The New Curity Token Handler Addresses Single Page Application Security
We are excited to introduce the token handler feature, now available in the Curity Identity Server starting from version 9.3.
This feature provides robust website-level access security for single-page applications (SPAs). With the Curity Token Handler, a ready-to-deploy Backend for Frontend (BFF) authentication solution, organizations can enjoy the benefits of SPAs, such as enhanced user experiences and rapid deployment, all while maintaining strong protection against cyber threats.
“SPAs elevate digital customer experiences and can be launched quickly, but secure browser-based authentication is difficult to achieve. By managing API access verification from the users’ browser and simplifying implementation, the Curity Token Handler addresses the security and development resource obstacles that have slowed SPA adoption” - Curity CTO, Jacob Ideskog.
An alternative to websites, single-page applications have been gaining traction in recent years. SPAs store readily accessible information in the browser instead of pulling data from a backend database. As a result, these lightweight web applications provide a way to deliver easy-to-navigate, responsive online services such as banking and social media communities. However, security has been an ongoing concern because identity and access management must occur in the user’s browser, outside of the organization’s firewall-protected network.
The Curity Token Handler enables user authentication in the SPA without requiring a network-protected backend data system for identity verification. It uses secure cookies combined with an OAuth proxy that resides on an API gateway for token verification at the application level. Following OAuth Best Current Practices for browser-based applications, the Token Handler separates web and API concerns to eliminate dependence on a backend connection and retain the full benefits of a secure SPA architecture.
Additionally, the Curity Token Handler is designed for simplified deployment, enabling developers to achieve security without delaying application time-to-launch. It also delivers plug-and-play compatibility with popular API gateways, including Azure API Management, Google Apigee, AWS, Kong and NGINX.
The Curity Token Handler is a complementary addition to the company’s flagship product, the Curity Identity Server, and part of the Curity Technology Solutions™.