Can someone look into my login flow for email + password?
The docs kinda explain that we need to do the finalize OIDC exchange steps at the frontend, but Claude said I can do that at the backend too. Is this secure, performant and good?
Email/Password Login Flow (Server-Side Token Exchange)
Frontend
POST /_internal/auth/login with { email, password, redirectUri }
Receives { access_token, id_token, refresh_token }
Stores tokens in oidc-client-ts UserManager → navigates to app
GET /v1/auth/me with Bearer token
Backend (LoginUser controller → ExchangeSessionForTokens)
Step 1: CreateSession (gRPC)
→ sessionSvc.CreateSession({ loginName, password })
→ sessionId, sessionToken
Step 2: Get authRequest ID (HTTP, no-redirect)
ā GET {issuer}/oauth/v2/authorize?client_id=X&redirect_uri=Y&response_type=code&code_challenge=Z&code_challenge_method=S256&prompt=login
→ 302 Location: .../auth/login?authRequest={ID}
→ parse authRequest ID from Location header
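Added example, not code from the post above and not Zitadel's own code: a Go version of step 2 (the no-redirect GET to /oauth/v2/authorize and the authRequest ID parse) with the two checks a backend doing this server-side should have. The PKCE code_verifier is generated and kept on the server (only the S256 challenge goes into the URL), the HTTP client never follows the 302, and the Location header is resolved against the request URL and rejected if it points anywhere but the issuer's origin, so a misconfigured or hostile redirect cannot hand back an ID from somewhere else. The function names, the client id and redirect URI values, and the httptest stand-in that mimics the issuer's 302 are all assumptions for the example; only the authorize path, parameters and the Location shape come from the post.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// NewPKCE returns a code_verifier (kept server-side for the later token exchange)
// and its S256 code_challenge, the only half that goes into the authorize URL.
func NewPKCE() (verifier, challenge string, err error) {
	raw := make([]byte, 32)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	verifier = base64.RawURLEncoding.EncodeToString(raw)
	sum := sha256.Sum256([]byte(verifier))
	return verifier, base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// BuildAuthorizeURL assembles the authorize request from step 2 of the post.
func BuildAuthorizeURL(issuer, clientID, redirectURI, challenge string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("response_type", "code")
	q.Set("code_challenge", challenge)
	q.Set("code_challenge_method", "S256")
	q.Set("prompt", "login")
	return issuer + "/oauth/v2/authorize?" + q.Encode()
}

// NoRedirectClient hands the 302 back to the caller instead of following it.
func NoRedirectClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// AuthRequestIDFromLocation resolves a (possibly relative) Location header against
// the request URL, refuses a redirect that leaves the issuer's origin, and
// extracts the authRequest query parameter.
func AuthRequestIDFromLocation(issuer, requestURL, location string) (string, error) {
	iss, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	base, err := url.Parse(requestURL)
	if err != nil {
		return "", err
	}
	loc, err := url.Parse(location)
	if err != nil {
		return "", err
	}
	abs := base.ResolveReference(loc)
	if abs.Scheme != iss.Scheme || abs.Host != iss.Host {
		return "", fmt.Errorf("redirect left issuer origin: %s", abs.String())
	}
	id := abs.Query().Get("authRequest")
	if id == "" {
		return "", fmt.Errorf("no authRequest in Location: %s", abs.String())
	}
	return id, nil
}

// FetchAuthRequestID performs step 2: GET the authorize URL, expect a redirect, parse the ID.
func FetchAuthRequestID(client *http.Client, issuer, authorizeURL string) (string, error) {
	resp, err := client.Get(authorizeURL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusFound && resp.StatusCode != http.StatusSeeOther {
		return "", fmt.Errorf("expected redirect, got HTTP %d", resp.StatusCode)
	}
	return AuthRequestIDFromLocation(issuer, authorizeURL, resp.Header.Get("Location"))
}

// NewFakeIssuer is a constructed stand-in for the real issuer (assumption, not Zitadel):
// it answers /oauth/v2/authorize with the 302 shape quoted in the post and
// rejects requests that carry no S256 PKCE challenge.
func NewFakeIssuer(authRequestID string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/oauth/v2/authorize", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		if q.Get("code_challenge_method") != "S256" || q.Get("code_challenge") == "" {
			http.Error(w, "code_challenge required", http.StatusBadRequest)
			return
		}
		http.Redirect(w, r, "/auth/login?authRequest="+url.QueryEscape(authRequestID), http.StatusFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeIssuer("V2_example-id")
	defer srv.Close()
	verifier, challenge, err := NewPKCE()
	if err != nil {
		panic(err)
	}
	authorizeURL := BuildAuthorizeURL(srv.URL, "my-client", "https://app.example/callback", challenge)
	id, err := FetchAuthRequestID(NoRedirectClient(), srv.URL, authorizeURL)
	if err != nil {
		panic(err)
	}
	fmt.Println("authRequest:", id, "| verifier kept server-side, length", len(verifier))
}
```

The verifier returned by NewPKCE has to be stored against the session that later calls the token endpoint; if it is ever sent to the frontend the PKCE protection of the server-side flow is gone, which is the point of doing the exchange on the backend in the first place.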