Aladaia — Admin SPA
Validates the OIDC code+PKCE flow against the
aladaia-admin-web client and checks for
/aladaia-staff group membership.
Initializing…
Identity
preferred_username—
email—
tenant_id—
groups—
iss—
aud—
sub—
exp—
Access token (parsed)
…
Access token (raw — copy into jwt.io to verify the signature)
…
Call api.aladaia.localhost (slice 3a — through Traefik + forward-auth)
Sends GET https://api.aladaia.localhost/whoami with the admin SPA's bearer JWT.
Staff users carry no tenant_id, so forward-auth returns no X-Auth-Backend
(a real admin endpoint would route differently — slice 5+).
…