Adding support for websockets into BFF

[fox555pt]

It would be great to have out-of-the-box support for WebSockets (wss:// over HTTPS) in the Duende BFF framework. This enhancement would ensure full coverage for frontend applications that rely not only on REST APIs but also on persistent WebSocket connections to interact with backend systems.

[Erwinvandervalk]

Thanks for your comment.

Supporting websockets using the BFF currently is possible but with quite a number of caveats. It really depends on your application architecture. I'll see if we can create a sample (perhaps with a blog post) on this in the near future.

First of all, I'm assuming you're proxying web sockets to an external websocket server, such as Hot Chocolate. Here are some of the things to keep in mind.

CSRF Protection Limitations

Standard CSRF protection mechanisms in BFF rely on custom HTTP headers. However, WebSocket connections can't include arbitrary headers during the initial handshake, which makes traditional CSRF defenses ineffective.

Token Expiry Handling

Exchanging the BFF session cookie for an OAuth access token isn't a problem initially. The challenge arises when the token expires. In the BFF model, one way to handle this is to terminate the WebSocket connection, forcing the frontend to reconnect and trigger re-authentication.

Note, your backend server needs to accept oauth tokens as part of a message payload.

Cookie Expiry and Renewal

If WebSockets are the only communication channel between the frontend and backend, renewing the BFF session cookie becomes problematic. WebSocket connections can’t update cookies, so you’d need an additional mechanism—such as a periodic HTTP request—to keep the session alive or refresh the cookie. This only works if you’re using server-side sessions, as the server can prolong the session on activity.

[fox555pt]

Hi @Erwinvandervalk, thank you for your feedback and insights.
A sample and blog post on this topic would be great. I’m looking forward to seeing it in one of your upcoming updates.