Compare commits
10 Commits
3997d5d77e
...
12cb75783b
| Author | SHA1 | Date | |
|---|---|---|---|
|
12cb75783b | ||
|
|
81070d0571 | ||
|
|
56510de55e | ||
|
|
be41225087 | ||
|
|
c352b64070 | ||
|
|
df4a2b198a | ||
|
|
09a35ce605 | ||
|
|
5f4189da8e | ||
|
|
cc221eab1a | ||
|
|
26c6e141c0 |
9
.dockerignore
Normal file
9
.dockerignore
Normal file
@ -0,0 +1,9 @@
|
||||
**/bin/
|
||||
**/obj/
|
||||
.vs/
|
||||
TestResults/
|
||||
.git/
|
||||
.repo-tasks/
|
||||
.repo-context/
|
||||
.tasks/
|
||||
.agile/
|
||||
63
.gitignore
vendored
63
.gitignore
vendored
@ -1,53 +1,24 @@
|
||||
# AgileWebs local orchestration
|
||||
# Repository orchestration folders (local only)
|
||||
.repo-tasks/
|
||||
.repo-context/
|
||||
.tasks/
|
||||
.agile/
|
||||
|
||||
# Build artifacts
|
||||
**/[Bb]in/
|
||||
**/[Oo]bj/
|
||||
/**/out/
|
||||
/**/artifacts/
|
||||
|
||||
# IDE and editor files
|
||||
# .NET build outputs
|
||||
**/bin/
|
||||
**/obj/
|
||||
.vs/
|
||||
.idea/
|
||||
.vscode/
|
||||
*.suo
|
||||
*.user
|
||||
*.userosscache
|
||||
*.sln.docstates
|
||||
*.rsuser
|
||||
*.swp
|
||||
*.swo
|
||||
|
||||
# NuGet
|
||||
*.nupkg
|
||||
*.snupkg
|
||||
**/packages/*
|
||||
!**/packages/build/
|
||||
|
||||
# Test output
|
||||
TestResults/
|
||||
**/TestResults/
|
||||
*.trx
|
||||
*.coverage
|
||||
*.coveragexml
|
||||
*.user
|
||||
*.suo
|
||||
*.rsuser
|
||||
|
||||
# Logs
|
||||
*.log
|
||||
# IDE
|
||||
.idea/
|
||||
|
||||
# Runtime-local artifacts
|
||||
logs/
|
||||
|
||||
# Local environment files
|
||||
.env
|
||||
.env.*
|
||||
!.env.example
|
||||
|
||||
# Docker
|
||||
.docker/
|
||||
**/.docker/
|
||||
*.pid
|
||||
docker-compose.override.yml
|
||||
docker-compose.*.override.yml
|
||||
|
||||
# OS files
|
||||
.DS_Store
|
||||
Thumbs.db
|
||||
*.log
|
||||
.env.local
|
||||
.env.*.local
|
||||
|
||||
22
Dockerfile
Normal file
22
Dockerfile
Normal file
@ -0,0 +1,22 @@
|
||||
# syntax=docker/dockerfile:1.7
|
||||
ARG SDK_IMAGE=mcr.microsoft.com/dotnet/sdk:10.0
|
||||
ARG RUNTIME_IMAGE=mcr.microsoft.com/dotnet/aspnet:10.0
|
||||
|
||||
FROM ${SDK_IMAGE} AS build
|
||||
ARG NUGET_FEED_URL=https://gitea.dream-views.com/api/packages/AgileWebs/nuget/index.json
|
||||
ARG NUGET_FEED_USERNAME=
|
||||
ARG NUGET_FEED_TOKEN=
|
||||
WORKDIR /src
|
||||
COPY . .
|
||||
|
||||
RUN if [ -n "$NUGET_FEED_USERNAME" ] && [ -n "$NUGET_FEED_TOKEN" ]; then dotnet nuget add source "$NUGET_FEED_URL" --name gitea-org --username "$NUGET_FEED_USERNAME" --password "$NUGET_FEED_TOKEN" --store-password-in-clear-text --allow-insecure-connections --configfile /root/.nuget/NuGet/NuGet.Config; fi
|
||||
|
||||
RUN dotnet restore "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" --configfile /root/.nuget/NuGet/NuGet.Config
|
||||
RUN dotnet publish "src/Thalos.Bff.Rest/Thalos.Bff.Rest.csproj" -c Release -o /app/publish /p:UseAppHost=false --no-restore
|
||||
|
||||
FROM ${RUNTIME_IMAGE} AS runtime
|
||||
WORKDIR /app
|
||||
ENV ASPNETCORE_URLS=http://+:8080 ASPNETCORE_ENVIRONMENT=Production
|
||||
EXPOSE 8080
|
||||
COPY --from=build /app/publish .
|
||||
ENTRYPOINT ["dotnet", "Thalos.Bff.Rest.dll"]
|
||||
@ -7,13 +7,22 @@
|
||||
|
||||
## Entrypoints
|
||||
|
||||
- `POST /api/identity/token`
|
||||
- `POST /api/identity/session/refresh`
|
||||
- Canonical session endpoints:
|
||||
- `POST /api/identity/session/login`
|
||||
- `POST /api/identity/session/refresh`
|
||||
- `POST /api/identity/session/logout`
|
||||
- `GET /api/identity/session/me`
|
||||
- Compatibility endpoint:
|
||||
- `POST /api/identity/token`
|
||||
- `POST /api/identity/login`
|
||||
- `POST /api/identity/token/refresh`
|
||||
- `POST /api/identity/logout`
|
||||
|
||||
## Boundary Notes
|
||||
|
||||
- Endpoint handlers perform edge validation and permission checks.
|
||||
- Token issuance and policy evaluation requests are mapped to thalos-service identity contracts.
|
||||
- Session refresh requests are mapped through edge contract adapters before downstream calls.
|
||||
- Session login and refresh call canonical thalos-service session gRPC operations.
|
||||
- Session cookies are managed at the BFF edge (`thalos_session`, `thalos_refresh`) with env-driven secure flag.
|
||||
- Token issuance and policy evaluation contracts remain available for compatibility calls.
|
||||
- Business orchestration remains in thalos-service.
|
||||
- Identity abstractions remain owned by Thalos repositories.
|
||||
|
||||
16
docs/architecture/bff-identity-boundary.md
Normal file
16
docs/architecture/bff-identity-boundary.md
Normal file
@ -0,0 +1,16 @@
|
||||
# Thalos BFF Identity Boundary
|
||||
|
||||
## Purpose
|
||||
Keep thalos-bff as an edge adapter layer that consumes thalos-service and adopted identity capability contracts.
