ADR proposal · BFF OIDC validation + downstream boundaries #63
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Context
S-07 (#8) adds the BFF — the single backend the portals talk to (CLAUDE.md §8.3). It exposes
POST /self-service/registrationsandGET /openbaar/register?q=...for the walking skeleton, validates Keycloak-issued tokens, and fans out to the Domain Service (#6) and projection-api (#7). This is ADR-worthy (§14): a new dependency (JWT bearer auth), and new service boundaries (BFF→domain, BFF→projection).Decisions to record
POST /self-service/registrationsrequires a valid Keycloakdigid-realm JWT; the BFF extracts thebsnclaim and forwards it to the domain. Missing/invalid/expired token → 401.GET /openbaar/registeris anonymous (the openbaar register is a public lookup, S-09).Microsoft.AspNetCore.Authentication.JwtBeareragainst the Keycloakdigidrealm authority. Unit/BDD tests override the bearer options with a test signing key so valid/invalid/expired tokens can be minted without a live Keycloak; real Keycloak validation is a live-stackverify-bffcheck.services/bff/openapi.json) via .NET's built-in OpenAPI, so S-08's Angular client is generated from it (never hand-written, §10).Known wrinkle
Keycloak issues tokens whose
issis its browser-facing URL, which differs from the BFF's in-container authority — the classic container OIDC issuer mismatch. Unit tests sidestep it (test key);verify-bffhandles it explicitly (issuer/authority alignment). Recorded so it isn't rediscovered.ADR file
docs/architecture/adr-0010-bff-oidc.mdlands in the PR that implements #8.