Why: standardize session login/refresh/logout/me behavior for web clients behind thalos security boundaries. What: add canonical routes, cookie policy handling, grpc session calls, compatibility aliases, standardized auth errors, updated contracts, tests, and docs. Rule: keep BFF as edge adapter over service contracts and preserve identity ownership in thalos.
29 lines
1022 B
Markdown
# Identity Edge API

## Active External Protocol

- REST is the active external protocol for this BFF deployment.
- Internal service calls default to gRPC-adapted contracts.

## Entrypoints

- Canonical session endpoints:
  - `POST /api/identity/session/login`
  - `POST /api/identity/session/refresh`
  - `POST /api/identity/session/logout`
  - `GET /api/identity/session/me`
- Compatibility endpoints:
  - `POST /api/identity/token`
  - `POST /api/identity/login`
  - `POST /api/identity/token/refresh`
  - `POST /api/identity/logout`

## Boundary Notes

- Endpoint handlers perform edge validation and permission checks.
- Session login and refresh call the canonical thalos-service session gRPC operations.
- Session cookies are managed at the BFF edge (`thalos_session`, `thalos_refresh`); their `Secure` flag is driven by environment configuration.
- Token issuance and policy evaluation contracts remain available for compatibility calls.
- Business orchestration remains in thalos-service.
- Identity abstractions remain owned by Thalos repositories.
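The edge cookie policy described above, as an added example that is not the project's own code: it builds the `Set-Cookie` values for the `thalos_session` and `thalos_refresh` cookies with an env-driven `Secure` flag and refuses a non-secure policy in production. The variable names `THALOS_COOKIE_SECURE`, `THALOS_ENV`, `THALOS_COOKIE_SAMESITE` and `THALOS_COOKIE_DOMAIN`, the TTLs, and the path scoping of the refresh cookie to the canonical refresh endpoint are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional

SESSION_COOKIE = "thalos_session"
REFRESH_COOKIE = "thalos_refresh"
# Assumed: the refresh cookie is only ever sent to the refresh endpoint.
REFRESH_PATH = "/api/identity/session/refresh"


@dataclass(frozen=True)
class CookiePolicy:
    secure: bool
    same_site: str = "Strict"
    domain: Optional[str] = None

    @classmethod
    def from_env(cls, env: Optional[Mapping[str, str]] = None) -> "CookiePolicy":
        # Hypothetical variable names; the page only says the flag is env-driven.
        env = os.environ if env is None else env
        secure = env.get("THALOS_COOKIE_SECURE", "true").lower() == "true"
        if not secure and env.get("THALOS_ENV", "dev") == "prod":
            # Guard: a plaintext-capable session cookie must never ship to prod.
            raise ValueError("THALOS_COOKIE_SECURE=false is not allowed when THALOS_ENV=prod")
        return cls(secure=secure,
                   same_site=env.get("THALOS_COOKIE_SAMESITE", "Strict"),
                   domain=env.get("THALOS_COOKIE_DOMAIN") or None)


def _set_cookie(name: str, value: str, policy: CookiePolicy, path: str, max_age: int) -> str:
    # HttpOnly is unconditional: the tokens are never exposed to page scripts.
    parts = [f"{name}={value}", f"Path={path}", f"Max-Age={max_age}", "HttpOnly",
             f"SameSite={policy.same_site}"]
    if policy.secure:
        parts.append("Secure")
    if policy.domain:
        parts.append(f"Domain={policy.domain}")
    return "; ".join(parts)


def login_cookies(session_token: str, refresh_token: str, policy: CookiePolicy,
                  session_ttl: int = 900, refresh_ttl: int = 30 * 24 * 3600) -> list:
    # Set-Cookie headers emitted by the login/refresh handlers (assumed TTLs).
    return [_set_cookie(SESSION_COOKIE, session_token, policy, "/", session_ttl),
            _set_cookie(REFRESH_COOKIE, refresh_token, policy, REFRESH_PATH, refresh_ttl)]


def logout_cookies(policy: CookiePolicy) -> list:
    # Logout clears both cookies with the same attributes so browsers match them.
    return [_set_cookie(SESSION_COOKIE, "", policy, "/", 0),
            _set_cookie(REFRESH_COOKIE, "", policy, REFRESH_PATH, 0)]
```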