|
||||
|
||||
## BFF Responsibilities
|
||||
- Edge contract handling
|
||||
- Service client adaptation
|
||||
- Correlation/tracing propagation
|
||||
- Single active edge protocol policy enforcement (`rest`)
|
||||
- Provider metadata propagation (`InternalJwt`, `AzureAd`, `Google`)
|
||||
|
||||
## Prohibited
|
||||
- Direct DAL access
|
||||
- Identity policy decision ownership
|
||||
- Identity persistence concerns
|
||||
13
docs/migration/building-block-identity-adoption-plan.md
Normal file
13
docs/migration/building-block-identity-adoption-plan.md
Normal file
@ -0,0 +1,13 @@
|
||||
# Building Block Identity Adoption Plan
|
||||
|
||||
## Goal
|
||||
Align BFF contract usage with building-block-identity contract surface without changing behavior.
|
||||
|
||||
## Steps
|
||||
1. Map current BFF identity contract types to capability contract types.
|
||||
2. Keep compatibility bridge active during migration window.
|
||||
3. Validate edge payload behavior and service compatibility.
|
||||
|
||||
## Guardrails
|
||||
- BFF remains service-facing.
|
||||
- No identity decision logic moves into BFF.
|
||||
6
docs/migration/edge-compatibility-checks.md
Normal file
6
docs/migration/edge-compatibility-checks.md
Normal file
@ -0,0 +1,6 @@
|
||||
# Edge Compatibility Checks
|
||||
|
||||
## Checks
|
||||
- Existing edge request/response behavior remains stable.
|
||||
- Correlation and trace metadata pass-through remains stable.
|
||||
- Service contract compatibility is preserved after identity contract adoption.
|
||||
26
docs/runbooks/containerization.md
Normal file
26
docs/runbooks/containerization.md
Normal file
@ -0,0 +1,26 @@
|
||||
# Containerization Runbook
|
||||
|
||||
## Image Build
|
||||
|
||||
If the repo consumes internal packages from Gitea, pass feed credentials as build args.
|
||||
|
||||
```bash
|
||||
docker build --build-arg NUGET_FEED_USERNAME=<gitea-login> --build-arg NUGET_FEED_TOKEN=<gitea-token> -t agilewebs/thalos-bff:dev .
|
||||
```
|
||||
|
||||
## Local Run
|
||||
|
||||
```bash
|
||||
docker run --rm -p 8080:8080 --name thalos-bff agilewebs/thalos-bff:dev
|
||||
```
|
||||
|
||||
## Health Probe
|
||||
|
||||
- Path: `/health`
|
||||
- Fallback path: `/healthz`
|
||||
- Port: `8080`
|
||||
|
||||
## Runtime Notes
|
||||
|
||||
- Requires `ThalosService__GrpcAddress` to target thalos-service in distributed runs.
|
||||
- gRPC client contract protobuf is vendored at `src/Thalos.Bff.Rest/Protos/identity_runtime.proto` to keep image builds repo-local.
|
||||
@ -9,3 +9,7 @@
|
||||
|
||||
- Permission checks happen at BFF entrypoints using thalos-service policy responses.
|
||||
- Authorization decisions are explicit and traceable at edge boundaries.
|
||||
- Auth failure payload shape is standardized as `{ code, message, correlationId }`.
|
||||
- HTTP semantics:
|
||||
- `401`: no valid session or failed session issuance/refresh.
|
||||
- `403`: authenticated but denied by permission policy.
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.Adapters;
|
||||
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
using Thalos.Bff.Application.Sessions;
|
||||
|
||||
namespace Thalos.Bff.Application.Adapters;
|
||||
|
||||
@ -8,6 +9,14 @@ namespace Thalos.Bff.Application.Adapters;
|
||||
/// </summary>
|
||||
public interface IThalosServiceClient
|
||||
{
|
||||
/// <summary>
|
||||
/// Starts canonical session flow in thalos-service.
|
||||
/// </summary>
|
||||
/// <param name="request">Identity token issuance request.</param>
|
||||
/// <param name="correlationId">Request correlation identifier.</param>
|
||||
/// <returns>Session token bundle.</returns>
|
||||
Task<SessionTokensResult> StartSessionAsync(IssueIdentityTokenRequest request, string correlationId);
|
||||
|
||||
/// <summary>
|
||||
/// Requests token issuance from thalos-service.
|
||||
/// </summary>
|
||||
@ -28,4 +37,11 @@ public interface IThalosServiceClient
|
||||
/// <param name="request">Session refresh request.</param>
|
||||
/// <returns>Session refresh response.</returns>
|
||||
Task<RefreshIdentitySessionResponse> RefreshSessionAsync(RefreshIdentitySessionRequest request);
|
||||
|
||||
/// <summary>
|
||||
/// Refreshes canonical session flow in thalos-service.
