Token-Mediating Backend: An alternative to the BFF architecture
Blog post from FusionAuth
The Token-Mediating Backend (TMB) is an OAuth 2 architecture for browser-based applications and a variation of the Backend-for-Frontend (BFF) model. As in BFF, the backend runs the OAuth flow and holds the client credentials and the refresh token; unlike BFF, it hands the access token to the frontend, so the browser calls resource servers directly instead of proxying every API request through the backend.

That placement is the trade-off. Because the access token is available to JavaScript running in the page, it can be exfiltrated by malicious scripts or through cross-site scripting (XSS), which makes TMB less secure than BFF, where the browser never sees the token. It is still more secure than the Browser-Based OAuth Client (BBOC) architecture, in which the browser itself is the OAuth client and holds every token, including the refresh token. TMB suits applications that need low latency or cannot route all API traffic through the backend for infrastructure reasons, since skipping the backend hop saves a round trip on every call.

TMB's main weakness can be narrowed with Demonstrating Proof of Possession (DPoP, RFC 9449), which binds the access token to a key pair held by the client. Each request must then carry both the token and a DPoP proof: a short-lived JWT signed with the private key that covers the HTTP method, the request URL and a hash of the token. If the key is generated as a non-extractable WebCrypto key, a script that steals the token cannot use it from another origin or device, because it cannot produce a valid proof. DPoP does not stop an attacker whose code already runs in the page from issuing signed requests from there, so it reduces, rather than removes, the XSS risk. With DPoP in place, TMB is a viable option for applications that cannot fully adopt BFF because of such constraints, and FusionAuth supports DPoP for this purpose.