merge(thalos-bff): integrate thalos-bff-edge-hardening

2026-02-25 14:42:02 -06:00 · 2026-02-25 14:42:02 -06:00 · 5f4189da8e
commit 5f4189da8e
parent 9012d28b38 cc221eab1a
24 changed files with 426 additions and 36 deletions
--- a/docs/architecture/bff-identity-boundary.md
+++ b/docs/architecture/bff-identity-boundary.md
@ -0,0 +1,16 @@
+# Thalos BFF Identity Boundary
+
+## Purpose
+Keep thalos-bff as an edge adapter layer that consumes thalos-service and adopted identity capability contracts.
+
+## BFF Responsibilities
+- Edge contract handling
+- Service client adaptation
+- Correlation/tracing propagation
+- Single active edge protocol policy enforcement (`rest`)
+- Provider metadata propagation (`InternalJwt`, `AzureAd`, `Google`)
+
+## Prohibited
+- Direct DAL access
+- Identity policy decision ownership
+- Identity persistence concerns
--- a/docs/migration/building-block-identity-adoption-plan.md
+++ b/docs/migration/building-block-identity-adoption-plan.md
@ -0,0 +1,13 @@
+# Building Block Identity Adoption Plan
+
+## Goal
+Align BFF contract usage with building-block-identity contract surface without changing behavior.
+
+## Steps
+1. Map current BFF identity contract types to capability contract types.
+2. Keep compatibility bridge active during migration window.
+3. Validate edge payload behavior and service compatibility.
+
+## Guardrails
+- BFF remains service-facing.
+- No identity decision logic moves into BFF.
--- a/docs/migration/edge-compatibility-checks.md
+++ b/docs/migration/edge-compatibility-checks.md
@ -0,0 +1,6 @@
+# Edge Compatibility Checks
+
+## Checks
+- Existing edge request/response behavior remains stable.
+- Correlation and trace metadata pass-through remains stable.
+- Service contract compatibility is preserved after identity contract adoption.
--- a/src/Thalos.Bff.Application/Adapters/IIdentityEdgeContractAdapter.cs
+++ b/src/Thalos.Bff.Application/Adapters/IIdentityEdgeContractAdapter.cs
@ -1,6 +1,6 @@
-using Thalos.Bff.Application.Contracts;
 using Thalos.Bff.Contracts.Api;
-using Thalos.Service.Identity.Abstractions.Contracts;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;

 namespace Thalos.Bff.Application.Adapters;

--- a/src/Thalos.Bff.Application/Adapters/IThalosServiceClient.cs
+++ b/src/Thalos.Bff.Application/Adapters/IThalosServiceClient.cs
@ -1,5 +1,5 @@
-using Thalos.Bff.Application.Contracts;
-using Thalos.Service.Identity.Abstractions.Contracts;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;

 namespace Thalos.Bff.Application.Adapters;