|
||||
/// </summary>
|
||||
/// <param name="request">Session refresh request.</param>
|
||||
/// <returns>Session token bundle.</returns>
|
||||
Task<SessionTokensResult> RefreshSessionTokensAsync(RefreshIdentitySessionRequest request);
|
||||
}
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.Adapters;
|
||||
|
||||
@ -12,13 +12,21 @@ public sealed class IdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
|
||||
/// <inheritdoc />
|
||||
public EvaluateIdentityPolicyRequest ToPolicyRequest(IssueTokenApiRequest request, string permissionCode)
|
||||
{
|
||||
return new EvaluateIdentityPolicyRequest(request.SubjectId, request.TenantId, permissionCode);
|
||||
return new EvaluateIdentityPolicyRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
permissionCode,
|
||||
request.Provider);
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public IssueIdentityTokenRequest ToIssueTokenRequest(IssueTokenApiRequest request)
|
||||
{
|
||||
return new IssueIdentityTokenRequest(request.SubjectId, request.TenantId);
|
||||
return new IssueIdentityTokenRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.Provider,
|
||||
request.ExternalToken);
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
@ -30,7 +38,10 @@ public sealed class IdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
|
||||
/// <inheritdoc />
|
||||
public RefreshIdentitySessionRequest ToRefreshSessionRequest(RefreshSessionApiRequest request)
|
||||
{
|
||||
return new RefreshIdentitySessionRequest(request.RefreshToken, request.CorrelationId);
|
||||
return new RefreshIdentitySessionRequest(
|
||||
request.RefreshToken,
|
||||
request.CorrelationId,
|
||||
request.Provider);
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
|
||||
@ -11,12 +11,32 @@ public sealed class IdentityEdgeGrpcContractAdapter : IIdentityEdgeGrpcContractA
|
||||
/// <inheritdoc />
|
||||
public IssueIdentityTokenGrpcContract ToGrpc(IssueTokenApiRequest request)
|
||||
{
|
||||
return new IssueIdentityTokenGrpcContract(request.SubjectId, request.TenantId, request.CorrelationId);
|
||||
return new IssueIdentityTokenGrpcContract(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.CorrelationId,
|
||||
request.Provider.ToString(),
|
||||
request.ExternalToken);
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public IssueTokenApiRequest FromGrpc(IssueIdentityTokenGrpcContract contract)
|
||||
{
|
||||
return new IssueTokenApiRequest(contract.SubjectId, contract.TenantId, contract.CorrelationId);
|
||||
return new IssueTokenApiRequest(
|
||||
contract.SubjectId,
|
||||
contract.TenantId,
|
||||
contract.CorrelationId,
|
||||
ParseProvider(contract.Provider),
|
||||
contract.ExternalToken);
|
||||
}
|
||||
|
||||
private static BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider ParseProvider(string provider)
|
||||
{
|
||||
return Enum.TryParse<BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider>(
|
||||
provider,
|
||||
true,
|
||||
out var parsedProvider)
|
||||
? parsedProvider
|
||||
: BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,8 +0,0 @@
|
||||
namespace Thalos.Bff.Application.Contracts;
|
||||
|
||||
/// <summary>
|
||||
/// Transport-neutral internal request contract for refresh session flow.
|
||||
/// </summary>
|
||||
/// <param name="RefreshToken">Refresh token value.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
public sealed record RefreshIdentitySessionRequest(string RefreshToken, string CorrelationId);
|
||||
@ -1,8 +0,0 @@
|
||||
namespace Thalos.Bff.Application.Contracts;
|
||||
|
||||
/// <summary>
|
||||
/// Transport-neutral internal response contract for refresh session flow.
|
||||
/// </summary>
|
||||
/// <param name="Token">Refreshed token value.</param>
|
||||
/// <param name="ExpiresInSeconds">Token expiration in seconds.</param>
|
||||
public sealed record RefreshIdentitySessionResponse(string Token, int ExpiresInSeconds);
|
||||
@ -6,4 +6,11 @@ namespace Thalos.Bff.Application.Grpc;
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant identifier.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
public sealed record IssueIdentityTokenGrpcContract(string SubjectId, string TenantId, string CorrelationId);
|
||||
/// <param name="Provider">Identity provider.</param>
|
||||
/// <param name="ExternalToken">External provider token when applicable.</param>
|
||||
public sealed record IssueIdentityTokenGrpcContract(
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
string CorrelationId,
|
||||
string Provider = "InternalJwt",
|
||||
string ExternalToken = "");
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.Security;
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.Security;
|
||||
|
||||
|
||||
14
src/Thalos.Bff.Application/Sessions/SessionTokensResult.cs
Normal file
14
src/Thalos.Bff.Application/Sessions/SessionTokensResult.cs
Normal file
@ -0,0 +1,14 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Application.Sessions;
|
||||
|
||||
/// <summary>
|
||||
/// Session token payload returned by thalos-service session operations.
|
||||
/// </summary>
|
||||
public sealed record SessionTokensResult(
|
||||
string AccessToken,
|
||||
string RefreshToken,
|
||||
int ExpiresInSeconds,
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
IdentityAuthProvider Provider);
|
||||
@ -6,7 +6,7 @@
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.0" />
|
||||
<PackageReference Include="BuildingBlock.Identity.Contracts" Version="0.2.0" />
|
||||
<ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
|
||||
<ProjectReference Include="..\..\..\thalos-service\src\Thalos.Service.Identity.Abstractions\Thalos.Service.Identity.Abstractions.csproj" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
9
src/Thalos.Bff.Contracts/Api/ApiErrorResponse.cs
Normal file
9
src/Thalos.Bff.Contracts/Api/ApiErrorResponse.cs
Normal file
@ -0,0 +1,9 @@
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
/// Standardized API error payload.
|
||||
/// </summary>
|
||||
/// <param name="Code">Stable machine-readable error code.</param>
|
||||
/// <param name="Message">Human-readable error message.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
public sealed record ApiErrorResponse(string Code, string Message, string CorrelationId);
|
||||
@ -1,3 +1,5 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
@ -6,4 +8,11 @@ namespace Thalos.Bff.Contracts.Api;
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant identifier.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
public sealed record IssueTokenApiRequest(string SubjectId, string TenantId, string CorrelationId = "");
|
||||
/// <param name="Provider">Identity auth provider.</param>
|
||||
/// <param name="ExternalToken">External provider token when applicable.</param>
|
||||
public sealed record IssueTokenApiRequest(
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
string CorrelationId = "",
|
||||
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
|
||||
string ExternalToken = "");
|
||||
|
||||
@ -1,3 +1,5 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
@ -5,4 +7,8 @@ namespace Thalos.Bff.Contracts.Api;
|
||||
/// </summary>
|
||||
/// <param name="RefreshToken">Refresh token value.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
public sealed record RefreshSessionApiRequest(string RefreshToken, string CorrelationId = "");
|
||||
/// <param name="Provider">Identity auth provider.</param>
|
||||
public sealed record RefreshSessionApiRequest(
|
||||
string RefreshToken,
|
||||
string CorrelationId = "",
|
||||
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt);
|
||||
|
||||
18
src/Thalos.Bff.Contracts/Api/SessionLoginApiRequest.cs
Normal file
18
src/Thalos.Bff.Contracts/Api/SessionLoginApiRequest.cs
Normal file
@ -0,0 +1,18 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
/// Canonical API request for session login.
|
||||
/// </summary>
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant identifier.</param>
|
||||
/// <param name="CorrelationId">Request correlation identifier.</param>
|
||||
/// <param name="Provider">Identity auth provider.</param>
|
||||
/// <param name="ExternalToken">External provider token when applicable.</param>
|
||||
public sealed record SessionLoginApiRequest(
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
string CorrelationId,
|
||||
IdentityAuthProvider Provider = IdentityAuthProvider.InternalJwt,
|
||||
string ExternalToken = "");
|
||||
16
src/Thalos.Bff.Contracts/Api/SessionLoginApiResponse.cs
Normal file
16
src/Thalos.Bff.Contracts/Api/SessionLoginApiResponse.cs
Normal file
@ -0,0 +1,16 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
/// Canonical API response for session login and refresh.
