# Thalos BFF Identity Boundary

## Purpose

Keep thalos-bff as an edge adapter layer that consumes thalos-service and the adopted identity capability contracts.

## BFF Responsibilities

- Edge contract handling
- Service client adaptation
- Correlation/tracing propagation
- Enforcement of the single active edge protocol policy (`rest`)
- Provider metadata propagation (`InternalJwt`, `AzureAd`, `Google`)
- OIDC edge flow orchestration (Google start/callback with PKCE/state/nonce)
- Session-cookie issuance policy (secure/domain settings for cross-subdomain web auth)
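
The Google start/callback orchestration and the session-cookie policy listed above, as an added example that is not thalos-bff's own code: it derives the PKCE verifier/challenge, state and nonce for the start step, binds the callback to the stored values, and emits the cookie attributes for a cross-subdomain session. The Google endpoint, client id, redirect URI and cookie domain are assumed placeholders; the code exchange and ID-token validation are assumed to be delegated to the service client and are not shown.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Assumed Google authorization endpoint (placeholder for the example).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(verifier: Optional[str] = None) -> tuple:
    """Return (code_verifier, S256 code_challenge); a fresh verifier is generated if none is given."""
    verifier = verifier or _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


@dataclass
class PendingLogin:
    """Per-login secrets the BFF keeps server-side between start and callback."""
    state: str
    nonce: str
    code_verifier: str


def start_login(client_id: str, redirect_uri: str) -> tuple:
    """Build the Google authorization URL and the pending-login record to store."""
    verifier, challenge = pkce_pair()
    pending = PendingLogin(secrets.token_urlsafe(24), secrets.token_urlsafe(24), verifier)
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid email", "state": pending.state, "nonce": pending.nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", pending


def check_callback(pending: PendingLogin, returned_state: str, id_token_claims: dict) -> bool:
    """Edge binding checks only: state ties the callback to this browser, nonce ties the ID token to it.
    Claims are assumed to come back already validated from the service client (not shown)."""
    return (secrets.compare_digest(pending.state, returned_state)
            and secrets.compare_digest(pending.nonce, str(id_token_claims.get("nonce", ""))))


def session_cookie(name: str, value: str, cookie_domain: str, max_age: int = 3600) -> str:
    """Set-Cookie value for a cross-subdomain web session; attribute policy lives in the BFF."""
    return (f"{name}={value}; Domain={cookie_domain}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Lax")
```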

## Prohibited

- Direct DAL access
- Identity policy decision ownership
- Identity persistence concerns
- Provider secret-manager coupling inside domain/service logic