{"id":2311,"date":"2025-09-23T13:15:02","date_gmt":"2025-09-23T13:15:02","guid":{"rendered":"https:\/\/www.cmarix.com\/qanda\/?p=2311"},"modified":"2026-02-05T11:59:10","modified_gmt":"2026-02-05T11:59:10","slug":"secure-micro-frontends-auth-authorization-in-angular","status":"publish","type":"post","link":"https:\/\/www.cmarix.com\/qanda\/secure-micro-frontends-auth-authorization-in-angular\/","title":{"rendered":"How do you Handle Authentication and Authorization in a Micro Frontend Architecture?"},"content":{"rendered":"\n

Handling security is one of the most critical and challenging aspects of a micro frontend architecture. The core principle of micro frontends is isolation, but authentication (AuthN – who you are) and authorization (AuthZ – what you’re allowed to do) are inherently cross-cutting concerns that must be managed centrally.<\/p>\n\n\n\n

The most robust, secure, and widely-adopted pattern is Centralized Authentication in the Shell Application. In this model, the host (or shell) application is solely responsible for the entire authentication lifecycle. The micro frontends are “dumb” in this regard; they do not manage tokens or login flows but simply consume the authentication state provided by the shell.<\/p>\n\n\n\n

Core Principles of the Centralized Model<\/h2>\n\n\n\n
    \n
  1. Single Point of Login:<\/strong> The user always authenticates through the shell application. The login form, redirection to an IdP (Identity Provider like Auth0, Okta, or Azure AD), and token reception are all handled exclusively by the shell.<\/li>\n\n\n\n
  2. Shell as Token Custodian:<\/strong> The shell securely stores the authentication token (e.g., a JSON Web Token – JWT). It is responsible for storing it (e.g., in a secure, HttpOnly cookie or browser storage) and managing its lifecycle (e.g., refresh tokens). The raw token should never be passed directly to the micro frontends.<\/strong><\/li>\n\n\n\n
  3. Authentication State, Not Tokens:<\/strong> The shell shares the state<\/em> of authentication (e.g., “user is logged in,” “user’s name is Alice,” “user has ‘admin’ role”) with the micro frontends, not the token itself.<\/li>\n\n\n\n
  4. Centralized API Interception:<\/strong> The shell intercepts all outgoing HTTP requests made from any<\/em> micro frontend. If a request is destined for a protected API, the shell attaches the authentication token before sending it. This is the most crucial piece of the puzzle.<\/li>\n\n\n\n
  5. Centralized Route Protection:<\/strong> The shell is responsible for guarding routes, including the routes that load entire micro frontends. It can prevent a user from even loading a micro frontend if they are not authenticated or authorized.<\/li>\n<\/ol>\n\n\n\n

    Practical Example: Implementing Centralized Auth<\/strong><\/p>\n\n\n\n

    Let’s build a practical solution with a shell app and a dashboard-mfe.<\/p>\n\n\n\n

