feat: SSR compatibility PoC for journey-client and oidc-client

[ryanbas21]

Summary

This is a complete proof of concept — not finished work. It demonstrates the changes needed to make journey-client and oidc-client work in server-side rendering environments (SvelteKit, Next.js, etc.).

Problem

• @forgerock/storage eagerly references sessionStorage/localStorage globals, crashing on import in Node.js
• createAuthorizeUrl couples PKCE generation with sessionStorage, preventing server-side authorize URL creation
• window.location.assign() in redirect() has no server guard

Changes

Storage (@forgerock/storage)

• Replace eager browser global references with lazy globalThis access via getBrowserStorage()
• SSR callers use existing type: 'custom' with a no-op adapter — no new types needed

Journey Client (@forgerock/journey-client)

• Add optional storage config to JourneyClientConfig (defaults to sessionStorage)
• Guard redirect() with typeof window check
• Export createJourneyObject for client-side step reconstitution after SSR

OIDC / PKCE (@forgerock/sdk-oidc, @forgerock/oidc-client)

• Decouple PKCE generation from storage — createAuthorizeUrl now returns { url, verifier, state } instead of writing to sessionStorage
• Callers persist PKCE values however they choose (cookies, server session, etc.)
• token.exchange() accepts optional pkceValues parameter to skip sessionStorage lookup
• Browser background flow still uses sessionStorage internally (unchanged behavior)

SvelteKit PoC (e2e/svelte-app)

• Demonstrates full end-to-end flow against the AM mock API:
  1. Server-side journey start() → SSR-rendered login form
  2. Client-side credential submission via next()
  3. Server-side PKCE authorize URL generation with cookie-based verifier persistence
  4. Server-side token exchange → tokens received

Test plan

• nx run storage:test — 21 tests pass
• nx run journey-client:test — 193 tests pass
• nx run sdk-oidc:test — 26 tests pass
• nx run oidc-client:test — 21 tests pass
• nx run davinci-client:test — 226 tests pass
• SvelteKit PoC: start am-mock-api:serve + vite dev in e2e/svelte-app, verify SSR rendering and token exchange

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3088dc6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4fe3fd10-77ba-44df-abce-ebfee8d1d9bc

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ssr-jc

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}