Had a 45 minute conversation with someone from devops this week trying to convince them that I don't need an API server and Front end server since my application is just an app that outputs HTML and uses HTML forms with a maximum of about 2 simultaneous users ever. He couldn't fathom this "architecture" and I ultimately lost the battle ... I must have a front end server for static content, as they don't know how to set up just a backend. He even argued that I must ship JavaScript because oauth won't work without it. I got tired and gave in... I'll just ship a "front end" with a static redirect to the "backend" domain.
Probably because it's an "Ops" team that controls the keys and uses infrastructure as code rather than devevloper and operations combined as a mentality.
And the ops team has preconfigured systems for single page applications but not MPAs.
Yeah, basically this. Not really preconfigured though, from what I can tell (and how long it's taking) but more like they have precedent for an implementation that has passed security audits.
I was surprised myself. I think it is because my org doesn't typically need to provision servers with oauth authenticated endpoints. I think they've done it only once before and for some reason standardized the first way as the way.
I just need to ship this tiny tool very quickly (initial server request to delivery is about 5 weeks, but I didn't know they were complicating things this much until about 3 weeks after the initial request), otherwise I wouldn't just give in here.
