Show HN: Front end-Only-Authorization – A new web standard

43 points by orweis almost 2 years ago

9 comments

yamtaddle almost 2 years ago
> The "trick" is that it's frontend-only in the same sense that Serverless has no servers.

Looks like it's some kind of authorization proxy.
Reply #36139231 not loaded
matlin almost 2 years ago
Seems more of a generic authorization proxy rather than anything frontend related. Useful, but "front-end only" doesn't seem to be accurate.
Reply #36139514 not loaded
Semaphor almost 2 years ago
So, first impression: isn't the FoAz proxy simply the backend? I apologize if that seems like a dumb question; I never used OAuth or JWT.
Reply #36139111 not loaded
Apreche almost 2 years ago
This isn't a new idea. This exact proxy pattern already exists with things like AWS API Gateway Lambda Authorizers.

This is still quite a useful architecture as it allows the backend to be implemented without concern for authentication or authorization. You just have to make absolutely sure that nobody can reach the backend except via the proxy.

The one downside is that it limits authorization to simple yes/no. The user may proceed with this API call, or they may not. There are occasions where you may want to allow the API call, but alter the results based on authorization.

For example, a user wants to list objects, which you want to allow, but you only want the list to contain objects the user is permitted to view. In this case you can't completely avoid implementing authorization on the backend. The proxy has to tell the backend the user's identity, and the backend has to implement some logic based on that.
Reply #36141029 not loaded
Reply #36140957 not loaded
cryptonector almost 2 years ago
> It sure sounds like it, but no - it works, it's easy, and it's super safe. The "trick" is that it's frontend-only in the same sense that Serverless has no servers. There is a backend component which actually enforces the access, you just don't have to build it - FoAz is a generic backend component leveraging policy as code together with a reverse-proxy, and secrets management services to produce a one size fits all backend authorization.

Phew. I was about to blow a gasket.

So, this approach works, but generally either you build a lot of knowledge of apps' resources (URI local-parts and q-params semantics) or you have very coarse-grained authz or you restructure your applications so that a minimal authz language can represent a lot of what you're doing using only URI local-parts.
chillbill almost 2 years ago
If you don't own the authorization backend, how can an application guarantee data safety and ownership?
Reply #36139882 not loaded
TekMol almost 2 years ago
IMHO the best way to do authorization if your application otherwise works completely in the frontend:

Rent a tiny VM for $5/month and set up a small "enter your email, you'll get a magic link" application you write in Python or PHP.

And proxy whatever API access you want to restrict to authorized users through a simple Python or PHP script which can just be a few lines of code. It looks up the cookie set by the magic link, checks if it is allowed to access the endpoint and if yes proxies the request.
Reply #36139333 not loaded
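The proxy pattern that Apreche's comment describes (yes/no decision at the proxy, identity handed to a backend that still has to filter a list by owner) and the cookie-checking proxy script TekMol sketches are the same shape. The block below is an added illustration of that shape in Python, written for this thread rather than taken from the post, permit.io or FoAz. It assumes a constructed in-memory session table (standing in for whatever the magic-link login writes), a constructed policy list, a constructed object store, and a hypothetical X-User header as the proxy-to-backend identity channel; it models the HTTP hop as a direct function call so it runs offline. The points worth noticing are the default-deny policy match, path normalisation before matching, the proxy stripping any client-supplied identity header before setting its own, and the backend doing nothing but ownership filtering.

```python
import hmac
import posixpath
from dataclasses import dataclass, field

# Constructed session store. In the magic-link flow, clicking the emailed link
# would create one of these rows and set its key as the "session" cookie.
SESSIONS = {
    "s-alice-7f3a": {"user": "alice", "roles": {"viewer"}},
    "s-bob-91c0": {"user": "bob", "roles": {"viewer", "admin"}},
}

# Policy as code: (method, path prefix, roles allowed). Anything not listed is denied.
POLICY = [
    ("GET", "/api/objects", {"viewer", "admin"}),
    ("DELETE", "/api/objects", {"admin"}),
]

# Constructed backend data; ownership is what the backend filters on.
OBJECTS = [
    {"id": 1, "owner": "alice"},
    {"id": 2, "owner": "bob"},
    {"id": 3, "owner": "alice"},
]

IDENTITY_HEADER = "X-User"  # hypothetical header name chosen for this example


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def lookup_session(cookie_value: str):
    """Return the session row for a cookie value, or None if unknown."""
    found = None
    # Compare against every key so timing does not reveal which ids exist.
    for sid, sess in SESSIONS.items():
        if hmac.compare_digest(sid.encode(), cookie_value.encode()):
            found = sess
    return found


def authorize(method: str, path: str, roles: set) -> bool:
    """The proxy's only question: may this identity call this endpoint at all?"""
    for pol_method, prefix, allowed in POLICY:
        if pol_method == method and (path == prefix or path.startswith(prefix + "/")):
            return bool(roles & allowed)
    return False  # default deny for anything the policy does not mention


def backend(req: Request):
    """Backend with no login logic. It trusts the identity header only because,
    by deployment, nothing but the proxy can reach it."""
    user = req.headers.get(IDENTITY_HEADER)
    if user is None:
        return 500, {"error": "no identity from proxy"}
    if req.method == "GET" and req.path == "/api/objects":
        # The part a yes/no proxy cannot do: narrow the list to the caller's objects.
        return 200, [o for o in OBJECTS if o["owner"] == user]
    if req.method == "DELETE" and req.path.startswith("/api/objects/"):
        try:
            oid = int(req.path.rsplit("/", 1)[1])
        except ValueError:
            return 404, None
        for o in OBJECTS:
            if o["id"] == oid and o["owner"] == user:
                return 200, {"deleted": oid}
        return 404, None
    return 404, None


def proxy(req: Request):
    """Authenticate via the cookie, authorize via policy, then forward with identity."""
    session = lookup_session(req.cookies.get("session", ""))
    if session is None:
        return 401, None
    path = posixpath.normpath(req.path)  # collapse "../" segments before matching
    if not authorize(req.method, path, session["roles"]):
        return 403, None
    # Drop any client-supplied identity header so the backend only ever sees
    # the identity the proxy derived from the session.
    fwd = {k: v for k, v in req.headers.items() if k.lower() != IDENTITY_HEADER.lower()}
    fwd[IDENTITY_HEADER] = session["user"]
    return backend(Request(req.method, path, {}, fwd))


if __name__ == "__main__":
    print(proxy(Request("GET", "/api/objects", {"session": "s-alice-7f3a"})))
    print(proxy(Request("DELETE", "/api/objects/1", {"session": "s-alice-7f3a"})))
```

Running it shows alice listing only her two objects and being refused a DELETE by the proxy before the backend is ever called; sending an X-User header of her own changes nothing, because the proxy overwrites it. A real deployment would put the backend on a network the proxy alone can reach, which is the assumption Apreche's comment calls out as the thing you must get right.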
orweis almost 2 years ago
Hi HackerNews, Or from permit.io here, happy to discuss and answer questions here about the concept of FoAz and its RFC.
mildred593 almost 2 years ago
OAuth can already work without a backend...