--- a/src/Thalos.Bff.Application/Adapters/IdentityEdgeContractAdapter.cs
+++ b/src/Thalos.Bff.Application/Adapters/IdentityEdgeContractAdapter.cs
@ -0,0 +1,52 @@
+using Thalos.Bff.Contracts.Api;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;
+
+namespace Thalos.Bff.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity edge API and service contracts.
+/// </summary>
+public sealed class IdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
+{
+    /// <inheritdoc />
+    public EvaluateIdentityPolicyRequest ToPolicyRequest(IssueTokenApiRequest request, string permissionCode)
+    {
+        return new EvaluateIdentityPolicyRequest(
+            request.SubjectId,
+            request.TenantId,
+            permissionCode,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public IssueIdentityTokenRequest ToIssueTokenRequest(IssueTokenApiRequest request)
+    {
+        return new IssueIdentityTokenRequest(
+            request.SubjectId,
+            request.TenantId,
+            request.Provider,
+            request.ExternalToken);
+    }
+
+    /// <inheritdoc />
+    public IssueTokenApiResponse ToIssueTokenApiResponse(IssueIdentityTokenResponse response)
+    {
+        return new IssueTokenApiResponse(response.Token, response.ExpiresInSeconds);
+    }
+
+    /// <inheritdoc />
+    public RefreshIdentitySessionRequest ToRefreshSessionRequest(RefreshSessionApiRequest request)
+    {
+        return new RefreshIdentitySessionRequest(
+            request.RefreshToken,
+            request.CorrelationId,
+            request.Provider);
+    }
+
+    /// <inheritdoc />
+    public RefreshSessionApiResponse ToRefreshSessionApiResponse(RefreshIdentitySessionResponse response)
+    {
+        return new RefreshSessionApiResponse(response.Token, response.ExpiresInSeconds);
+    }
+}
--- a/src/Thalos.Bff.Application/Adapters/IdentityEdgeGrpcContractAdapter.cs
+++ b/src/Thalos.Bff.Application/Adapters/IdentityEdgeGrpcContractAdapter.cs
@ -0,0 +1,42 @@
+using Thalos.Bff.Application.Grpc;
+using Thalos.Bff.Contracts.Api;
+
+namespace Thalos.Bff.Application.Adapters;
+
+/// <summary>
+/// Default adapter implementation for identity edge gRPC contract translation.
+/// </summary>
+public sealed class IdentityEdgeGrpcContractAdapter : IIdentityEdgeGrpcContractAdapter
+{
+    /// <inheritdoc />
+    public IssueIdentityTokenGrpcContract ToGrpc(IssueTokenApiRequest request)
+    {
+        return new IssueIdentityTokenGrpcContract(
+            request.SubjectId,
+            request.TenantId,
+            request.CorrelationId,
+            request.Provider.ToString(),
+            request.ExternalToken);
+    }
+
+    /// <inheritdoc />
+    public IssueTokenApiRequest FromGrpc(IssueIdentityTokenGrpcContract contract)
+    {
+        return new IssueTokenApiRequest(
+            contract.SubjectId,
+            contract.TenantId,
+            contract.CorrelationId,
+            ParseProvider(contract.Provider),
+            contract.ExternalToken);
+    }
+
+    private static BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider ParseProvider(string provider)
+    {
+        return Enum.TryParse<BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider>(
+            provider,
+            true,
+            out var parsedProvider)
+            ? parsedProvider
+            : BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt;
+    }
+}
--- a/src/Thalos.Bff.Application/Contracts/RefreshIdentitySessionRequest.cs
+++ b/src/Thalos.Bff.Application/Contracts/RefreshIdentitySessionRequest.cs
@ -1,8 +0,0 @@
-namespace Thalos.Bff.Application.Contracts;
-
-/// <summary>
-/// Transport-neutral internal request contract for refresh session flow.
-/// </summary>
-/// <param name="RefreshToken">Refresh token value.</param>
-/// <param name="CorrelationId">Request correlation identifier.</param>
-public sealed record RefreshIdentitySessionRequest(string RefreshToken, string CorrelationId);
--- a/src/Thalos.Bff.Application/Contracts/RefreshIdentitySessionResponse.cs
+++ b/src/Thalos.Bff.Application/Contracts/RefreshIdentitySessionResponse.cs
@ -1,8 +0,0 @@
-namespace Thalos.Bff.Application.Contracts;
-
-/// <summary>
-/// Transport-neutral internal response contract for refresh session flow.
-/// </summary>
-/// <param name="Token">Refreshed token value.</param>
-/// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
-public sealed record RefreshIdentitySessionResponse(string Token, int ExpiresInSeconds);
--- a/src/Thalos.Bff.Application/DependencyInjection/ThalosBffApplicationServiceCollectionExtensions.cs
+++ b/src/Thalos.Bff.Application/DependencyInjection/ThalosBffApplicationServiceCollectionExtensions.cs
@ -0,0 +1,30 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Bff.Application.Handlers;
+using Thalos.Bff.Application.Security;
+
+namespace Thalos.Bff.Application.DependencyInjection;
+
+/// <summary>
+/// Registers application-layer runtime wiring for thalos-bff.
+/// </summary>
+public static class ThalosBffApplicationServiceCollectionExtensions
+{
+    /// <summary>
+    /// Adds thalos-bff application handlers and adapter implementations.
+    /// </summary>
+    /// <param name="services">Service collection.</param>
+    /// <returns>Service collection for fluent chaining.</returns>
+    public static IServiceCollection AddThalosBffApplicationRuntime(this IServiceCollection services)
+    {
+        services.TryAddSingleton<IIdentityEdgeContractAdapter, IdentityEdgeContractAdapter>();
+        services.TryAddSingleton<IIdentityEdgeGrpcContractAdapter, IdentityEdgeGrpcContractAdapter>();
+        services.TryAddSingleton<IPermissionGuard, IdentityPermissionGuard>();
+
+        services.TryAddScoped<IIssueTokenHandler, IssueTokenHandler>();
+        services.TryAddScoped<IRefreshSessionHandler, RefreshSessionHandler>();
+
+        return services;
+    }
+}
--- a/src/Thalos.Bff.Application/Grpc/IssueIdentityTokenGrpcContract.cs
+++ b/src/Thalos.Bff.Application/Grpc/IssueIdentityTokenGrpcContract.cs
@ -6,4 +6,11 @@ namespace Thalos.Bff.Application.Grpc;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant identifier.</param>
 /// <param name="CorrelationId">Request correlation identifier.</param>
-public sealed record IssueIdentityTokenGrpcContract(string SubjectId, string TenantId, string CorrelationId);
+/// <param name="Provider">Identity provider.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IssueIdentityTokenGrpcContract(
+    string SubjectId,
+    string TenantId,
+    string CorrelationId,
+    string Provider = "InternalJwt",
+    string ExternalToken = "");
--- a/src/Thalos.Bff.Application/Security/IPermissionGuard.cs
+++ b/src/Thalos.Bff.Application/Security/IPermissionGuard.cs
@ -1,4 +1,4 @@
-using Thalos.Service.Identity.Abstractions.Contracts;
+using BuildingBlock.Identity.Contracts.Responses;

