feat(bff): medewerker-realm auth + behandelaar policy + GET /behandel/werkbak (refs #13)
Adds a second JWT bearer scheme for the medewerker realm; on validation it lifts Keycloak's realm_access.roles onto the principal so the behandelaar policy can require the role. /behandel/werkbak proxies the domain werkbak behind that policy (401 without a token, 403 without the role). openapi.json + api-client regenerated; Keycloak__MedewerkerAuthority wired into compose. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -7,7 +7,8 @@
|
||||
},
|
||||
"AllowedHosts": "*",
|
||||
"Keycloak": {
|
||||
"Authority": "http://localhost:8180/realms/digid"
|
||||
"Authority": "http://localhost:8180/realms/digid",
|
||||
"MedewerkerAuthority": "http://localhost:8180/realms/medewerker"
|
||||
},
|
||||
"Downstream": {
|
||||
"Domain": { "BaseUrl": "http://localhost:8130/" },
|
||||
|
||||
Reference in New Issue
Block a user