AuthGeek Demo
Demo 3 — Gateway + Identity Provider

Every User Starts
as a Machine

Anonymous visitors aren't ungated — they're machine-credentialed. Walk through the full progressive identity journey: from your first anonymous request to a fully correlated OIDC session. Watch the gateway handle every transition.

APISIX Keycloak OAuth2 client_credentials PKCE + OIDC OPA

This is not a "token merge." OAuth2 doesn't have that concept. What you're watching is a correlation event — the gateway threads a signed session_id through the OIDC redirect, then links it to your user_sub on callback. The machine credential and the user credential are separate — and that's the honest story.

Current State

You just arrived

Browser → APISIX

No cookie, no token. The gateway sees an unauthenticated visitor hitting /register.

Step
1/8

Read the deep dive

Why this pattern exists, how the security constraints work, and why the gateway is the right layer for it.

Read: "Every User Starts as a Machine"