You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/auth-flows/README.md
-32Lines changed: 0 additions & 32 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -73,35 +73,3 @@ All Auth0 Management API calls are abstracted through the Auth Service, which co
73
73
3.**Email Verification**: Flow E validates the email in `id_token_pwdless` matches the requested email before linking
74
74
4.**Token Scoping**: Each access token is scoped to specific audiences and permissions
75
75
5.**Abstraction Layer**: Management API calls go through Auth Service, not directly from client
76
-
77
-
## Architecture Changes (December 2025)
78
-
79
-
### Consolidation to Regular Web Clients
80
-
81
-
Based on the PoC implementation in `poc/2025-12-Express-Two-Audiences`, the authentication architecture has been updated to remove the SPA client and consolidate to regular web applications:
82
-
83
-
**Previous Architecture:**
84
-
- LFX One Client (Regular Web) - Main login
85
-
- LFX One Profile Client (SPA) - Management API access and social linking
86
-
- LFX One Passwordless Client (Regular Web) - Email verification
87
-
88
-
**Updated Architecture:**
89
-
- LFX One Client (Regular Web) - Main login for LFX v2 API access
90
-
- LFX One Profile Client (Regular Web) - All Management API operations, social linking, and passwordless flows
91
-
92
-
### Dual Authentication Pattern
93
-
94
-
The new architecture implements a dual authentication pattern:
95
-
96
-
1.**Primary Authentication**: Users first authenticate with the LFX One Client to establish their session and get LFX v2 API access
97
-
2.**Secondary Authentication**: When Management API access is needed, users authenticate again with the LFX One Management Client to get audience-specific tokens
98
-
99
-
This pattern provides better security isolation and allows for different scopes and permissions for different purposes while maintaining a unified user experience.
100
-
101
-
### Benefits
102
-
103
-
-**Simplified Architecture**: Fewer clients to manage and configure
104
-
-**Better Security**: Clear separation between different token audiences
105
-
-**Consistent UX**: All flows use server-side redirects instead of mixed SPA/popup patterns
106
-
-**Easier Deployment**: No client-side secret management or CORS concerns
0 commit comments