    Step 1: Create the Central AuthService in the Shell<\/h3>\n\n\n\n

    This service will manage everything related to authentication.<\/p>\n\n\n\n

    \/\/ shell\/src\/app\/auth\/auth.service.ts\nimport { Injectable } from '@angular\/core';\nimport { BehaviorSubject, Observable, of } from 'rxjs';\nimport { tap } from 'rxjs\/operators';\n\nexport interface UserProfile {\n  name: string;\n  roles: string[];\n}\n\n@Injectable({\n  providedIn: 'root',\n})\nexport class AuthService {\n  \/\/ Use BehaviorSubject to hold and broadcast the current auth state\n  private isAuthenticatedSubject = new BehaviorSubject<boolean>(false);\n  public isAuthenticated$ = this.isAuthenticatedSubject.asObservable();\n\n  private userProfileSubject = new BehaviorSubject<UserProfile | null>(null);\n  public userProfile$ = this.userProfileSubject.asObservable();\n\n  constructor() {\n    \/\/ In a real app, you'd check for an existing token here\n  }\n\n  \/\/ Simulate a login\n  login(username: string, password: string): Observable<boolean> {\n    \/\/ In a real app, this would be an HttpClient call to your auth server\n    return of(true).pipe(\n      tap(() => {\n        const token = 'fake-jwt-token-from-server';\n        localStorage.setItem('authToken', token); \/\/ Use secure storage in a real app!\n\n        const user: UserProfile = {\n          name: 'Alice',\n          roles: ['admin', 'editor'],\n        };\n\n        this.isAuthenticatedSubject.next(true);\n        this.userProfileSubject.next(user);\n      })\n    );\n  }\n\n  logout(): void {\n    localStorage.removeItem('authToken');\n    this.isAuthenticatedSubject.next(false);\n    this.userProfileSubject.next(null);\n  }\n\n  getToken(): string | null {\n    return localStorage.getItem('authToken');\n  }\n}<\/code><\/pre>\n\n\n\n
    Step 2: Create a Central HttpInterceptor in the Shell<\/h3>\n\n\n\n
    This is the magic component that attaches the token to outgoing requests from anywhere<\/em> in the application, including the loaded micro frontends.<\/p>\n\n\n\n
    \/\/ shell\/src\/app\/auth\/auth.interceptor.ts\nimport { Injectable } from '@angular\/core';\nimport {\n  HttpRequest,\n  HttpHandler,\n  HttpEvent,\n  HttpInterceptor\n} from '@angular\/common\/http';\nimport { Observable } from 'rxjs';\nimport { AuthService } from '.\/auth.service';\n\n@Injectable()\nexport class AuthInterceptor implements HttpInterceptor {\n\n  constructor(private authService: AuthService) {}\n\n  intercept(request: HttpRequest<unknown>, next: HttpHandler): Observable<HttpEvent<unknown>> {\n    const token = this.authService.getToken();\n    const isApiUrl = request.url.startsWith('\/api\/'); \/\/ Only attach token to your API calls\n\n    if (token && isApiUrl) {\n      request = request.clone({\n        setHeaders: {\n          Authorization: `Bearer ${token}`\n        }\n      });\n    }\n\n    return next.handle(request);\n  }\n}<\/code><\/pre>\n\n\n\n
    Step 3: Create a Central AuthGuard in the Shell<\/h3>\n\n\n\n
    This guard will protect the route that loads our micro frontend.<\/p>\n\n\n\n
    \/\/ shell\/src\/app\/auth\/auth.guard.ts\nimport { Injectable } from '@angular\/core';\nimport { CanLoad, Router } from '@angular\/router';\nimport { Observable } from 'rxjs';\nimport { map, take } from 'rxjs\/operators';\nimport { AuthService } from '.\/auth.service';\n\n@Injectable({\n  providedIn: 'root',\n})\nexport class AuthGuard implements CanLoad {\n  constructor(private authService: AuthService, private router: Router) {}\n\n  canLoad(): Observable<boolean> {\n    return this.authService.isAuthenticated$.pipe(\n      take(1),\n      map(isAuthenticated => {\n        if (!isAuthenticated) {\n          this.router.navigate(['\/login']);\n          return false;\n        }\n        return true;\n      })\n    );\n  }\n}<\/code><\/pre>\n\n\n\n
    Step 4: Wire Everything Together in the Shell<\/h3>\n\n\n\n
    Update the shell’s app.module.ts and app-routing.module.ts.<\/p>\n\n\n\n