|
||||
/// </summary>
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant identifier.</param>
|
||||
/// <param name="Provider">Identity auth provider.</param>
|
||||
/// <param name="ExpiresInSeconds">Access token expiration in seconds.</param>
|
||||
public sealed record SessionLoginApiResponse(
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
IdentityAuthProvider Provider,
|
||||
int ExpiresInSeconds);
|
||||
16
src/Thalos.Bff.Contracts/Api/SessionMeApiResponse.cs
Normal file
16
src/Thalos.Bff.Contracts/Api/SessionMeApiResponse.cs
Normal file
@ -0,0 +1,16 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
|
||||
namespace Thalos.Bff.Contracts.Api;
|
||||
|
||||
/// <summary>
|
||||
/// API response contract for current authenticated session details.
|
||||
/// </summary>
|
||||
/// <param name="IsAuthenticated">Indicates whether the caller has an authenticated session.</param>
|
||||
/// <param name="SubjectId">Identity subject identifier.</param>
|
||||
/// <param name="TenantId">Tenant identifier.</param>
|
||||
/// <param name="Provider">Identity auth provider.</param>
|
||||
public sealed record SessionMeApiResponse(
|
||||
bool IsAuthenticated,
|
||||
string SubjectId,
|
||||
string TenantId,
|
||||
IdentityAuthProvider Provider);
|
||||
@ -11,5 +11,5 @@ public sealed class ThalosBffPackageContract : IBlueprintPackageContract
|
||||
public BlueprintPackageDescriptor Descriptor { get; } = new(
|
||||
"Thalos.Bff.Contracts",
|
||||
PackageVersionPolicy.Minor,
|
||||
["Core.Blueprint.Common", "Thalos.Service.Identity.Abstractions"]);
|
||||
["Core.Blueprint.Common", "BuildingBlock.Identity.Contracts"]);
|
||||
}
|
||||
|
||||
@ -5,6 +5,7 @@
|
||||
<Nullable>enable</Nullable>
|
||||
</PropertyGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
|
||||
<PackageReference Include="Core.Blueprint.Common" Version="0.2.0" />
|
||||
<PackageReference Include="BuildingBlock.Identity.Contracts" Version="0.2.0" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@ -1,9 +1,10 @@
|
||||
using Grpc.Core;
|
||||
using Microsoft.Extensions.Primitives;
|
||||
using Thalos.Bff.Application.Adapters;
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Bff.Application.Sessions;
|
||||
using Thalos.Service.Grpc;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Rest.Adapters;
|
||||
|
||||
@ -12,11 +13,35 @@ namespace Thalos.Bff.Rest.Adapters;
|
||||
/// </summary>
|
||||
public sealed class ThalosServiceGrpcClientAdapter(
|
||||
IdentityRuntime.IdentityRuntimeClient grpcClient,
|
||||
IHttpContextAccessor httpContextAccessor,
|
||||
IConfiguration configuration) : IThalosServiceClient
|
||||
IHttpContextAccessor httpContextAccessor) : IThalosServiceClient
|
||||
{
|
||||
private const string CorrelationHeaderName = "x-correlation-id";
|
||||
private readonly string refreshTenantId = configuration["ThalosService:RefreshTenantId"] ?? "refresh";
|
||||
|
||||
/// <inheritdoc />
|
||||
public async Task<SessionTokensResult> StartSessionAsync(IssueIdentityTokenRequest request, string correlationId)
|
||||
{
|
||||
var resolvedCorrelationId = ResolveCorrelationId(correlationId);
|
||||
var grpcRequest = new StartIdentitySessionGrpcRequest
|
||||
{
|
||||
SubjectId = request.SubjectId,
|
||||
TenantId = request.TenantId,
|
||||
Provider = request.Provider.ToString(),
|
||||
ExternalToken = request.ExternalToken,
|
||||
CorrelationId = resolvedCorrelationId
|
||||
};
|
||||
|
||||
var grpcResponse = await grpcClient.StartIdentitySessionAsync(
|
||||
grpcRequest,
|
||||
headers: CreateHeaders(resolvedCorrelationId));
|
||||
|
||||
return new SessionTokensResult(
|
||||
grpcResponse.AccessToken,
|
||||
grpcResponse.RefreshToken,
|
||||
grpcResponse.ExpiresInSeconds,
|
||||
grpcResponse.SubjectId,
|
||||
grpcResponse.TenantId,
|
||||
ParseProvider(grpcResponse.Provider));
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public async Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
|
||||
@ -25,7 +50,9 @@ public sealed class ThalosServiceGrpcClientAdapter(
|
||||
var grpcRequest = new IssueIdentityTokenGrpcRequest
|
||||
{
|
||||
SubjectId = request.SubjectId,
|
||||
TenantId = request.TenantId
|
||||
TenantId = request.TenantId,
|
||||
Provider = request.Provider.ToString(),
|
||||
ExternalToken = request.ExternalToken
|
||||
};
|
||||
|
||||
var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
|
||||
@ -43,7 +70,8 @@ public sealed class ThalosServiceGrpcClientAdapter(
|
||||
{
|
||||
SubjectId = request.SubjectId,
|
||||
TenantId = request.TenantId,
|
||||
PermissionCode = request.PermissionCode
|
||||
PermissionCode = request.PermissionCode,
|
||||
Provider = request.Provider.ToString()
|
||||
};
|
||||
|
||||
var grpcResponse = await grpcClient.EvaluateIdentityPolicyAsync(
|
||||
@ -58,19 +86,33 @@ public sealed class ThalosServiceGrpcClientAdapter(
|
||||
|
||||
/// <inheritdoc />
|
||||
public async Task<RefreshIdentitySessionResponse> RefreshSessionAsync(RefreshIdentitySessionRequest request)
|
||||
{
|
||||
var sessionTokens = await RefreshSessionTokensAsync(request);
|
||||
return new RefreshIdentitySessionResponse(sessionTokens.AccessToken, sessionTokens.ExpiresInSeconds);
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public async Task<SessionTokensResult> RefreshSessionTokensAsync(RefreshIdentitySessionRequest request)
|
||||
{
|
||||
var correlationId = ResolveCorrelationId(request.CorrelationId);
|
||||
var grpcRequest = new IssueIdentityTokenGrpcRequest
|
||||
var grpcRequest = new RefreshIdentitySessionGrpcRequest
|
||||
{
|
||||
SubjectId = request.RefreshToken,
|
||||
TenantId = refreshTenantId
|
||||
RefreshToken = request.RefreshToken,
|
||||
CorrelationId = correlationId,
|
||||
Provider = request.Provider.ToString()
|
||||
};
|
||||
|
||||
var grpcResponse = await grpcClient.IssueIdentityTokenAsync(
|
||||
var grpcResponse = await grpcClient.RefreshIdentitySessionAsync(
|
||||
grpcRequest,
|
||||
