What we have:
- Frontend does PKCE code exchange directly with Zitadel
- Tokens land in sessionStorage (JS-accessible → XSS can steal them)
- Frontend sends Authorization: Bearer header
- Token refresh is client-side
- Idle detection is a client-side hack

What BFF pattern gives:
- Backend does code exchange → tokens never touch browser
- Backend stores tokens in Valkey → session ID in httpOnly cookie
- Frontend sends cookie automatically (no JS involvement)
- Token refresh server-side → no automaticSilentRenew needed
- Session sliding is a backend concern → heartbeat endpoint
- XSS can't steal tokens (httpOnly = invisible to JS)
I let Claude audit my current flow and that's what I got. Should I change to the backend-for-frontend flow? Currently I have the PKCE code exchange through my backend with rate limiting etc., but Claude says that's not that good... Any opinion on that?
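The BFF shape the audit describes, as an added example that is not part of the original post and not Zitadel's or any SDK's code: the backend finishes the PKCE exchange, keeps the token set server-side keyed by an opaque session ID, hands the browser only an HttpOnly cookie, refreshes the access token server-side, and enforces sliding expiry through a heartbeat endpoint. The in-memory `SessionStore` stands in for Valkey, and the `exchange_code` / `refresh` callables stand in for calls to the IdP token endpoint; all of those, the timeouts and the endpoint names are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

SESSION_COOKIE = "bff_session"
IDLE_TIMEOUT = 15 * 60        # sliding window, extended by any request or heartbeat (assumed value)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity (assumed value)
REFRESH_SKEW = 30             # refresh the access token this many seconds before it expires


@dataclass
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float          # unix time at which access_token expires


@dataclass
class Session:
    tokens: TokenSet
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory stand-in for Valkey (constructed for this example).
    Keyed by an opaque, high-entropy session ID; the tokens never leave the backend."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._sessions: dict[str, Session] = {}
        self._now = now

    def now(self) -> float:
        return self._now()

    def create(self, tokens: TokenSet) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits of entropy; nothing derivable from it
        t = self._now()
        self._sessions[sid] = Session(tokens, t, t)
        return sid

    def touch(self, sid: str) -> Optional[Session]:
        """Sliding-expiry lookup: returns the session and bumps last_seen, or evicts it
        and returns None once the idle window or the absolute lifetime has passed."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        t = self._now()
        if t - s.last_seen > IDLE_TIMEOUT or t - s.created_at > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = t
        return s

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    # HttpOnly keeps the ID out of document.cookie (XSS cannot read it);
    # Secure and SameSite=Lax limit where the browser will send it.
    return (f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; "
            f"SameSite=Lax; Max-Age={IDLE_TIMEOUT}")


def cookie_value(cookie_header: str, name: str = SESSION_COOKIE) -> Optional[str]:
    """Pull one cookie out of a Cookie (or Set-Cookie) header value."""
    for part in cookie_header.split(";"):
        k, _, v = part.strip().partition("=")
        if k == name:
            return v
    return None


class Bff:
    """The three backend responsibilities of the pattern. exchange_code and refresh are
    hypothetical callables that would talk to the IdP token endpoint."""

    def __init__(self, store: SessionStore,
                 exchange_code: Callable[[str, str], TokenSet],
                 refresh: Callable[[str], TokenSet]):
        self.store, self._exchange, self._refresh = store, exchange_code, refresh

    def callback(self, code: str, code_verifier: str) -> dict:
        """/auth/callback: the backend finishes PKCE; the browser only gets a cookie."""
        tokens = self._exchange(code, code_verifier)
        sid = self.store.create(tokens)
        return {"status": 302, "headers": {"Set-Cookie": session_cookie(sid), "Location": "/"}}

    def upstream_headers(self, cookie_header: str) -> Optional[dict]:
        """For the API proxy route: cookie -> session -> bearer header for the upstream call,
        refreshing server-side when the access token is expired or about to be. None means 401."""
        sid = cookie_value(cookie_header or "")
        s = self.store.touch(sid) if sid else None
        if s is None:
            return None
        if self.store.now() >= s.tokens.expires_at - REFRESH_SKEW:
            s.tokens = self._refresh(s.tokens.refresh_token)
        return {"Authorization": f"Bearer {s.tokens.access_token}"}

    def heartbeat(self, cookie_header: str) -> bool:
        """/auth/heartbeat: an active tab pings this so the session keeps sliding."""
        sid = cookie_value(cookie_header or "")
        return bool(sid and self.store.touch(sid))
```

The frontend in this model never sees an access or refresh token: the redirect after `callback` carries only the `Set-Cookie`, every API call goes through the proxy route that maps the cookie to a bearer header, and idle logout is the store evicting the session rather than a timer in the browser.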