 namespace Thalos.Bff.Application.Security;

--- a/src/Thalos.Bff.Application/Security/IdentityPermissionGuard.cs
+++ b/src/Thalos.Bff.Application/Security/IdentityPermissionGuard.cs
@ -0,0 +1,15 @@
+using BuildingBlock.Identity.Contracts.Responses;
+
+namespace Thalos.Bff.Application.Security;
+
+/// <summary>
+/// Default permission guard backed by thalos-service policy evaluation responses.
+/// </summary>
+public sealed class IdentityPermissionGuard : IPermissionGuard
+{
+    /// <inheritdoc />
+    public bool CanAccess(EvaluateIdentityPolicyResponse policyResponse)
+    {
+        return policyResponse.IsAllowed;
+    }
+}
--- a/src/Thalos.Bff.Application/Thalos.Bff.Application.csproj
+++ b/src/Thalos.Bff.Application/Thalos.Bff.Application.csproj
@ -5,7 +5,8 @@
    <Nullable>enable</Nullable>
  </PropertyGroup>
  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
    <ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
-    <ProjectReference Include="..\..\..\thalos-service\src\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
+    <ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
  </ItemGroup>
 </Project>
--- a/src/Thalos.Bff.Contracts/Api/IssueTokenApiRequest.cs
+++ b/src/Thalos.Bff.Contracts/Api/IssueTokenApiRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.Bff.Contracts.Api;

 /// <summary>
@ -6,4 +8,11 @@ namespace Thalos.Bff.Contracts.Api;
 /// <param name="SubjectId">Identity subject identifier.</param>
 /// <param name="TenantId">Tenant identifier.</param>
 /// <param name="CorrelationId">Request correlation identifier.</param>
-public sealed record IssueTokenApiRequest(string SubjectId, string TenantId, string CorrelationId = "");
+/// <param name="Provider">Identity auth provider.</param>
+/// <param name="ExternalToken">External provider token when applicable.</param>
+public sealed record IssueTokenApiRequest(
+    string SubjectId,
+    string TenantId,
+    string CorrelationId = "",
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
+    string ExternalToken = "");
--- a/src/Thalos.Bff.Contracts/Api/RefreshSessionApiRequest.cs
+++ b/src/Thalos.Bff.Contracts/Api/RefreshSessionApiRequest.cs
@ -1,3 +1,5 @@
+using BuildingBlock.Identity.Contracts.Conventions;
+
 namespace Thalos.Bff.Contracts.Api;

