Auth right now does not properly prevent access.
Authentication uses a redirect flow: the app sends the user to the auth server, which returns with an authorization code that still has to be exchanged for a token. The Role Guard assumes a token already exists, so deep-linking to a protected page fails: the guard denies access before the code -> token exchange has had a chance to run.
Longer term, authorization should probably be delegated to Cerbos or a similar policy engine, with a more capable authentication service in front of it.
For the shorter term, I propose requiring login on all pages and removing the role guard. That way every page is protected from unauthenticated access, we eliminate the in-between page with a forced manual login, and the code -> token exchange can complete before any access decision is made. The trade-off is that role-based differentiation between authenticated users goes away until the longer-term solution lands.
It also leaves a straightforward path to reintroduce finer-grained access control later.
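The ordering problem and the proposed fix, as an added example rather than code from this project: a guard that only checks for a token denies the callback URL before the exchange, while a login-required guard first verifies the OAuth2 `state` value, exchanges the code, strips the callback parameters, and only then decides. The route names, the `exchangeCode` stand-in for the token endpoint, and the `https://auth.example` URL are all assumptions; a real client would POST to the auth server's token endpoint with its PKCE verifier.

```javascript
// Added example, not the project's code. Models a route guard in front of an
// OAuth2 authorization-code redirect flow. Route names, the token exchange and
// the auth server URL are constructed for illustration.

const PROTECTED_ROUTES = new Set(["/admin", "/reports"]);
const APP_ORIGIN = "https://app.example"; // assumed
const AUTH_SERVER = "https://auth.example"; // assumed

// Constructed stand-in for the token endpoint: exchanges a single-use code for
// a token. `validCodes` plays the role of the auth server's issued-code store.
function exchangeCode(code, validCodes) {
  if (!validCodes.has(code)) throw new Error("invalid_grant");
  validCodes.delete(code); // authorization codes are single-use
  return { accessToken: `tok-${code}` };
}

// Current behaviour described in the issue: the role guard only looks for an
// existing token, so the return URL /admin?code=...&state=... is denied before
// the code can be exchanged.
function roleGuardOnly(session, url) {
  const { pathname } = new URL(url, APP_ORIGIN);
  if (!PROTECTED_ROUTES.has(pathname)) return { allow: true };
  if (!session.accessToken) return { allow: false, reason: "no token" };
  return { allow: true };
}

// Proposed short-term behaviour: login is required everywhere. If the request
// carries callback parameters and we hold no token yet, check `state` against
// the value stored when the login was started (CSRF protection for the
// callback), complete the exchange, and strip the one-time parameters from the
// URL. Only when no token can be obtained do we redirect to the auth server.
function loginRequired(session, url, validCodes) {
  const u = new URL(url, APP_ORIGIN);
  const code = u.searchParams.get("code");
  const state = u.searchParams.get("state");

  if (!session.accessToken && code) {
    if (!session.pendingState || state !== session.pendingState) {
      // Do not call the token endpoint with a code we did not ask for.
      return { allow: false, reason: "state mismatch" };
    }
    session.accessToken = exchangeCode(code, validCodes).accessToken;
    delete session.pendingState; // state is also single-use
    u.searchParams.delete("code");
    u.searchParams.delete("state");
  }

  if (!session.accessToken) {
    const returnTo = encodeURIComponent(u.pathname + u.search);
    return {
      allow: false,
      redirect: `${AUTH_SERVER}/authorize?redirect_uri=${returnTo}`,
    };
  }
  return { allow: true, url: u.pathname + u.search };
}

// Usage: the guard returns a decision object rather than performing the
// redirect itself, so the router can act on `allow`, `redirect` and `url`.
```

The `state` check is what keeps "exchange before deciding" from becoming a way to inject an attacker-chosen code into a victim's session; a guard that exchanges any code it sees on the URL has the same ordering bug fixed but a new problem introduced.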