XPlatform Auth — Test Console

Development

ℹ️ BFF Auth Flow (server-managed session)

  1. Click Sign In with Entra — browser navigates to GET /auth/login
  2. Auth service redirects browser to Entra External ID /authorize
  3. User authenticates on Entra — Entra redirects back to GET /auth/callback
  4. Auth service exchanges code server-side, sets an HttpOnly Secure cookie
  5. Browser lands on / — this page calls GET /auth/me using the cookie
  6. No tokens are ever stored or sent from JavaScript
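
A check a test suite could run against the response headers from step 4, shown as an added example that is not part of the original page or the service's own code. It confirms the session cookie carries HttpOnly, Secure and SameSite, and that no token is passed in the redirect URL; the cookie name `session`, the function names and the sample headers are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

TOKEN_PARAMS = {"access_token", "id_token", "refresh_token"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute names are lowercased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, _value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def audit_callback(headers, cookie_name="session"):
    """Return findings for a callback response given as (name, value) header tuples.
    cookie_name is an assumed name; the page does not state it."""
    findings = []
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    session = [attrs for name, attrs in cookies if name == cookie_name]
    if not session:
        findings.append("no session cookie set")
    for attrs in session:
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly")
        if "secure" not in attrs:
            findings.append("session cookie missing Secure")
        # The page states Lax; Strict is accepted here as the tighter setting.
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("session cookie SameSite is not Lax or Strict")
    for k, v in headers:
        if k.lower() == "location":
            url = urlsplit(v)
            seen = set(parse_qs(url.query)) | set(parse_qs(url.fragment))
            for p in sorted(seen & TOKEN_PARAMS):
                findings.append(f"token parameter '{p}' in redirect URL")
    return findings

# Constructed sample responses, not captured from the real service.
GOOD_RESPONSE = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Location", "/"),
]
BAD_RESPONSE = [
    ("Set-Cookie", "session=abc123; Path=/; SameSite=None"),
    ("Location", "/#access_token=xyz"),
]
```
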
Authentication Status

Not signed in. Session is managed server-side via an HttpOnly Secure SameSite=Lax cookie.

🔐 Sign In with Entra

API Endpoints

  GET   /health
  GET   /auth/me 🍪
  GET   /api/me 🔑
  POST  /auth/token 🍪→🎫
  GET   /.well-known/jwks.json 🔓

🍪 = Cookie session (BFF)
🔑 = Bearer token (service-to-service)
🍪→🎫 = Session cookie exchanged for a first-party JWT (Model 2)
🔓 = Public JWKS — no auth required
API Base: http://localhost:5000