import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core'; import { LogLevel, provideAuth, withAppInitializerAuthCheck } from 'angular-auth-oidc-client'; import { AuthService } from './auth.service'; import { MedewerkerAuthService } from './medewerker-auth.service'; export interface MedewerkerAuthOptions { /** The Keycloak `medewerker` realm issuer, as reachable from the browser. */ authority: string; /** Where Keycloak redirects back to after login (usually the app origin). */ redirectUrl: string; /** * Route prefixes whose requests get the bearer token attached. The api-client calls the BFF with * **relative** URLs (same-origin via the nginx proxy), so these must be relative path prefixes * (e.g. `/behandel/`) — angular-auth-oidc-client matches `req.url.startsWith(route)`, and a * relative `req.url` never starts with an absolute origin. */ secureRoutes: string[]; } /** * Configure medewerker login (Keycloak `medewerker` realm, public client `big-portal`, auth-code + * PKCE) and bind {@link AuthService} to the medewerker-backed implementation. Register * {@link authInterceptor} (re-exported from digid-auth.providers) in the app's HttpClient so BFF * calls carry the token. */ export function provideMedewerkerAuth(options: MedewerkerAuthOptions): EnvironmentProviders { return makeEnvironmentProviders([ provideAuth( { config: { authority: options.authority, redirectUrl: options.redirectUrl, postLogoutRedirectUri: options.redirectUrl, clientId: 'big-portal', scope: 'openid profile', responseType: 'code', silentRenew: true, useRefreshToken: true, secureRoutes: options.secureRoutes, logLevel: LogLevel.Warn, }, }, // Run checkAuth() at startup so the login callback (?code=…) is processed before the router // and guard run — without it the guard sees "not authenticated" and re-triggers login (loop). withAppInitializerAuthCheck(), ), { provide: AuthService, useClass: MedewerkerAuthService }, ]); }