headers: CreateHeaders(correlationId));
|
||||
|
||||
return new RefreshIdentitySessionResponse(grpcResponse.Token, grpcResponse.ExpiresInSeconds);
|
||||
return new SessionTokensResult(
|
||||
grpcResponse.AccessToken,
|
||||
string.IsNullOrWhiteSpace(grpcResponse.RefreshToken) ? request.RefreshToken : grpcResponse.RefreshToken,
|
||||
grpcResponse.ExpiresInSeconds,
|
||||
grpcResponse.SubjectId,
|
||||
grpcResponse.TenantId,
|
||||
ParseProvider(grpcResponse.Provider));
|
||||
}
|
||||
|
||||
private string ResolveCorrelationId(string? preferred = null)
|
||||
@ -104,4 +146,11 @@ public sealed class ThalosServiceGrpcClientAdapter(
|
||||
{ CorrelationHeaderName, correlationId }
|
||||
};
|
||||
}
|
||||
|
||||
private static BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider ParseProvider(string provider)
|
||||
{
|
||||
return Enum.TryParse<BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider>(provider, true, out var parsedProvider)
|
||||
? parsedProvider
|
||||
: BuildingBlock.Identity.Contracts.Conventions.IdentityAuthProvider.InternalJwt;
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,16 +1,28 @@
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using Core.Blueprint.Common.DependencyInjection;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using Microsoft.Extensions.Primitives;
|
||||
using Thalos.Bff.Application.Adapters;
|
||||
using Thalos.Bff.Application.DependencyInjection;
|
||||
using Thalos.Bff.Application.Handlers;
|
||||
using Thalos.Bff.Application.Security;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Bff.Rest.Adapters;
|
||||
using Thalos.Bff.Rest.Endpoints;
|
||||
using Thalos.Service.Grpc;
|
||||
|
||||
const string CorrelationHeaderName = "x-correlation-id";
|
||||
const string SessionAccessCookieName = "thalos_session";
|
||||
const string SessionRefreshCookieName = "thalos_refresh";
|
||||
|
||||
var builder = WebApplication.CreateBuilder(args);
|
||||
var edgeProtocol = builder.Configuration["ThalosBff:EdgeProtocol"] ?? "rest";
|
||||
if (!string.Equals(edgeProtocol, "rest", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new InvalidOperationException(
|
||||
$"Thalos BFF supports one active edge protocol per deployment. Configured: '{edgeProtocol}'. Expected: 'rest'.");
|
||||
}
|
||||
|
||||
builder.Services.AddHttpContextAccessor();
|
||||
builder.Services.AddHealthChecks();
|
||||
@ -34,6 +46,90 @@ app.Use(async (context, next) =>
|
||||
await next();
|
||||
});
|
||||
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/session/login", async (
|
||||
SessionLoginApiRequest request,
|
||||
HttpContext context,
|
||||
IThalosServiceClient serviceClient,
|
||||
IIdentityEdgeContractAdapter contractAdapter,
|
||||
IPermissionGuard permissionGuard) =>
|
||||
{
|
||||
var correlationId = ResolveCorrelationId(context, request.CorrelationId);
|
||||
var issueRequest = new IssueTokenApiRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
correlationId,
|
||||
request.Provider,
|
||||
request.ExternalToken);
|
||||
|
||||
var policyRequest = contractAdapter.ToPolicyRequest(issueRequest, "identity.token.issue");
|
||||
var policyResponse = await serviceClient.EvaluatePolicyAsync(policyRequest);
|
||||
if (!permissionGuard.CanAccess(policyResponse))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
|
||||
}
|
||||
|
||||
var serviceRequest = contractAdapter.ToIssueTokenRequest(issueRequest);
|
||||
var sessionTokens = await serviceClient.StartSessionAsync(serviceRequest, correlationId);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(sessionTokens.AccessToken) || string.IsNullOrWhiteSpace(sessionTokens.RefreshToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_login_failed", "Unable to issue session.", correlationId);
|
||||
}
|
||||
|
||||
WriteSessionCookies(context, sessionTokens, builder.Configuration);
|
||||
|
||||
var response = new SessionLoginApiResponse(
|
||||
sessionTokens.SubjectId,
|
||||
sessionTokens.TenantId,
|
||||
sessionTokens.Provider,
|
||||
sessionTokens.ExpiresInSeconds);
|
||||
|
||||
return Results.Ok(response);
|
||||
});
|
||||
|
||||
// Compatibility alias kept for existing token-based callers.
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/login", async (
|
||||
SessionLoginApiRequest request,
|
||||
HttpContext context,
|
||||
IThalosServiceClient serviceClient,
|
||||
IIdentityEdgeContractAdapter contractAdapter,
|
||||
IPermissionGuard permissionGuard) =>
|
||||
{
|
||||
var correlationId = ResolveCorrelationId(context, request.CorrelationId);
|
||||
var issueRequest = new IssueTokenApiRequest(
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
correlationId,
|
||||
request.Provider,
|
||||
request.ExternalToken);
|
||||
|
||||
var policyRequest = contractAdapter.ToPolicyRequest(issueRequest, "identity.token.issue");
|
||||
var policyResponse = await serviceClient.EvaluatePolicyAsync(policyRequest);
|
||||
if (!permissionGuard.CanAccess(policyResponse))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status403Forbidden, "forbidden", "Permission denied.", correlationId);
|
||||
}
|
||||
|
||||
var serviceRequest = contractAdapter.ToIssueTokenRequest(issueRequest);
|
||||
var sessionTokens = await serviceClient.StartSessionAsync(serviceRequest, correlationId);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(sessionTokens.AccessToken) || string.IsNullOrWhiteSpace(sessionTokens.RefreshToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_login_failed", "Unable to issue session.", correlationId);
|
||||
}
|
||||
|
||||
WriteSessionCookies(context, sessionTokens, builder.Configuration);
|
||||
|
||||
var response = new SessionLoginApiResponse(
|
||||
sessionTokens.SubjectId,
|
||||
sessionTokens.TenantId,
|
||||
sessionTokens.Provider,
|
||||
sessionTokens.ExpiresInSeconds);
|
||||
|
||||
return Results.Ok(response);
|
||||
});
|
||||
|
||||
// Compatibility alias kept for existing token-based callers.
