Adds a second JWT bearer scheme for the medewerker realm; on validation it lifts Keycloak's realm_access.roles onto the principal so the behandelaar policy can require the role. /behandel/werkbak proxies the domain werkbak behind that policy (401 without a token, 403 without the role). openapi.json + api-client regenerated; Keycloak__MedewerkerAuthority wired into compose. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
18 lines
423 B
JSON
18 lines
423 B
JSON
{
|
|
"Logging": {
|
|
"LogLevel": {
|
|
"Default": "Information",
|
|
"Microsoft.AspNetCore": "Warning"
|
|
}
|
|
},
|
|
"AllowedHosts": "*",
|
|
"Keycloak": {
|
|
"Authority": "http://localhost:8180/realms/digid",
|
|
"MedewerkerAuthority": "http://localhost:8180/realms/medewerker"
|
|
},
|
|
"Downstream": {
|
|
"Domain": { "BaseUrl": "http://localhost:8130/" },
|
|
"Projection": { "BaseUrl": "http://localhost:8120/" }
|
|
}
|
|
}
|