import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core'; import { authInterceptor, LogLevel, provideAuth, withAppInitializerAuthCheck, } from 'angular-auth-oidc-client'; import { AuthService } from './auth.service'; import { DigiadAuthService } from './digid-auth.service'; export interface DigiadAuthOptions { /** The Keycloak `digid` realm issuer, as reachable from the browser. */ authority: string; /** Where Keycloak redirects back to after login (usually the app origin). */ redirectUrl: string; /** * Route prefixes whose requests get the bearer token attached. The api-client calls the BFF with * **relative** URLs (same-origin via the nginx proxy), so these must be relative path prefixes * (e.g. `/self-service/`) — angular-auth-oidc-client matches `req.url.startsWith(route)`, and a * relative `req.url` never starts with an absolute origin. */ secureRoutes: string[]; } /** * Configure DigiD login (Keycloak `digid` realm, public client `big-portal`, auth-code + PKCE) and * bind {@link AuthService} to the OIDC-backed implementation. Register {@link authInterceptor} in the * app's HttpClient so BFF calls carry the token. */ export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProviders { return makeEnvironmentProviders([ provideAuth( { config: { authority: options.authority, redirectUrl: options.redirectUrl, postLogoutRedirectUri: options.redirectUrl, clientId: 'big-portal', scope: 'openid profile', responseType: 'code', silentRenew: true, useRefreshToken: true, secureRoutes: options.secureRoutes, logLevel: LogLevel.Warn, }, }, // Run checkAuth() at startup so the DigiD callback (?code=…) is processed before the router // and guard run — without it the guard sees "not authenticated" and re-triggers login (loop). withAppInitializerAuthCheck(), ), { provide: AuthService, useClass: DigiadAuthService }, ]); } export { authInterceptor };