56510de55e
Why: standardize session login/refresh/logout/me behavior for web clients behind thalos security boundaries. What: add canonical routes, cookie policy handling, grpc session calls, compatibility aliases, standardized auth errors, updated contracts, tests, and docs. Rule: keep BFF as edge adapter over service contracts and preserve identity ownership in thalos.
1022 B
1022 B
Identity Edge API
Active External Protocol
- REST is the active external protocol for this BFF deployment.
- Internal service calls default to gRPC-adapted contracts.
Entrypoints
- Canonical session endpoints:
POST /api/identity/session/loginPOST /api/identity/session/refreshPOST /api/identity/session/logoutGET /api/identity/session/me
- Compatibility endpoint:
POST /api/identity/tokenPOST /api/identity/loginPOST /api/identity/token/refreshPOST /api/identity/logout
Boundary Notes
- Endpoint handlers perform edge validation and permission checks.
- Session login and refresh call canonical thalos-service session gRPC operations.
- Session cookies are managed at the BFF edge (
thalos_session,thalos_refresh) with env-driven secure flag. - Token issuance and policy evaluation contracts remain available for compatibility calls.
- Business orchestration remains in thalos-service.
- Identity abstractions remain owned by Thalos repositories.