 /// <summary>
@ -5,4 +7,8 @@ namespace Thalos.Bff.Contracts.Api;
 /// </summary>
 /// <param name="RefreshToken">Refresh token value.</param>
 /// <param name="CorrelationId">Request correlation identifier.</param>
-public sealed record RefreshSessionApiRequest(string RefreshToken, string CorrelationId = "");
+/// <param name="Provider">Identity auth provider.</param>
+public sealed record RefreshSessionApiRequest(
+    string RefreshToken,
+    string CorrelationId = "",
+    IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
--- a/src/Thalos.Bff.Contracts/Conventions/ThalosBffPackageContract.cs
+++ b/src/Thalos.Bff.Contracts/Conventions/ThalosBffPackageContract.cs
@ -11,5 +11,5 @@ public sealed class ThalosBffPackageContract : IBlueprintPackageContract
    public BlueprintPackageDescriptor Descriptor { get; } = new(
        "Thalos.Bff.Contracts",
        PackageVersionPolicy.Minor,
-        ["Core.Blueprint.Common", "Thalos.Service.Identity.Abstractions"]);
+        ["Core.Blueprint.Common", "BuildingBlock.Identity.Contracts"]);
 }
--- a/src/Thalos.Bff.Contracts/Thalos.Bff.Contracts.csproj
+++ b/src/Thalos.Bff.Contracts/Thalos.Bff.Contracts.csproj
@ -6,5 +6,6 @@
  </PropertyGroup>
  <ItemGroup>
    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
+    <ProjectReference Include="..\..\..\building-block-identity\src\BuildingBlock.Identity.Contracts\BuildingBlock.Identity.Contracts.csproj" />
  </ItemGroup>
 </Project>
--- a/src/Thalos.Bff.Rest/Adapters/ThalosServiceGrpcClientAdapter.cs
+++ b/src/Thalos.Bff.Rest/Adapters/ThalosServiceGrpcClientAdapter.cs
@ -0,0 +1,111 @@
+using Grpc.Core;
+using Microsoft.Extensions.Primitives;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Service.Grpc;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;
+
+namespace Thalos.Bff.Rest.Adapters;
+
+/// <summary>
+/// gRPC-backed adapter for downstream thalos-service calls.
+/// </summary>
+public sealed class ThalosServiceGrpcClientAdapter(
+    IdentityRuntime.IdentityRuntimeClient grpcClient,
+    IHttpContextAccessor httpContextAccessor,
+    IConfiguration configuration) : IThalosServiceClient
+{
+    private const string CorrelationHeaderName = "x-correlation-id";
+    private readonly string refreshTenantId = configuration["ThalosService:RefreshTenantId"] ?? "refresh";
+
+    /// <inheritdoc />
+    public async Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
+    {
+        var correlationId = ResolveCorrelationId();
+        var grpcRequest = new IssueIdentityTokenGrpcRequest
+        {
+            SubjectId = request.SubjectId,
+            TenantId = request.TenantId,
+            Provider = request.Provider.ToString(),
+            ExternalToken = request.ExternalToken
+        };
+
+        var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new IssueIdentityTokenResponse(grpcResponse.Token, grpcResponse.ExpiresInSeconds);
+    }
+
+    /// <inheritdoc />
+    public async Task<EvaluateIdentityPolicyResponse> EvaluatePolicyAsync(EvaluateIdentityPolicyRequest request)
+    {
+        var correlationId = ResolveCorrelationId();
+        var grpcRequest = new EvaluateIdentityPolicyGrpcRequest
+        {
+            SubjectId = request.SubjectId,
+            TenantId = request.TenantId,
+            PermissionCode = request.PermissionCode,
+            Provider = request.Provider.ToString()
+        };
+
+        var grpcResponse = await grpcClient.EvaluateIdentityPolicyAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new EvaluateIdentityPolicyResponse(
+            grpcResponse.SubjectId,
+            grpcResponse.PermissionCode,
+            grpcResponse.IsAllowed);
+    }
+
+    /// <inheritdoc />
+    public async Task<RefreshIdentitySessionResponse> RefreshSessionAsync(RefreshIdentitySessionRequest request)
+    {
+        var correlationId = ResolveCorrelationId(request.CorrelationId);
+        var grpcRequest = new IssueIdentityTokenGrpcRequest
+        {
+            SubjectId = request.RefreshToken,
+            TenantId = refreshTenantId,
+            Provider = request.Provider.ToString()
+        };
+
+        var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
+            grpcRequest,
+            headers: CreateHeaders(correlationId));
+
+        return new RefreshIdentitySessionResponse(grpcResponse.Token, grpcResponse.ExpiresInSeconds);
+    }
+
+    private string ResolveCorrelationId(string? preferred = null)
+    {
+        if (!string.IsNullOrWhiteSpace(preferred))
+        {
+            return preferred;
+        }
+
+        var context = httpContextAccessor.HttpContext;
+        if (context?.Items.TryGetValue(CorrelationHeaderName, out var itemValue) == true &&
+            itemValue is string itemCorrelationId &&
+            !string.IsNullOrWhiteSpace(itemCorrelationId))
+        {
+            return itemCorrelationId;
+        }
+
+        if (context?.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) == true &&
+            !StringValues.IsNullOrEmpty(headerValue))
+        {
+            return headerValue.ToString();
+        }
+
+        return context?.TraceIdentifier ?? $"corr-{Guid.NewGuid():N}";
+    }
+
+    private static Metadata CreateHeaders(string correlationId)
+    {
+        return new Metadata
+        {
+            { CorrelationHeaderName, correlationId }
+        };
+    }
+}
--- a/src/Thalos.Bff.Rest/Program.cs
+++ b/src/Thalos.Bff.Rest/Program.cs
@ -1,18 +1,99 @@
+using Core.Blueprint.Common.DependencyInjection;
+using Microsoft.Extensions.Primitives;
+using Thalos.Bff.Application.Adapters;
+using Thalos.Bff.Application.DependencyInjection;
+using Thalos.Bff.Application.Handlers;
 using Thalos.Bff.Contracts.Api;
+using Thalos.Bff.Rest.Adapters;
+using Thalos.Bff.Rest.Endpoints;
+using Thalos.Service.Grpc;
+
+const string CorrelationHeaderName = "x-correlation-id";

