hmm, interesting setup! have u considered a jwt token instead of only a session cookie? bff could make a signed jwt post-auth0 login with user info. angular decodes that token to verify auth status. what are ur thoughts?
In your BFF OAuth2 setup, Angular can verify user authentication through a combination of techniques. One effective approach is implementing a secure API endpoint on your Spring server specifically for authentication status. Angular can make an HTTP request to this endpoint upon landing, which checks the session cookie and validates it against the Redis session.
If the session is valid and contains Auth0 tokens, the server can respond with a success status and potentially some user info. Angular then uses this response to set its internal authentication state. To maintain security, ensure this endpoint is protected and returns minimal necessary information.
For ongoing validation, you could implement an HTTP interceptor in Angular to check authentication status before each API call, refreshing as needed. This server-validated mechanism prevents the client from directly accessing sensitive token data.
hey, I've dealt with this b4. u could add a /auth-status endpoint on ur spring server. when angular loads, hit that endpoint. server checks the cookie & redis session, confirms if tokens r there. if good, send back a simple 'authenticated' flag. angular can use that to set its auth state. ez peezy!
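The client side of the `/auth-status` pattern that both of the replies above describe, as an added example that is not from this thread or from any project it mentions. It is framework-agnostic TypeScript rather than an Angular service: Angular's `HttpClient` and interceptor classes are replaced by an injected fetch-like function so the logic runs outside a browser. The endpoint path `/auth-status`, the response shape `{ authenticated, user: { sub, name } }`, the `parseAuthStatus` / `AuthStatusClient` names and the refresh behaviour are all assumptions, not the project's real API. The point it demonstrates: the browser only ever sends the session cookie and only ever sets "logged in" from an explicit positive verdict by the BFF; tokens stay server-side.

```typescript
// Added example (not from the thread or any project it mentions): a
// framework-agnostic client for a BFF "/auth-status" endpoint. Angular's
// HttpClient/interceptors are replaced by an injected fetch-like function.
// Endpoint path, response shape and field names are assumptions.

export type AuthStatus =
  | { authenticated: true; user: { sub: string; name?: string } }
  | { authenticated: false };

/** Minimal slice of fetch/Response used here, so no DOM typings are needed. */
export interface ResponseLike {
  status: number;
  json(): Promise<unknown>;
}
export type FetchLike = (
  url: string,
  init: { method: string; credentials: "include"; headers: Record<string, string> }
) => Promise<ResponseLike>;

/**
 * Turn the raw JSON body into an AuthStatus. Anything that is not an explicit
 * `authenticated: true` with a non-empty string `user.sub` is treated as
 * unauthenticated: the client never infers a logged-in state from a vague or
 * malformed answer, only from a positive server verdict. Only the fields the
 * UI needs are copied out, so extra data in the body is dropped, not cached.
 */
export function parseAuthStatus(body: unknown): AuthStatus {
  if (typeof body !== "object" || body === null) return { authenticated: false };
  const b = body as { authenticated?: unknown; user?: unknown };
  if (b.authenticated !== true) return { authenticated: false };
  const u = b.user as { sub?: unknown; name?: unknown } | undefined;
  if (!u || typeof u.sub !== "string" || u.sub.length === 0) {
    return { authenticated: false };
  }
  const user: { sub: string; name?: string } = { sub: u.sub };
  if (typeof u.name === "string") user.name = u.name;
  return { authenticated: true, user };
}

export class AuthStatusClient {
  private cached: AuthStatus | null = null;

  constructor(private readonly fetchFn: FetchLike, private readonly base = "") {}

  isAuthenticated(): boolean {
    return this.cached?.authenticated === true;
  }

  /** Called on app load: ask the BFF whether the session cookie maps to a
   *  valid Redis session holding the Auth0 tokens. The cookie travels with
   *  credentials: "include"; the tokens themselves never reach the browser. */
  async check(): Promise<AuthStatus> {
    const res = await this.fetchFn(`${this.base}/auth-status`, {
      method: "GET",
      credentials: "include",
      headers: { Accept: "application/json" },
    });
    if (res.status === 401 || res.status === 403) {
      this.cached = { authenticated: false }; // no or expired session
    } else if (res.status === 200) {
      this.cached = parseAuthStatus(await res.json());
    } else {
      // 5xx or an unexpected code: never flip to "authenticated"; surface it
      throw new Error(`auth-status returned HTTP ${res.status}`);
    }
    return this.cached;
  }

  /** Interceptor-style wrapper for API calls: re-validate with the server when
   *  nothing positive is cached, and drop the cached state if the API answers
   *  401 (session expired between calls). Returns the API response, or null
   *  when the BFF says the user is not authenticated. */
  async withAuth(call: () => Promise<ResponseLike>): Promise<ResponseLike | null> {
    if (!this.isAuthenticated()) {
      const status = await this.check();
      if (!status.authenticated) return null;
    }
    const res = await call();
    if (res.status === 401) this.cached = { authenticated: false };
    return res;
  }
}
```

In a real Angular app `check()` would run from an `APP_INITIALIZER` or a route guard and `withAuth()` would be the body of an `HttpInterceptor`; the cached flag is only a UI hint, and every protected API call is still authorized by the BFF against the Redis session, which is what keeps the client from ever holding or trusting token data.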