Sheet 03 · Identity
Authenticate
Identity is brokered server-side. The browser only holds an opaque, httpOnly session cookie — tokens never touch JavaScript.
flow · Authorization Code + PKCE · server-side BFF
Operator · sign-in
Checking session…
Spec · OIDC BFF
Server-side wiring
1
Issuer
Configured via OIDC_ISSUER (server env)
2
Client
Confidential client · OIDC_CLIENT_ID / OIDC_CLIENT_SECRET
3
Redirect URI
/api/auth/callback (server route)
4
Session
httpOnly · encrypted · SameSite=Lax · 7d
5
Gate
Request middleware redirects unauth HTML to /api/auth/login
Title
Identity · OIDC BFF · rev B
Sheet
03 / 04
Rev
B
Scale
1:1