 var builder = WebApplication.CreateBuilder(args);
+var edgeProtocol = builder.Configuration["ThalosBff:EdgeProtocol"] ?? "rest";
+if (!string.Equals(edgeProtocol, "rest", StringComparison.OrdinalIgnoreCase))
+{
+    throw new InvalidOperationException(
+        $"Thalos BFF supports one active edge protocol per deployment. Configured: '{edgeProtocol}'. Expected: 'rest'.");
+}
+
+builder.Services.AddHttpContextAccessor();
+builder.Services.AddHealthChecks();
+builder.Services.AddBlueprintRuntimeCore();
+builder.Services.AddThalosBffApplicationRuntime();
+builder.Services.AddScoped<IThalosServiceClient, ThalosServiceGrpcClientAdapter>();
+builder.Services.AddGrpcClient<IdentityRuntime.IdentityRuntimeClient>(options =>
+{
+    var serviceAddress = builder.Configuration["ThalosService:GrpcAddress"] ?? "http://localhost:5251";
+    options.Address = new Uri(serviceAddress);
+});

-// Stage 3 skeleton: single active external protocol for this deployment is REST.
 var app = builder.Build();

-app.MapPost("/api/identity/token", (IssueTokenApiRequest request) =>
+app.Use(async (context, next) =>
 {
-    return Results.Ok(new IssueTokenApiResponse("", 0));
+    var correlationId = ResolveCorrelationId(context);
+    context.Items[CorrelationHeaderName] = correlationId;
+    context.Request.Headers[CorrelationHeaderName] = correlationId;
+    context.Response.Headers[CorrelationHeaderName] = correlationId;
+    await next();
 });

-app.MapPost("/api/identity/session/refresh", (RefreshSessionApiRequest request) =>
+app.MapPost($"{EndpointConventions.ApiPrefix}/token", async (
+    IssueTokenApiRequest request,
+    HttpContext context,
+    IIssueTokenHandler handler) =>
 {
-    return Results.Ok(new RefreshSessionApiResponse("", 0));
+    var normalizedRequest = request with { CorrelationId = ResolveCorrelationId(context, request.CorrelationId) };
+
+    try
+    {
+        var response = await handler.HandleAsync(normalizedRequest);
+        return Results.Ok(response);
+    }
+    catch (UnauthorizedAccessException)
+    {
+        return Results.Unauthorized();
+    }
 });

