Hi all, I’m creating a website that interfaces with our existing backend APIs for an application. I would love to use Hilla for it, but as I’ve been researching it I’m seeing a hurdle with authentication that I can’t tell if I can jump or not.
Some Context
Our application is a set of microservices that sit behind a gateway. Every request to a service (other than the auth service) will be authenticated by validating a JWT supplied via either the Authorization header or a cookie.
The auth service has traditional username and password but also has support for signing in with Azure AD.
My plan for the auth flow with the Hilla app is the following:
- user supplies username and presses sign in with SSO button
- Hilla endpoint makes a call to the auth service
- auth service responds with a redirect to the correct AD URL (we are using accounts across multiple tenants, which is why the auth service needs to supply the SSO link)
- user signs in and AD calls the auth service’s callback endpoint
- auth service creates a JWT and returns a redirect back to the Hilla app with the cookie attached
My main concern, which I couldn’t really find an answer to online, is: once the JWT is stored as a cookie, how can I access it from the Hilla endpoints? It’s the endpoints that will be making calls to the other services, so they need to supply this cookie with every request.
Additionally, if you see anything wrong with this plan I’d welcome feedback on how to improve it.
Thanks
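As an added illustration (not code from the original post, and not Hilla's or Vaadin's own sample code) of the step the question is about: a Hilla endpoint runs server-side inside the Spring request thread, so it can read the JWT cookie from the current HttpServletRequest and forward it as a bearer token to the downstream service. The cookie name `auth_token`, the downstream base URL `http://orders-service.internal`, the `/orders` path and the `OrdersEndpoint` class are assumptions for the example; the `@Endpoint` package is `com.vaadin.hilla` in Hilla 24.4+ and `dev.hilla` in older releases.

```java
// Added example, not from the original post or from the Hilla project.
// Assumptions: JWT cookie named "auth_token", downstream service at
// http://orders-service.internal exposing GET /orders, Spring 6.1+ RestClient.
import com.vaadin.flow.server.auth.AnonymousAllowed;
import com.vaadin.hilla.Endpoint;
import jakarta.servlet.http.Cookie;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpHeaders;
import org.springframework.web.client.RestClient;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.util.WebUtils;

@Endpoint
@AnonymousAllowed // Hilla's own access check only knows Spring Security principals;
                  // the JWT is checked explicitly below and again by the downstream service
public class OrdersEndpoint {

    private static final String AUTH_COOKIE = "auth_token"; // assumed cookie name

    private final RestClient client =
            RestClient.create("http://orders-service.internal"); // assumed base URL

    // Called from the TypeScript client; the browser sends the cookie automatically.
    public String listOrders() {
        String jwt = currentJwt();
        if (jwt == null || jwt.isBlank()) {
            // Fail closed: never call downstream services without a token.
            throw new IllegalStateException("not authenticated");
        }
        // Forward the token as a bearer header rather than replaying the cookie,
        // so the downstream service does not depend on the browser's cookie domain.
        return client.get()
                .uri("/orders")
                .header(HttpHeaders.AUTHORIZATION, "Bearer " + jwt)
                .retrieve()
                .body(String.class);
    }

    // Reads the JWT cookie from the request that invoked this endpoint.
    private static String currentJwt() {
        ServletRequestAttributes attrs =
                (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attrs == null) {
            return null; // not running inside an HTTP request
        }
        HttpServletRequest request = attrs.getRequest();
        Cookie cookie = WebUtils.getCookie(request, AUTH_COOKIE);
        return cookie == null ? null : cookie.getValue();
    }
}
```

Two things to check when wiring this up: the auth service's final redirect must set the cookie for the Hilla app's own host (with `HttpOnly`, `Secure` and a `SameSite` value), otherwise the browser will not send it to the endpoint; and if you want `@PermitAll`/`@RolesAllowed` on endpoints to work, add a Spring Security filter that validates the JWT and populates the `SecurityContext`, since Hilla's access checks do not inspect cookies themselves.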