Correct BFF qs code for BFF v4, add warnings around SPAs without a backend. (#989)

* Correct BFF qs code for BFF v4, add warnings around SPAs without a backend.

* Update src/content/docs/identityserver/quickstarts/javascript-clients/js-without-backend.md

Co-authored-by: Maarten Balliauw <maarten.balliauw@duendesoftware.com>

---------

Co-authored-by: roland <roland@duendesoftware.com>
Co-authored-by: Maarten Balliauw <maarten.balliauw@duendesoftware.com>

Author: 3 people

src/content/docs/identityserver/quickstarts/javascript-clients/index.md

@@ -26,8 +26,8 @@ protocol interactions on the client-side, including driving user authentication
 and token requests, session and token management, and token storage. This leads
 to more complex JavaScript, cross-browser incompatibilities, and a considerably
 higher attack surface. Since this style inherently needs to store security
-sensitive artifacts (like tokens) in JavaScript reachable locations, this style
-is not recommended. **Consequently, we don't offer a quickstart for this style**.
+sensitive artifacts (like tokens) in JavaScript reachable locations, **this style
+is not recommended**. 
 
 As the ["OAuth 2.0 for Browser-Based Apps" IETF/OAuth working group BCP
 document](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps)

src/content/docs/identityserver/quickstarts/javascript-clients/js-with-backend.mdx

@@ -126,7 +126,7 @@ Add the following to `src/JavaScriptClient/Program.cs`:
             options.GetClaimsFromUserInfoEndpoint = true;
             options.MapInboundClaims = false;
         }
-        .ConfigureCookies()
+        .ConfigureCookies(options => options.Cookie.SameSite = SameSiteMode.Strict)
         .AddRemoteApis();
 
     var app = builder.Build();
@@ -464,7 +464,7 @@ API in the ASP.NET Core routing system. Add the code below to the endpoint confi
       .AsBffApiEndpoint();
 
   app.MapRemoteBffApiEndpoint("/remote", new Uri("https://localhost:6001"))
-      .WithAccessToken(Duende.Bff.AccessTokenManagement.RequiredTokenType.User);
+      .WithAccessToken(RequiredTokenType.User);
 ```
 
 The call to the `AsBffApiEndpoint()` fluent helper method adds BFF support to

src/content/docs/identityserver/quickstarts/javascript-clients/js-without-backend.md

@@ -26,9 +26,9 @@ Connect/OAuth protocol interactions occur from the JavaScript code running in
 the browser. Also, invoking the API will be performed directly from the
 JavaScript in the browser.
 
-This design adds complexity (and thus security concerns) to your application, so
-consider if the ["BFF" pattern](/identityserver/quickstarts/javascript-clients/js-with-backend.mdx) might be a better
-choice.
+**This design has security concerns. It is no longer recommended.** See [overview](index.md) 
+for details.
+The current best practice uses the [BFF pattern](js-with-backend.mdx).
 
 In this quickstart the user will log in to IdentityServer, invoke an API with an
 access token issued by IdentityServer, and logout of IdentityServer. All of this
@@ -37,7 +37,7 @@ will be driven from the JavaScript running in the browser.
 ## New Project For The JavaScript Client
 
 Create a new project for the JavaScript application. Beyond being able to serve
-your application's html and javascript, there are no requirements on the
+your application's HTML and javascript, there are no requirements on the
 backend. You could use anything from an empty ASP.NET Core application to a
 Node.js application. This quickstart will use an ASP.NET Core application.