1. POST credentials: The login form POSTs to a server action. The server verifies credentials and signs two JWTs: a short-lived ID token (5 min) and a long-lived refresh token (7 days).
2. Tokens in URL redirect: The server redirects to your destination with ?id_token=…&refresh_token=… in the query string. This mimics a hosted IdP callback.
3. Middleware ingestion: Next.js middleware intercepts the redirect, verifies both tokens, sets them as httpOnly cookies, strips the token params from the URL, and then completes the redirect, so the tokens never land in browser history.
4. Proactive refresh: On every request, the middleware checks the ID token expiry. If < 60s remain, it silently issues a new ID token using the refresh token — no round-trip required.