identity_gateway : A lightweight Identity Gateway that centrally handles login callbacks from any selected IdP (Keycloak, Auth0, etc.) and emits user login events to downstream microservices.
- Handles login callbacks from any OIDC-compliant IdP (e.g. Keycloak, Auth0)
- Exposes a /me endpoint with standard claims info (user_id, roles, tenant_id, etc.)
- Emits user login events with standard claims info?
- Frontend (https://ui.app2.com/login) redirects to Keycloak/Auth0 to log in (https://idp.app0.com)
- Once logged in, the IdP redirects to identity_gateway/gateway/callback (https://idpgateway.app1.com)
- identity_gateway
  - Exchanges code for tokens
  - Verifies token
  - Extracts normalized claims
  - Emits event with standard identity claims
  - Sets refresh token cookie
  - Redirects to frontend (https://ui.app2.com/ready)
- Frontend (https://ui.app2.com/ready) immediately fetches an access token via
    // The refresh token travels only as a cookie, so credentials: "include" is required
    const response = await fetch("https://idpgateway.app1.com/refresh", {
      method: "POST",
      credentials: "include"
    });
    if (response.ok) {
      const { access_token } = await response.json();
      storeInMemory(access_token);
    } else {
      // ...
    }
- Identity gateway replies with { access_token: "...", sub: "...", token_type: "..." }
- Frontend stores access token in memory or localStorage?
- Any context (e.g. https://order.app3.com) calls /me on demand to get standard identity claims like
    { "sub": "abc123", "email": "abc@email.com", "tenant_id": "tenant-abc", "roles": ["customer"] }
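The "Verifies token" and "Extracts normalized claims" steps, the refresh token cookie, and the /me claim shape above, as an added JavaScript example that is not the project's own code. The issuer, audience and Auth0 claim namespace are assumptions, and JWT signature verification is assumed to happen first in a JOSE library.

```javascript
// Added example (not the project's code): the claim checks and normalisation
// the gateway does between "Verifies token" and "Emits event", plus the
// Set-Cookie header for the refresh token. Signature verification is assumed
// to be done first by a JOSE library against the IdP's JWKS; this validates
// the already-decoded payload. Issuer/audience values below are assumptions.
const GATEWAY = { issuer: "https://idp.app0.com", audience: "identity_gateway" };

// Reject a decoded token whose iss/aud/exp do not fit this deployment.
function verifyClaims(claims, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  if (claims.iss !== issuer) return { ok: false, reason: "issuer mismatch" };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: "audience mismatch" };
  if (typeof claims.exp !== "number" || claims.exp <= now) return { ok: false, reason: "token expired" };
  return { ok: true };
}

// Map IdP-specific layouts onto the shape /me returns. Keycloak carries realm
// roles in realm_access.roles; Auth0 custom claims are namespaced URIs (the
// namespace here is an assumption for the example).
const AUTH0_NS = "https://idpgateway.app1.com/";
function normalizeClaims(claims) {
  const roles = claims.realm_access?.roles ?? claims[`${AUTH0_NS}roles`] ?? claims.roles ?? [];
  const tenant_id = claims.tenant_id ?? claims[`${AUTH0_NS}tenant_id`] ?? null;
  return { sub: claims.sub, email: claims.email ?? null, tenant_id, roles: Array.isArray(roles) ? [...roles] : [roles] };
}

// Set-Cookie value for the refresh token. ui.app2.com and idpgateway.app1.com are
// different sites, so fetch(..., { credentials: "include" }) only sends the cookie
// when it is SameSite=None; Secure. HttpOnly keeps it out of reach of page scripts
// and Path restricts it to the refresh endpoint.
function refreshCookie(token, maxAgeSeconds = 30 * 24 * 3600) {
  return `refresh_token=${encodeURIComponent(token)}; Path=/refresh; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=None`;
}

// Constructed sample payloads, one in Keycloak shape and one in Auth0 shape.
const keycloakClaims = {
  iss: GATEWAY.issuer, aud: "identity_gateway", exp: 4102444800, sub: "abc123",
  email: "abc@email.com", tenant_id: "tenant-abc", realm_access: { roles: ["customer"] },
};
const auth0Claims = {
  iss: GATEWAY.issuer, aud: ["identity_gateway", "other"], exp: 4102444800, sub: "auth0|1",
  email: "abc@email.com", [`${AUTH0_NS}tenant_id`]: "tenant-abc", [`${AUTH0_NS}roles`]: ["customer"],
};

// Run stand-alone to see the checks and the normalised output for both samples.
for (const c of [keycloakClaims, auth0Claims]) console.log(verifyClaims(c, GATEWAY), normalizeClaims(c));
console.log(refreshCookie("opaque-refresh-token"));
```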