I am building an internal monolith exposing a bunch of gRPC services that I am planning to put to use as the core of my system (i.e. containing all business logic).

More, the client is interested in having a Web application as the entry point to the system, but also showed interest in a JSON API in the future. So, I thought BFF could be the way with a server-rendered Web “frontend” (using cookies) and at a later time a JSON API frontend (using API tokens) where the client requires programmatic access.

The question: where do I do user authentication and authorization? The internal monolith is pretty much an unrestricted API at present as it is only supposed to be used internally. I want to have a clear separation of concerns so I have quite mixed feelings about putting the authn/authz logic in there. In the frontend, OTOH, I would be duplicating a lot of code and it would potentially open it up to bugs given that I'd have to update both frontends in case I change the logic.

TLDR: Should it live in the frontend or backend?
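To make the trade-off in the question concrete, here is an added sketch (not from the poster's system) of the split where each BFF authenticates its own way (session cookie vs. API token) and the backend enforces one authorization policy per gRPC method, the way a server interceptor would. Service names, session and token stores, and the `x-principal-*` metadata keys are all constructed for this example; grpcio itself is left out so it runs stand-alone.

```python
from dataclasses import dataclass
from typing import FrozenSet, Mapping

@dataclass(frozen=True)
class Principal:
    subject: str
    roles: FrozenSet[str]

# Policy table: the single place the authorization rules live in the backend.
# Service/method names are constructed; real ones come from the .proto files.
METHOD_ROLES: dict[str, FrozenSet[str]] = {
    "/orders.OrderService/ListOrders": frozenset({"viewer", "editor", "admin"}),
    "/orders.OrderService/CreateOrder": frozenset({"editor", "admin"}),
    "/admin.AdminService/DeleteTenant": frozenset({"admin"}),
}

class PermissionDenied(Exception):
    pass

def authorize(principal: Principal, full_method: str) -> bool:
    """Deny by default: a method missing from the table is callable by nobody."""
    allowed = METHOD_ROLES.get(full_method, frozenset())
    if not principal.roles & allowed:
        raise PermissionDenied(f"{principal.subject} may not call {full_method}")
    return True

# --- Frontend side: each BFF authenticates its own way, then forwards the result ---
# Constructed stand-ins for the cookie frontend's session store and the API-token store.
SESSIONS: Mapping[str, Principal] = {"sess-abc": Principal("alice", frozenset({"editor"}))}
API_TOKENS: Mapping[str, Principal] = {"tok-xyz": Principal("svc-report", frozenset({"viewer"}))}

def principal_from_cookie(session_id: str) -> Principal:
    return SESSIONS[session_id]          # KeyError means unauthenticated

def principal_from_token(token: str) -> Principal:
    return API_TOKENS[token]

def to_metadata(p: Principal) -> dict[str, str]:
    """Metadata the frontend attaches to the RPC. The backend must only be reachable by
    trusted frontends (network policy / mTLS), or anyone could assert any principal."""
    return {"x-principal-subject": p.subject, "x-principal-roles": ",".join(sorted(p.roles))}

# --- Backend side: what a server interceptor runs before every handler ---
def check_call(metadata: Mapping[str, str], full_method: str) -> Principal:
    try:
        principal = Principal(metadata["x-principal-subject"],
                              frozenset(metadata["x-principal-roles"].split(",")))
    except KeyError:
        raise PermissionDenied("no principal in call metadata")  # no anonymous RPCs
    authorize(principal, full_method)
    return principal
```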