The behandel-portal authenticates staff against the Keycloak `medewerker` realm. Add MedewerkerAuthService (reads nested realm_access.roles), provideMedewerkerAuth, a roles/hasRole surface on the shared AuthService, and a realm-roles protocol mapper so the frontend can read the behandelaar/teamlead roles from the token. Per ADR-0013 the BFF remains the security boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
60 lines
1.6 KiB
JSON
60 lines
1.6 KiB
JSON
{
|
|
"realm": "medewerker",
|
|
"enabled": true,
|
|
"displayName": "Medewerkers",
|
|
"roles": {
|
|
"realm": [
|
|
{ "name": "behandelaar", "description": "Behandelt registratieaanvragen" },
|
|
{ "name": "teamlead", "description": "Teamleider behandeling" }
|
|
]
|
|
},
|
|
"clients": [
|
|
{
|
|
"clientId": "big-portal",
|
|
"enabled": true,
|
|
"publicClient": true,
|
|
"standardFlowEnabled": true,
|
|
"directAccessGrantsEnabled": true,
|
|
"redirectUris": ["*"],
|
|
"webOrigins": ["*"],
|
|
"protocolMappers": [
|
|
{
|
|
"name": "realm roles",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-realm-role-mapper",
|
|
"config": {
|
|
"multivalued": "true",
|
|
"claim.name": "realm_access.roles",
|
|
"jsonType.label": "String",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"userinfo.token.claim": "true"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"users": [
|
|
{
|
|
"username": "merel-behandelaar",
|
|
"enabled": true,
|
|
"firstName": "Merel",
|
|
"lastName": "Behandelaar",
|
|
"email": "merel@big.example.nl",
|
|
"emailVerified": true,
|
|
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
|
"realmRoles": ["behandelaar"]
|
|
},
|
|
{
|
|
"username": "tom-teamlead",
|
|
"enabled": true,
|
|
"firstName": "Tom",
|
|
"lastName": "Teamlead",
|
|
"email": "tom@big.example.nl",
|
|
"emailVerified": true,
|
|
"credentials": [{ "type": "password", "value": "test123", "temporary": false }],
|
|
"realmRoles": ["behandelaar", "teamlead"]
|
|
}
|
|
]
|
|
}
|