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/token", async (
|
||||
IssueTokenApiRequest request,
|
||||
HttpContext context,
|
||||
@ -48,24 +144,117 @@ app.MapPost($"{EndpointConventions.ApiPrefix}/token", async (
|
||||
}
|
||||
catch (UnauthorizedAccessException)
|
||||
{
|
||||
return Results.Unauthorized();
|
||||
var correlationId = ResolveCorrelationId(context, normalizedRequest.CorrelationId);
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "unauthorized", "Unauthorized request.", correlationId);
|
||||
}
|
||||
});
|
||||
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/session/refresh", async (
|
||||
RefreshSessionApiRequest request,
|
||||
RefreshSessionApiRequest? request,
|
||||
HttpContext context,
|
||||
IRefreshSessionHandler handler) =>
|
||||
IThalosServiceClient serviceClient) =>
|
||||
{
|
||||
var normalizedRequest = request with { CorrelationId = ResolveCorrelationId(context, request.CorrelationId) };
|
||||
var response = await handler.HandleAsync(normalizedRequest);
|
||||
return Results.Ok(response);
|
||||
var correlationId = ResolveCorrelationId(context, request?.CorrelationId);
|
||||
var refreshToken = request?.RefreshToken;
|
||||
if (string.IsNullOrWhiteSpace(refreshToken))
|
||||
{
|
||||
context.Request.Cookies.TryGetValue(SessionRefreshCookieName, out refreshToken);
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(refreshToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_missing", "Session refresh token is required.", correlationId);
|
||||
}
|
||||
|
||||
var provider = request?.Provider ?? IdentityAuthProvider.InternalJwt;
|
||||
var refreshResponse = await serviceClient.RefreshSessionTokensAsync(
|
||||
new RefreshIdentitySessionRequest(refreshToken, correlationId, provider));
|
||||
|
||||
if (string.IsNullOrWhiteSpace(refreshResponse.AccessToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_refresh_failed", "Session refresh failed.", correlationId);
|
||||
}
|
||||
|
||||
WriteSessionCookies(context, refreshResponse, builder.Configuration);
|
||||
return Results.Ok(new SessionLoginApiResponse(
|
||||
refreshResponse.SubjectId,
|
||||
refreshResponse.TenantId,
|
||||
refreshResponse.Provider,
|
||||
refreshResponse.ExpiresInSeconds));
|
||||
});
|
||||
|
||||
// Compatibility alias kept for token-first refresh callers.
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/token/refresh", async (
|
||||
RefreshSessionApiRequest? request,
|
||||
HttpContext context,
|
||||
IThalosServiceClient serviceClient) =>
|
||||
{
|
||||
var correlationId = ResolveCorrelationId(context, request?.CorrelationId);
|
||||
var refreshToken = request?.RefreshToken;
|
||||
if (string.IsNullOrWhiteSpace(refreshToken))
|
||||
{
|
||||
context.Request.Cookies.TryGetValue(SessionRefreshCookieName, out refreshToken);
|
||||
}
|
||||
|
||||
if (string.IsNullOrWhiteSpace(refreshToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_missing", "Session refresh token is required.", correlationId);
|
||||
}
|
||||
|
||||
var provider = request?.Provider ?? IdentityAuthProvider.InternalJwt;
|
||||
var refreshResponse = await serviceClient.RefreshSessionTokensAsync(
|
||||
new RefreshIdentitySessionRequest(refreshToken, correlationId, provider));
|
||||
|
||||
if (string.IsNullOrWhiteSpace(refreshResponse.AccessToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_refresh_failed", "Session refresh failed.", correlationId);
|
||||
}
|
||||
|
||||
WriteSessionCookies(context, refreshResponse, builder.Configuration);
|
||||
return Results.Ok(new RefreshSessionApiResponse(refreshResponse.AccessToken, refreshResponse.ExpiresInSeconds));
|
||||
});
|
||||
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/session/logout", (HttpContext context) =>
|
||||
{
|
||||
DeleteSessionCookies(context, builder.Configuration);
|
||||
return Results.NoContent();
|
||||
});
|
||||
|
||||
// Compatibility alias for logout callers.
|
||||
app.MapPost($"{EndpointConventions.ApiPrefix}/logout", (HttpContext context) =>
|
||||
{
|
||||
DeleteSessionCookies(context, builder.Configuration);
|
||||
return Results.NoContent();
|
||||
});
|
||||
|
||||
app.MapGet($"{EndpointConventions.ApiPrefix}/session/me", (HttpContext context) =>
|
||||
{
|
||||
var correlationId = ResolveCorrelationId(context);
|
||||
|
||||
if (!context.Request.Cookies.TryGetValue(SessionAccessCookieName, out var accessToken) ||
|
||||
string.IsNullOrWhiteSpace(accessToken))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_missing", "No active session.", correlationId);
|
||||
}
|
||||
|
||||
if (!TryParseSessionProfile(accessToken, out var meResponse))
|
||||
{
|
||||
return ErrorResult(StatusCodes.Status401Unauthorized, "session_invalid", "Invalid session token.", correlationId);
|
||||
}
|
||||
|
||||
return Results.Ok(meResponse);
|
||||
});
|
||||
|
||||
app.MapHealthChecks("/healthz");
|
||||
app.MapHealthChecks("/health");
|
||||
|
||||
app.Run();
|
||||
|
||||
IResult ErrorResult(int statusCode, string code, string message, string correlationId)
|
||||
{
|
||||
return Results.Json(new ApiErrorResponse(code, message, correlationId), statusCode: statusCode);
|
||||
}
|
||||
|
||||
string ResolveCorrelationId(HttpContext context, string? preferred = null)
|
||||
{
|
||||
if (!string.IsNullOrWhiteSpace(preferred))
|
||||
@ -91,3 +280,79 @@ string ResolveCorrelationId(HttpContext context, string? preferred = null)
|
