feat(auth): medewerker-realm AuthService + provider, roles surface, realm-roles mapper (refs #13)

The behandel-portal authenticates staff against the Keycloak `medewerker` realm. Add

MedewerkerAuthService (reads nested realm_access.roles), provideMedewerkerAuth, a roles/hasRole

surface on the shared AuthService, and a realm-roles protocol mapper so the frontend can read

the behandelaar/teamlead roles from the token. Per ADR-0013 the BFF remains the security boundary.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-16 09:05:45 +02:00
parent 1d12d693ce
commit a88584514c
5 changed files with 123 additions and 6 deletions

View File

@@ -16,7 +16,22 @@
"standardFlowEnabled": true,
"directAccessGrantsEnabled": true,
"redirectUris": ["*"],
"webOrigins": ["*"]
"webOrigins": ["*"],
"protocolMappers": [
{
"name": "realm roles",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-realm-role-mapper",
"config": {
"multivalued": "true",
"claim.name": "realm_access.roles",
"jsonType.label": "String",
"id.token.claim": "true",
"access.token.claim": "true",
"userinfo.token.claim": "true"
}
}
]
}
],
"users": [