    \/\/ shell\/src\/app\/app.module.ts\nimport { HTTP_INTERCEPTORS, HttpClientModule } from '@angular\/common\/http';\nimport { AuthInterceptor } from '.\/auth\/auth.interceptor';\n\/\/ ...other imports\n\n@NgModule({\n  imports: [\n    BrowserModule,\n    HttpClientModule, \/\/ Ensure HttpClientModule is imported\n    \/\/ ...\n  ],\n  providers: [\n    { provide: HTTP_INTERCEPTORS, useClass: AuthInterceptor, multi: true },\n  ],\n  bootstrap: [AppComponent],\n})\nexport class AppModule {}\n\n\/\/ shell\/src\/app\/app-routing.module.ts\nimport { Routes } from '@angular\/router';\nimport { AuthGuard } from '.\/auth\/auth.guard';\nimport { LoginComponent } from '.\/login\/login.component'; \/\/ A simple login component\n\nexport const routes: Routes = [\n  { path: 'login', component: LoginComponent },\n  {\n    path: 'dashboard',\n    canLoad: [AuthGuard], \/\/ Protect this route\n    loadChildren: () =>\n      import('dashboard-mfe\/Module').then((m) => m.DashboardModule),\n  },\n  \/\/ ... other routes\n];<\/code><\/pre>\n\n\n\n
    Step 5: Sharing the Auth State with the Micro Frontend<\/h3>\n\n\n\n
    The micro frontend doesn’t need the login() method or the token. It just needs the isAuthenticated$ and userProfile$ observables. We’ll use a public, shared API for this.<\/p>\n\n\n\n
    1. Define a Shared Service Type<\/h4>\n\n\n\n
      <\/ol>\n\n\n\n
      \/\/ shell\/src\/app\/auth\/shared-auth.service.ts\nimport { Observable } from 'rxjs';\nimport { UserProfile } from '.\/auth.service';\n\nexport abstract class SharedAuthService {\n  abstract isAuthenticated$: Observable<boolean>;\n  abstract userProfile$: Observable<UserProfile | null>;\n}<\/code><\/pre>\n\n\n\n
      2. Update AuthService to Implement It<\/h4>\n\n\n\n
      \/\/ shell\/src\/app\/auth\/auth.service.ts\nimport { SharedAuthService } from '.\/shared-auth.service';\n\/\/ ...\n@Injectable({ providedIn: 'root' })\nexport class AuthService extends SharedAuthService {\n  \/\/ ... same content as before\n}<\/code><\/pre>\n\n\n\n
      3. Configure Webpack in the Shell<\/h4>\n\n\n\n
        <\/ol>\n\n\n\n
        Use @angular-architects\/module-federation’s share helper to share the running instance of the AuthService.<\/p>\n\n\n\n
        \/\/ shell\/webpack.config.js\nconst { share, withModuleFederationPlugin } = require('@angular-architects\/module-federation\/webpack');\n\nmodule.exports = withModuleFederationPlugin({\n  \/\/ ... remotes config\n\n  shared: share({\n    \/\/ ... share Angular dependencies\n\n    \/\/ Share the AuthService instance from the shell's injector\n    '@app\/auth': {\n      singleton: true,\n      strictVersion: true,\n      requiredVersion: 'auto',\n      \/\/ The key part: this tells remotes to get the instance\n      \/\/ from the shell's DI container instead of creating a new one.\n      provider: '.\/src\/app\/auth\/auth.service.ts',\n    },\n  }),\n});<\/code><\/pre>\n\n\n\n
        Step 6: Consume the Shared State in the Micro Frontend<\/h3>\n\n\n\n
        Now, the dashboard-mfe can use this shared service to tailor its UI and make API calls.<\/p>\n\n\n\n
        \/\/ dashboard-mfe\/src\/app\/dashboard\/dashboard.component.ts\nimport { Component } from '@angular\/core';\nimport { HttpClient } from '@angular\/common\/http';\nimport { Observable } from 'rxjs';\n\/\/ This import works because of the webpack config. It imports the abstract class for type safety.\nimport { SharedAuthService } from '@app\/auth';\n\n@Component({\n\u00a0 selector: 'app-dashboard',\n\u00a0 template: `\n\u00a0 \u00a0 <h2>Welcome to the Dashboard MFE<\/h2>\n\u00a0 \u00a0 <ng-container *ngIf=\"authService.isAuthenticated$ | async\">\n\u00a0 \u00a0 \u00a0 <p *ngIf=\"authService.userProfile$ | async as user\">\n\u00a0 \u00a0 \u00a0 \u00a0 Hello, {{ user.name }}!\n\u00a0 \u00a0 \u00a0 \u00a0 <!-- Fine-grained authorization inside the MFE -->\n\u00a0 \u00a0 \u00a0 \u00a0 <button *ngIf=\"user.roles.includes('admin')\" (click)=\"loadAdminData()\">\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 Load Admin Data\n\u00a0 \u00a0 \u00a0 \u00a0 <\/button>\n\u00a0 \u00a0 \u00a0 <\/p>\n\u00a0 \u00a0 \u00a0 <pre>{{ data$ | async | json }}<\/pre>\n\u00a0 \u00a0 <\/ng-container>\n\u00a0 `,\n})\nexport class DashboardComponent {\n\u00a0 data$: Observable<any> | undefined;\n\n\u00a0 \/\/ Inject the shared service using the abstract class as the token\n\u00a0 constructor(public authService: SharedAuthService, private http: HttpClient) {}\n\n\u00a0 loadAdminData() {\n\u00a0 \u00a0 \/\/ When this call is made, the shell's interceptor will AUTOMATICALLY\n\u00a0 \u00a0 \/\/ attach the 'Authorization: Bearer ...' header. The MFE is completely\n\u00a0 \u00a0 \/\/ unaware of the token.\n\u00a0 \u00a0 this.data$ = this.http.get('\/api\/admin\/data');\n\u00a0 }\n}<\/code><\/pre>\n\n\n\n
        Authorization: Fine-Grained Control<\/h2>\n\n\n\n
        The pattern extends beautifully to authorization:<\/strong><\/p>\n\n\n\n