||||
|
||||
return context.TraceIdentifier;
|
||||
}
|
||||
|
||||
void WriteSessionCookies(HttpContext context, Thalos.Bff.Application.Sessions.SessionTokensResult tokens, IConfiguration configuration)
|
||||
{
|
||||
var secureCookie = configuration.GetValue("ThalosBff:SessionCookieSecure", false);
|
||||
var cookieOptions = CreateCookieOptions(secureCookie, tokens.ExpiresInSeconds);
|
||||
|
||||
context.Response.Cookies.Append(SessionAccessCookieName, tokens.AccessToken, cookieOptions);
|
||||
|
||||
var refreshCookieSeconds = Math.Max(tokens.ExpiresInSeconds, 8 * 60 * 60);
|
||||
context.Response.Cookies.Append(
|
||||
SessionRefreshCookieName,
|
||||
tokens.RefreshToken,
|
||||
CreateCookieOptions(secureCookie, refreshCookieSeconds));
|
||||
}
|
||||
|
||||
void DeleteSessionCookies(HttpContext context, IConfiguration configuration)
|
||||
{
|
||||
var secureCookie = configuration.GetValue("ThalosBff:SessionCookieSecure", false);
|
||||
var options = CreateCookieOptions(secureCookie, 0);
|
||||
context.Response.Cookies.Delete(SessionAccessCookieName, options);
|
||||
context.Response.Cookies.Delete(SessionRefreshCookieName, options);
|
||||
}
|
||||
|
||||
static CookieOptions CreateCookieOptions(bool secure, int expiresInSeconds)
|
||||
{
|
||||
return new CookieOptions
|
||||
{
|
||||
HttpOnly = true,
|
||||
Secure = secure,
|
||||
SameSite = SameSiteMode.Lax,
|
||||
Path = "/",
|
||||
MaxAge = TimeSpan.FromSeconds(Math.Max(0, expiresInSeconds))
|
||||
};
|
||||
}
|
||||
|
||||
static bool TryParseSessionProfile(string accessToken, out SessionMeApiResponse response)
|
||||
{
|
||||
response = new SessionMeApiResponse(false, string.Empty, string.Empty, IdentityAuthProvider.InternalJwt);
|
||||
|
||||
if (string.IsNullOrWhiteSpace(accessToken))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
var parts = accessToken.Split(':', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
|
||||
if (parts.Length < 3)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
IdentityAuthProvider provider;
|
||||
string subjectId;
|
||||
string tenantId;
|
||||
|
||||
if (parts[0].Equals("azure", StringComparison.OrdinalIgnoreCase) && parts.Length >= 4)
|
||||
{
|
||||
provider = IdentityAuthProvider.AzureAd;
|
||||
subjectId = parts[1];
|
||||
tenantId = parts[2];
|
||||
}
|
||||
else if (parts[0].Equals("google", StringComparison.OrdinalIgnoreCase) && parts.Length >= 4)
|
||||
{
|
||||
provider = IdentityAuthProvider.Google;
|
||||
subjectId = parts[1];
|
||||
tenantId = parts[2];
|
||||
}
|
||||
else
|
||||
{
|
||||
provider = IdentityAuthProvider.InternalJwt;
|
||||
subjectId = parts[0];
|
||||
tenantId = parts[1];
|
||||
}
|
||||
|
||||
response = new SessionMeApiResponse(true, subjectId, tenantId, provider);
|
||||
return true;
|
||||
}
|
||||
|
||||
69
src/Thalos.Bff.Rest/Protos/identity_runtime.proto
Normal file
69
src/Thalos.Bff.Rest/Protos/identity_runtime.proto
Normal file
@ -0,0 +1,69 @@
|
||||
syntax = "proto3";
|
||||
|
||||
option csharp_namespace = "Thalos.Service.Grpc";
|
||||
|
||||
package thalos.service.grpc;
|
||||
|
||||
service IdentityRuntime {
|
||||
rpc StartIdentitySession (StartIdentitySessionGrpcRequest) returns (StartIdentitySessionGrpcResponse);
|
||||
rpc RefreshIdentitySession (RefreshIdentitySessionGrpcRequest) returns (RefreshIdentitySessionGrpcResponse);
|
||||
rpc IssueIdentityToken (IssueIdentityTokenGrpcRequest) returns (IssueIdentityTokenGrpcResponse);
|
||||
rpc EvaluateIdentityPolicy (EvaluateIdentityPolicyGrpcRequest) returns (EvaluateIdentityPolicyGrpcResponse);
|
||||
}
|
||||
|
||||
message StartIdentitySessionGrpcRequest {
|
||||
string subject_id = 1;
|
||||
string tenant_id = 2;
|
||||
string provider = 3;
|
||||
string external_token = 4;
|
||||
string correlation_id = 5;
|
||||
}
|
||||
|
||||
message StartIdentitySessionGrpcResponse {
|
||||
string access_token = 1;
|
||||
string refresh_token = 2;
|
||||
int32 expires_in_seconds = 3;
|
||||
string subject_id = 4;
|
||||
string tenant_id = 5;
|
||||
string provider = 6;
|
||||
}
|
||||
|
||||
message RefreshIdentitySessionGrpcRequest {
|
||||
string refresh_token = 1;
|
||||
string correlation_id = 2;
|
||||
string provider = 3;
|
||||
}
|
||||
|
||||
message RefreshIdentitySessionGrpcResponse {
|
||||
string access_token = 1;
|
||||
string refresh_token = 2;
|
||||
int32 expires_in_seconds = 3;
|
||||
string subject_id = 4;
|
||||
string tenant_id = 5;
|
||||
string provider = 6;
|
||||
}
|
||||
|
||||
message IssueIdentityTokenGrpcRequest {
|
||||
string subject_id = 1;
|
||||
string tenant_id = 2;
|
||||
string provider = 3;
|
||||
string external_token = 4;
|
||||
}
|
||||
|
||||
message IssueIdentityTokenGrpcResponse {
|
||||
string token = 1;
|
||||
int32 expires_in_seconds = 2;
|
||||
}
|
||||
|
||||
message EvaluateIdentityPolicyGrpcRequest {
|
||||
string subject_id = 1;
|
||||
string tenant_id = 2;
|
||||
string permission_code = 3;
|
||||
string provider = 4;
|
||||
}
|
||||
|
||||
message EvaluateIdentityPolicyGrpcResponse {
|
||||
string subject_id = 1;
|
||||
string permission_code = 2;
|
||||
bool is_allowed = 3;
|
||||
}
|
||||
@ -15,11 +15,11 @@
|
||||
</PackageReference>
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<Protobuf Include="..\..\..\thalos-service\src\Thalos.Service.Grpc\Protos\identity_runtime.proto" GrpcServices="Client" Link="Protos\identity_runtime.proto" />
|
||||
