BFF Extensibility
Duende.BFF is designed to be extended at multiple layers. Most production applications will use the defaults, but each area has well-defined extension points for when you need to go beyond the defaults.
Extensibility Points
| Area | What You Can Customize | Detail Page |
|---|---|---|
| Management Endpoints | Login, logout, user info, back-channel logout, diagnostics, silent login processing | Management Endpoints |
| Session Store | Where server-side session data is persisted (custom database, cache, etc.) | Session Management |
| HTTP Forwarder | Custom HTTP clients, request/response transformations for proxied calls | HTTP Forwarder |
| Token Management | Token storage backend, per-route token retrieval (delegation, impersonation) | Token Management |
Management Endpoints
Each BFF management endpoint has a corresponding interface that you can implement to customize its behavior. In v4, the pattern is to map a custom route at the same path and call the default endpoint implementation, allowing you to add logic before and after default processing.
| Endpoint | Default Path | Interface (v4) | Interface (v3) | Detail |
|---|---|---|---|---|
| Login | /bff/login | ILoginEndpoint | ILoginService | Login Extensibility |
| Logout | /bff/logout | ILogoutEndpoint | ILogoutService | Logout Extensibility |
| User | /bff/user | IUserEndpoint | IUserService | User Extensibility |
| Silent Login | /bff/silent-login | ISilentLoginEndpoint | ISilentLoginService | Silent Login Extensibility |
| Back-Channel Logout | /bff/backchannel | IBackchannelLogoutEndpoint | IBackchannelLogoutService | Back-Channel Logout Extensibility |
| Diagnostics | /bff/diagnostics | IDiagnosticsEndpoint | IDiagnosticsService | Diagnostics Extensibility |
General Pattern (v4)
All management endpoint customizations in v4 follow the same pattern:

```csharp
var bffOptions = app.Services.GetRequiredService<IOptions<BffOptions>>().Value;

app.MapGet(bffOptions.LoginPath, async (HttpContext context, CancellationToken ct) =>
{
    // Custom logic before the default processing
    var endpoint = context.RequestServices.GetRequiredService<ILoginEndpoint>();
    await endpoint.ProcessRequestAsync(context, ct);
    // Custom logic after the default processing
});
```

Session Store
By default, BFF uses either an in-memory store or Entity Framework Core for server-side sessions. To use a different storage backend (Redis, custom database, etc.), implement IUserSessionStore:

```csharp
builder.Services.AddBff()
    .AddServerSideSessions<MyCustomSessionStore>();
```

See Session Management Extensibility for the full interface and implementation guidance.
HTTP Forwarder
When using MapRemoteBffApiEndpoint, BFF uses a default HTTP client and a default set of request/response transformations. You can customize:
- The HTTP client — implement IForwarderHttpClientFactory to use a proxy, custom certificates, etc.
- Request/response transformations — add custom headers, modify paths, or replace the default transformer entirely.
See HTTP Forwarder Extensibility for details.
Token Management
BFF’s token management (powered by Duende.AccessTokenManagement) can be extended in two ways:
- Custom token store — implement IUserTokenStore to store tokens outside of the session cookie or server-side session.
- Per-route token retrieval — implement IAccessTokenRetriever for scenarios like token exchange or impersonation, where different API routes need different tokens.

```csharp
app.MapRemoteBffApiEndpoint("/api/delegated", new Uri("https://api.example.com"))
    .WithAccessToken(RequiredTokenType.User)
    .WithAccessTokenRetriever<DelegationTokenRetriever>();
```

See Token Management Extensibility for details.
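The General Pattern (v4) for management endpoints shown earlier, filled in with security-relevant "before" and "after" logic. This is an added example, not Duende's code. It assumes the login request carries its redirect target in a `returnUrl` query parameter; the `BffLoginAudit` logger category and the `IsLocalPath` helper are hypothetical names.

```csharp
using Microsoft.Extensions.Options;
// Duende usings are omitted, as in the page's own snippet. The builder setup and
// `var app = builder.Build();` come before this point in Program.cs.

var bffOptions = app.Services.GetRequiredService<IOptions<BffOptions>>().Value;

app.MapGet(bffOptions.LoginPath,
    async (HttpContext context, ILoggerFactory loggers, CancellationToken ct) =>
{
    var log = loggers.CreateLogger("BffLoginAudit"); // hypothetical category
    var remote = context.Connection.RemoteIpAddress;

    // Before: refuse a returnUrl that is not a local path. The raw value is
    // caller-controlled, so it is never written to the log.
    var returnUrl = context.Request.Query["returnUrl"].ToString();
    if (returnUrl.Length > 0 && !IsLocalPath(returnUrl))
    {
        log.LogWarning("BFF login refused: non-local returnUrl from {Remote}", remote);
        context.Response.StatusCode = StatusCodes.Status400BadRequest;
        return;
    }

    // Default processing, exactly as in the general pattern.
    var endpoint = context.RequestServices.GetRequiredService<ILoginEndpoint>();
    await endpoint.ProcessRequestAsync(context, ct);

    // After: record the outcome of the default processing for audit.
    log.LogInformation("BFF login processed: status {Status} for {Remote}",
        context.Response.StatusCode, remote);
});

// Hypothetical helper: accepts "/path"; rejects "//host", "/\host",
// absolute URLs, and anything containing control characters.
static bool IsLocalPath(string url) =>
    url.StartsWith('/')
    && !url.StartsWith("//", StringComparison.Ordinal)
    && !url.StartsWith("/\\", StringComparison.Ordinal)
    && !url.Any(char.IsControl);
```

The check runs independently of any validation the default endpoint performs, so it acts as defense in depth and gives the audit log a distinct event for refused requests.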