generated from eblume/project-template
Erich Blume
a0be0f1085
Document the PKCE 'Login with Authentik' flow, the hub /config zero-config discovery, and the redirect-URI prerequisite on the Authentik heph provider. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
554 B
554 B
heph-pwa: added a Login with Authentik button — a proper browser OIDC sign-in (Authorization Code + PKCE) that replaces the manual bearer-token paste. The hub exposes an unauthenticated GET /config ({issuer, client_id}) so the app is zero-config when served from the hub; the PWA discovers the IdP endpoints, runs the PKCE redirect, exchanges the code for a token, and silently refreshes it (offline_access). The manual token field remains as a fallback. Requires the PWA origin registered as a redirect URI on the Authentik heph provider.