AgileWebs/thalos-bff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
development
thalos-bff/docs/architecture/bff-identity-boundary.md
José René White Enciso 730abb95ec feat(thalos-bff): add google oidc start and callback flow
2026-03-11 10:13:21 -06:00

726 B
Raw Permalink Blame History

Thalos BFF Identity Boundary

Purpose

Keep thalos-bff as an edge adapter layer that consumes thalos-service and adopted identity capability contracts.

BFF Responsibilities

  • Edge contract handling
  • Service client adaptation
  • Correlation/tracing propagation
  • Single active edge protocol policy enforcement (rest)
  • Provider metadata propagation (InternalJwt, AzureAd, Google)
  • OIDC edge flow orchestration (Google start/callback with PKCE/state/nonce)
  • Session-cookie issuance policy (secure/domain settings for cross-subdomain web auth)

Prohibited

  • Direct DAL access
  • Identity policy decision ownership
  • Identity persistence concerns
  • Provider secret-manager coupling inside domain/service logic