feat(auth): medewerker-realm AuthService + provider, roles surface, realm-roles mapper (refs #13)
The behandel-portal authenticates staff against the Keycloak `medewerker` realm. Add MedewerkerAuthService (reads nested realm_access.roles), provideMedewerkerAuth, a roles/hasRole surface on the shared AuthService, and a realm-roles protocol mapper so the frontend can read the behandelaar/teamlead roles from the token. Per ADR-0013 the BFF remains the security boundary. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -16,7 +16,22 @@
|
||||
"standardFlowEnabled": true,
|
||||
"directAccessGrantsEnabled": true,
|
||||
"redirectUris": ["*"],
|
||||
"webOrigins": ["*"]
|
||||
"webOrigins": ["*"],
|
||||
"protocolMappers": [
|
||||
{
|
||||
"name": "realm roles",
|
||||
"protocol": "openid-connect",
|
||||
"protocolMapper": "oidc-usermodel-realm-role-mapper",
|
||||
"config": {
|
||||
"multivalued": "true",
|
||||
"claim.name": "realm_access.roles",
|
||||
"jsonType.label": "String",
|
||||
"id.token.claim": "true",
|
||||
"access.token.claim": "true",
|
||||
"userinfo.token.claim": "true"
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"users": [
|
||||
|
||||
Reference in New Issue
Block a user