<Protobuf Include="Protos\identity_runtime.proto" GrpcServices="Client" />
|
||||
</ItemGroup>
|
||||
<ItemGroup>
|
||||
<ProjectReference Include="..\Thalos.Bff.Application\Thalos.Bff.Application.csproj" />
|
||||
<ProjectReference Include="..\Thalos.Bff.Contracts\Thalos.Bff.Contracts.csproj" />
|
||||
<ProjectReference Include="..\..\..\blueprint-platform\src\Core.Blueprint.Common\Core.Blueprint.Common.csproj" />
|
||||
<PackageReference Include="Core.Blueprint.Common" Version="0.2.0" />
|
||||
</ItemGroup>
|
||||
</Project>
|
||||
|
||||
@ -1,4 +1,5 @@
|
||||
using Core.Blueprint.Common.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Conventions;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Bff.Contracts.Conventions;
|
||||
|
||||
@ -14,6 +15,18 @@ public class ContractShapeTests
|
||||
Assert.Equal("user-1", request.SubjectId);
|
||||
Assert.Equal("tenant-1", request.TenantId);
|
||||
Assert.Equal("corr-123", request.CorrelationId);
|
||||
Assert.Equal(IdentityAuthProvider.InternalJwt, request.Provider);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void SessionLoginApiRequest_WhenCreated_UsesProviderDefault()
|
||||
{
|
||||
var request = new SessionLoginApiRequest("user-2", "tenant-2", "corr-456");
|
||||
|
||||
Assert.Equal("user-2", request.SubjectId);
|
||||
Assert.Equal("tenant-2", request.TenantId);
|
||||
Assert.Equal("corr-456", request.CorrelationId);
|
||||
Assert.Equal(IdentityAuthProvider.InternalJwt, request.Provider);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
@ -24,6 +37,6 @@ public class ContractShapeTests
|
||||
Assert.Equal("Thalos.Bff.Contracts", contract.Descriptor.PackageId);
|
||||
Assert.Equal(PackageVersionPolicy.Minor, contract.Descriptor.VersionPolicy);
|
||||
Assert.Contains("Core.Blueprint.Common", contract.Descriptor.DependencyPackageIds);
|
||||
Assert.Contains("Thalos.Service.Identity.Abstractions", contract.Descriptor.DependencyPackageIds);
|
||||
Assert.Contains("BuildingBlock.Identity.Contracts", contract.Descriptor.DependencyPackageIds);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,9 +1,10 @@
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Bff.Application.Adapters;
|
||||
using Thalos.Bff.Application.Handlers;
|
||||
using Thalos.Bff.Application.Sessions;
|
||||
using Thalos.Bff.Application.Security;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.UnitTests;
|
||||
|
||||
@ -25,6 +26,17 @@ public class IssueTokenHandlerTests
|
||||
|
||||
private sealed class FakeThalosServiceClient : IThalosServiceClient
|
||||
{
|
||||
public Task<SessionTokensResult> StartSessionAsync(IssueIdentityTokenRequest request, string correlationId)
|
||||
{
|
||||
return Task.FromResult(new SessionTokensResult(
|
||||
"token-xyz",
|
||||
"refresh-xyz",
|
||||
1800,
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.Provider));
|
||||
}
|
||||
|
||||
public Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
|
||||
{
|
||||
return Task.FromResult(new IssueIdentityTokenResponse("token-xyz", 1800));
|
||||
@ -39,6 +51,17 @@ public class IssueTokenHandlerTests
|
||||
{
|
||||
return Task.FromResult(new RefreshIdentitySessionResponse("token-refreshed", 1800));
|
||||
}
|
||||
|
||||
public Task<SessionTokensResult> RefreshSessionTokensAsync(RefreshIdentitySessionRequest request)
|
||||
{
|
||||
return Task.FromResult(new SessionTokensResult(
|
||||
"token-refreshed",
|
||||
request.RefreshToken,
|
||||
1800,
|
||||
"user-1",
|
||||
"tenant-1",
|
||||
request.Provider));
|
||||
}
|
||||
}
|
||||
|
||||
private sealed class FakeIdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
|
||||
|
||||
@ -1,8 +1,9 @@
|
||||
using Thalos.Bff.Application.Adapters;
|
||||
using Thalos.Bff.Application.Contracts;
|
||||
using Thalos.Bff.Application.Handlers;
|
||||
using Thalos.Bff.Application.Sessions;
|
||||
using Thalos.Bff.Contracts.Api;
|
||||
using Thalos.Service.Identity.Abstractions.Contracts;
|
||||
using BuildingBlock.Identity.Contracts.Requests;
|
||||
using BuildingBlock.Identity.Contracts.Responses;
|
||||
|
||||
namespace Thalos.Bff.Application.UnitTests;
|
||||
|
||||
@ -21,6 +22,17 @@ public class RefreshSessionHandlerTests
|
||||
|
||||
private sealed class FakeThalosServiceClient : IThalosServiceClient
|
||||
{
|
||||
public Task<SessionTokensResult> StartSessionAsync(IssueIdentityTokenRequest request, string correlationId)
|
||||
{
|
||||
return Task.FromResult(new SessionTokensResult(
|
||||
"token-xyz",
|
||||
"refresh-xyz",
|
||||
1800,
|
||||
request.SubjectId,
|
||||
request.TenantId,
|
||||
request.Provider));
|
||||
}
|
||||
|
||||
public Task<IssueIdentityTokenResponse> IssueTokenAsync(IssueIdentityTokenRequest request)
|
||||
{
|
||||
return Task.FromResult(new IssueIdentityTokenResponse("token-xyz", 1800));
|
||||
@ -35,6 +47,17 @@ public class RefreshSessionHandlerTests
|
||||
{
|
||||
return Task.FromResult(new RefreshIdentitySessionResponse("token-refreshed", 1800));
|
||||
}
|
||||
|
||||
public Task<SessionTokensResult> RefreshSessionTokensAsync(RefreshIdentitySessionRequest request)
|
||||
{
|
||||
return Task.FromResult(new SessionTokensResult(
|
||||
"token-refreshed",
|
||||
request.RefreshToken,
|
||||
1800,
|
||||
"user-1",
|
||||
"tenant-1",
|
||||
request.Provider));
|
||||
}
|
||||
}
|
||||
|
||||
private sealed class FakeIdentityEdgeContractAdapter : IIdentityEdgeContractAdapter
|
||||
|
||||
Loading…
Reference in New Issue
Block a user