+app.MapPost($"{EndpointConventions.ApiPrefix}/session/refresh", async (
+    RefreshSessionApiRequest request,
+    HttpContext context,
+    IRefreshSessionHandler handler) =>
+{
+    var normalizedRequest = request with { CorrelationId = ResolveCorrelationId(context, request.CorrelationId) };
+    var response = await handler.HandleAsync(normalizedRequest);
+    return Results.Ok(response);
+});
+
+app.MapHealthChecks("/healthz");
+
 app.Run();
+
+string ResolveCorrelationId(HttpContext context, string? preferred = null)
+{
+    if (!string.IsNullOrWhiteSpace(preferred))
+    {
+        context.Items[CorrelationHeaderName] = preferred;
+        context.Request.Headers[CorrelationHeaderName] = preferred;
+        context.Response.Headers[CorrelationHeaderName] = preferred;
+        return preferred;
+    }
+
+    if (context.Items.TryGetValue(CorrelationHeaderName, out var itemValue) &&
+        itemValue is string itemCorrelationId &&
+        !string.IsNullOrWhiteSpace(itemCorrelationId))
+    {
+        return itemCorrelationId;
+    }
+
+    if (context.Request.Headers.TryGetValue(CorrelationHeaderName, out var headerValue) &&
+        !StringValues.IsNullOrEmpty(headerValue))
+    {
+        return headerValue.ToString();
+    }
+
+    return context.TraceIdentifier;
+}
--- a/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj
+++ b/src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj
@ -4,8 +4,22 @@
    <Nullable>enable</Nullable>
    <ImplicitUsings>enable</ImplicitUsings>
  </PropertyGroup>
+  <ItemGroup>
+    <PackageReference Include="Google.Protobuf" Version="3.31.1" />
+    <PackageReference Include="Grpc.Core.Api" Version="2.71.0" />
+    <PackageReference Include="Grpc.Net.Client" Version="2.71.0" />
+    <PackageReference Include="Grpc.Net.ClientFactory" Version="2.71.0" />
+    <PackageReference Include="Grpc.Tools" Version="2.71.0">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+  <ItemGroup>
+    <Protobuf Include="..\..\..\thalos-service\src\Thalos.Service.Grpc\Protos\identity_runtime.proto" GrpcServices="Client" Link="Protos\identity_runtime.proto" />
+  </ItemGroup>
  <ItemGroup>
    <ProjectReference Include="..\Thalos.Bff.Application\Thalos.Bff.Application.csproj" />
    <ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
+    <ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
  </ItemGroup>
 </Project>
--- a/tests/Thalos.Bff.Application.UnitTests/ContractShapeTests.cs
+++ b/tests/Thalos.Bff.Application.UnitTests/ContractShapeTests.cs
@ -1,4 +1,5 @@
 using Core.Blueprint.Common.Contracts;
+using BuildingBlock.Identity.Contracts.Conventions;
 using Thalos.Bff.Contracts.Api;
 using Thalos.Bff.Contracts.Conventions;

@ -14,6 +15,7 @@ public class ContractShapeTests
        Assert.Equal("user-1", request.SubjectId);
        Assert.Equal("tenant-1", request.TenantId);
        Assert.Equal("corr-123", request.CorrelationId);
+        Assert.Equal(IdentityAuthProvider.InternalJwt, request.Provider);
    }

    [Fact]
@ -24,6 +26,6 @@ public class ContractShapeTests
        Assert.Equal("Thalos.Bff.Contracts", contract.Descriptor.PackageId);
        Assert.Equal(PackageVersionPolicy.Minor, contract.Descriptor.VersionPolicy);
        Assert.Contains("Core.Blueprint.Common", contract.Descriptor.DependencyPackageIds);
-        Assert.Contains("Thalos.Service.Identity.Abstractions", contract.Descriptor.DependencyPackageIds);
+        Assert.Contains("BuildingBlock.Identity.Contracts", contract.Descriptor.DependencyPackageIds);
    }
 }
--- a/tests/Thalos.Bff.Application.UnitTests/IssueTokenHandlerTests.cs
+++ b/tests/Thalos.Bff.Application.UnitTests/IssueTokenHandlerTests.cs
@ -1,9 +1,9 @@
-using Thalos.Bff.Application.Contracts;
 using Thalos.Bff.Application.Adapters;
 using Thalos.Bff.Application.Handlers;
 using Thalos.Bff.Application.Security;
 using Thalos.Bff.Contracts.Api;
-using Thalos.Service.Identity.Abstractions.Contracts;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;

 namespace Thalos.Bff.Application.UnitTests;

--- a/tests/Thalos.Bff.Application.UnitTests/RefreshSessionHandlerTests.cs
+++ b/tests/Thalos.Bff.Application.UnitTests/RefreshSessionHandlerTests.cs
@ -1,8 +1,8 @@
 using Thalos.Bff.Application.Adapters;
-using Thalos.Bff.Application.Contracts;
 using Thalos.Bff.Application.Handlers;
 using Thalos.Bff.Contracts.Api;
-using Thalos.Service.Identity.Abstractions.Contracts;
+using BuildingBlock.Identity.Contracts.Requests;
+using BuildingBlock.Identity.Contracts.Responses;

 namespace Thalos.Bff.Application.UnitTests;