AgileWebs/thalos-bff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
93a841d3be
thalos-bff/docs/api/identity-edge-api.md
José René White Enciso 93a841d3be fix(thalos-bff): harden oidc callback redirects
2026-03-31 16:02:08 -06:00

1.5 KiB
Raw Blame History

Identity Edge API

Active External Protocol

  • REST is the active external protocol for this BFF deployment.
  • Internal service calls default to gRPC-adapted contracts.

Entrypoints

  • Canonical session endpoints:
    • POST /api/identity/session/login
    • POST /api/identity/session/refresh
    • POST /api/identity/session/logout
    • GET /api/identity/session/me
  • Canonical OIDC endpoints:
    • GET /api/identity/oidc/google/start
    • GET /api/identity/oidc/google/callback
  • Compatibility endpoint:
    • POST /api/identity/token
    • POST /api/identity/login
    • POST /api/identity/token/refresh
    • POST /api/identity/logout

Boundary Notes

  • Endpoint handlers perform edge validation and permission checks.
  • Session login and refresh call canonical thalos-service session gRPC operations.
  • OIDC start/callback handlers generate and validate PKCE/state/nonce payloads.
  • Session cookies are managed at the BFF edge (thalos_session, thalos_refresh) with env-driven secure/domain policy.
  • Callback failures are redirected back to the central auth UX with stable authError and correlationId query values instead of returning a raw provider-facing JSON payload.
  • The temporary OIDC state cookie is cleared on both callback success and callback failure paths.
  • Token issuance and policy evaluation contracts remain available for compatibility calls.
  • Business orchestration remains in thalos-service.
  • Identity abstractions remain owned by Thalos repositories.