thalos-bff/docs/runbooks/containerization.md
2026-03-31 16:02:08 -06:00

Containerization Runbook

Image Build

If the repo consumes internal packages from Gitea, pass feed credentials as build args.

docker build \
  --build-arg NUGET_FEED_USERNAME=<gitea-login> \
  --build-arg NUGET_FEED_TOKEN=<gitea-token> \
  -t agilewebs/thalos-bff:dev .

Local Run

docker run --rm -p 8080:8080 \
  -e ThalosService__GrpcAddress=http://thalos-service:8081 \
  -e ThalosBff__Oidc__Google__ClientId=<google-client-id> \
  -e ThalosBff__Oidc__Google__ClientSecret=<google-client-secret> \
  -e ThalosBff__Oidc__Google__RedirectUri=https://auth.dream-views.com/api/identity/oidc/google/callback \
  -e ThalosBff__Oidc__StateSigningSecret=<state-signing-secret> \
  -e ThalosBff__SessionCookieSecure=true \
  -e ThalosBff__SessionCookieDomain=.dream-views.com \
  --name thalos-bff agilewebs/thalos-bff:dev

Health Probe

  • Path: /health
  • Fallback path: /healthz
  • Port: 8080

Runtime Notes

  • Requires ThalosService__GrpcAddress to target thalos-service in distributed runs.
  • gRPC client contract protobuf is vendored at src/Thalos.Bff.Rest/Protos/identity_runtime.proto to keep image builds repo-local.
  • OIDC callback requires ThalosBff__Oidc__Google__ClientId, ClientSecret, RedirectUri, and StateSigningSecret.
  • For cross-subdomain SPA auth, set ThalosBff__SessionCookieDomain=.dream-views.com and secure cookies in non-local environments.
  • Callback failures should land back on the central auth host (or another allowlisted return host) with authError and correlationId query values for UX recovery and support diagnostics.
  • The OIDC state cookie is transient and should be cleared after any callback attempt, successful or failed.
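A pre-flight script for the Local Run above, added here as an example and not part of the repo's own runbook: it checks that every variable the Runtime Notes require is set, that the callback URI is https and the cross-subdomain cookie is Secure, and then probes /health with /healthz as the documented fallback. It assumes curl is installed and that the base URL passed to probe_bff is the published port of the running container.

```shell
#!/bin/sh
# Added example: pre-flight for running agilewebs/thalos-bff. Not project code.

# Return 0 when every required variable is set and the cookie/redirect settings
# are consistent; print each problem to stderr and return 1 otherwise.
check_bff_env() {
  fail=0
  for v in ThalosService__GrpcAddress \
           ThalosBff__Oidc__Google__ClientId \
           ThalosBff__Oidc__Google__ClientSecret \
           ThalosBff__Oidc__Google__RedirectUri \
           ThalosBff__Oidc__StateSigningSecret; do
    eval "val=\${$v:-}"            # names are fixed above, so eval is safe here
    if [ -z "$val" ]; then
      echo "missing: $v" >&2
      fail=1
    fi
  done
  # The documented callback is https; a plain-http redirect URI would carry the
  # authorization code in clear text.
  case "${ThalosBff__Oidc__Google__RedirectUri:-}" in
    https://*) ;;
    *) echo "ThalosBff__Oidc__Google__RedirectUri must use https" >&2; fail=1 ;;
  esac
  # A cookie scoped to .dream-views.com without Secure would be sent over plain
  # http to every sibling host; the notes require Secure outside local runs.
  if [ -n "${ThalosBff__SessionCookieDomain:-}" ] && \
     [ "${ThalosBff__SessionCookieSecure:-}" != "true" ]; then
    echo "ThalosBff__SessionCookieDomain set without ThalosBff__SessionCookieSecure=true" >&2
    fail=1
  fi
  return $fail
}

# Probe the container: /health first, /healthz as fallback.
# Usage: probe_bff http://localhost:8080
probe_bff() {
  base=$1
  for p in /health /healthz; do
    if curl -fsS --max-time 5 "$base$p" >/dev/null 2>&1; then
      echo "healthy via $p"
      return 0
    fi
  done
  echo "no health endpoint answered on $base" >&2
  return 1
}
```

Run check_bff_env in the same shell that will launch the container so the exported variables are the ones docker run receives.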