project can run in 3 modes:
- Directly. Then the test fixture will launch an aspire test host. It will run all tests against the aspire test host.
- With manually run aspire host. The advantage of this is that you can keep your aspire host running and only iterate on your tests. This is more efficient for writing the tests. It also leaves the door open to re-using these tests to run them against a deployed in stance somewhere in the future. Downside is that you cannot debug both your tests and host at the same time because visual studio compiles them in the same location.
- With NCrunch. It turns out that NCrunch doesn't support building aspire projects. Iterating over the tests using ncrunch is the fastest way to get feedback. However, to make this work, conditional compilation is used.
Starting the host can be done via the UI (set as startup project using 'HTTPS' as the launch profile). It can also be started from the command line (which makes iterating over the tests faster) Running it with configuration release means you can compile / modify the tests while keeping the dev server running.
dotnet run -p samples/Hosts.AppHost --Configuration Release
Licensing
Duende.BFF is source-available, but requires a paid license for production use.
- Development and Testing: You are free to use and explore the code for development, testing, or personal projects without a license.
- Production: A license is required for production environments.
- Free Community Edition: A free Community Edition license is available for qualifying companies and non-profit organizations. Learn more here.
Reporting Issues and Getting Support
- For bug reports or feature requests, use our developer community forum.
- For security-related concerns, please contact us privately at: security@duendesoftware.com.
| Product | Compatible and additional computed target framework versions. |
|---|---|
| .NET | net10.0 is compatible. net10.0-android was computed. net10.0-browser was computed. net10.0-ios was computed. net10.0-maccatalyst was computed. net10.0-macos was computed. net10.0-tvos was computed. net10.0-windows was computed. |
net10.0
- Duende.AccessTokenManagement.OpenIdConnect (>= 4.1.1)
- Microsoft.Extensions.Caching.Hybrid (>= 10.0.0)
NuGet packages (6)
Showing the top 5 NuGet packages that depend on Duende.BFF:
| Package | Downloads |
|---|---|
| Duende.BFF.Yarp Backend for frontend (BFF) host for ASP.NET Core (YARP integration) | 2.9M |
| Duende.BFF.EntityFramework Entity Framework Core support for backend for frontend (BFF) host for ASP.NET Core | 996.9K |
| Elvia.Elvid.Bff.UserClient Package Description | 62.2K |
| Duende.BFF.Blazor Package Description | 40.1K |
| Vertiq.Features.Duende A highly modular framework for writing Blazor applications with a hassle-free, vertical-sliced architecture - Easy. Flexible. Focused. | 31.8K |
GitHub repositories (5)
Showing the top 5 popular GitHub repositories that depend on Duende.BFF:
| Repository | Stars |
|---|---|
| thangchung/clean-architecture-dotnet 🕸 Yet Another .NET Clean Architecture, but for Microservices project. It uses Minimal Clean Architecture with DDD-lite, CQRS-lite, and just enough Cloud-native patterns apply on the simple eCommerce sample and run on Tye with Dapr extension 🍻 | 1.3K |
| mehdihadeli/food-delivery-microservices 🍔 A practical and cloud-native food delivery microservices, built with .Net Aspire, .Net 9, MassTransit, Domain-Driven Design, CQRS, Vertical Slice Architecture, Event-Driven Architecture, and the latest technologies. | 995 |
| damikun/trouble-training FullStack DDD/CQRS with GraphQL workshop including distributed tracing and monitoring. This shows the configuration from React frontend to .Net backend. | 480 |
| ardalis/WebApiBestPractices Resources related to my Pluralsight course on this topic. | 171 |
| youssefbennour/AspNetCore.Starter A modular-monolith ASP.NET Core starter inspired by Evolutionary-architecture | 115 |
Include prerelease
Include vulnerable
Include deprecated
| Version | Downloads | Last Updated |
|---|---|---|
| 4.2.0 | 1,434 | 6/10/2026 |
| 4.2.0-preview.1 | 70 | 5/28/2026 |
| 4.1.2 | 122,113 | 3/13/2026 |
| 4.1.1 | 105,519 | 2/18/2026 |
| 4.1.1-rc.1 | 89 | 2/9/2026 |
| 4.1.0 | 25,635 | 1/29/2026 |
| 4.0.3 | 875 | 1/29/2026 |
| 4.0.2 | 40,252 | 1/13/2026 |
| 4.0.1 | 20,940 | 12/12/2025 |
| 4.0.0 | 26,815 | 12/2/2025 |
| 4.0.0-rc.4 | 1,556 | 11/12/2025 |
| 4.0.0-rc.3 | 2,940 | 10/17/2025 |
| 4.0.0-rc.2 | 4,097 | 9/26/2025 |
| 4.0.0-rc.1 | 7,019 | 7/24/2025 |
| 4.0.0-preview3 | 790 | 7/16/2025 |
| 4.0.0-preview2 | 1,394 | 6/13/2025 |
| 3.1.0 | 120,921 | 12/2/2025 |
| 3.1.0-rc.1 | 324 | 11/12/2025 |
| 3.1.0-preview.2 | 169 | 10/17/2025 |
| 3.1.0-preview.1 | 176 | 10/16/2025 |