Sheet 03 · Identity

Authenticate

Identity is brokered server-side. The browser only holds an opaque, httpOnly session cookie — tokens never touch JavaScript.

flow · Authorization Code + PKCE · server-side BFF
Operator · sign-in

Checking session…

Spec · OIDC BFF

Server-side wiring

1
Issuer
Configured via OIDC_ISSUER (server env)
2
Client
Confidential client · OIDC_CLIENT_ID / OIDC_CLIENT_SECRET
3
Redirect URI
/api/auth/callback (server route)
4
Session
httpOnly · encrypted · SameSite=Lax · 7d
5
Gate
Request middleware redirects unauth HTML to /api/auth/login
Title
Identity · OIDC BFF · rev B
Sheet
03 / 04
Rev
B
Scale
1:1