All checks were successful
CI / lint (pull_request) Successful in 1m12s
CI / build (pull_request) Successful in 51s
CI / unit (pull_request) Successful in 1m3s
CI / frontend (pull_request) Successful in 1m48s
CI / mutation (pull_request) Successful in 3m57s
CI / verify-stack (pull_request) Successful in 7m59s
After login the submit silently did nothing: the confirmation ("...is
ontvangen...") never rendered because the POST to the BFF went out with no
Authorization header, so the BFF rejected it and the no-error-handler
subscribe left the page unchanged.
Root cause: angular-auth-oidc-client's interceptor attaches the token when
`req.url.startsWith(secureRoute)`. The api-client calls the BFF with RELATIVE
URLs (same-origin via the nginx proxy), so `req.url` is `/self-service/...` —
but secureRoutes was configured as the app ORIGIN (`http://self-service`),
which a relative URL never starts with. No match → no token.
Configure secureRoutes with the relative `/self-service/` prefix instead. The
unit test mocked the api-client, so only the walking-skeleton e2e exercises the
real token attachment — now green.
Verified against a focused stack (keycloak + self-service + real BFF + stub
domain): the submit now carries the bearer token, the BFF forwards to the
domain, and the portal shows the confirmation with the returned reference.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
56 lines
2.1 KiB
TypeScript
56 lines
2.1 KiB
TypeScript
import { EnvironmentProviders, makeEnvironmentProviders } from '@angular/core';
|
|
import {
|
|
authInterceptor,
|
|
LogLevel,
|
|
provideAuth,
|
|
withAppInitializerAuthCheck,
|
|
} from 'angular-auth-oidc-client';
|
|
import { AuthService } from './auth.service';
|
|
import { DigiadAuthService } from './digid-auth.service';
|
|
|
|
export interface DigiadAuthOptions {
|
|
/** The Keycloak `digid` realm issuer, as reachable from the browser. */
|
|
authority: string;
|
|
/** Where Keycloak redirects back to after login (usually the app origin). */
|
|
redirectUrl: string;
|
|
/**
|
|
* Route prefixes whose requests get the bearer token attached. The api-client calls the BFF with
|
|
* **relative** URLs (same-origin via the nginx proxy), so these must be relative path prefixes
|
|
* (e.g. `/self-service/`) — angular-auth-oidc-client matches `req.url.startsWith(route)`, and a
|
|
* relative `req.url` never starts with an absolute origin.
|
|
*/
|
|
secureRoutes: string[];
|
|
}
|
|
|
|
/**
|
|
* Configure DigiD login (Keycloak `digid` realm, public client `big-portal`, auth-code + PKCE) and
|
|
* bind {@link AuthService} to the OIDC-backed implementation. Register {@link authInterceptor} in the
|
|
* app's HttpClient so BFF calls carry the token.
|
|
*/
|
|
export function provideDigiadAuth(options: DigiadAuthOptions): EnvironmentProviders {
|
|
return makeEnvironmentProviders([
|
|
provideAuth(
|
|
{
|
|
config: {
|
|
authority: options.authority,
|
|
redirectUrl: options.redirectUrl,
|
|
postLogoutRedirectUri: options.redirectUrl,
|
|
clientId: 'big-portal',
|
|
scope: 'openid profile',
|
|
responseType: 'code',
|
|
silentRenew: true,
|
|
useRefreshToken: true,
|
|
secureRoutes: options.secureRoutes,
|
|
logLevel: LogLevel.Warn,
|
|
},
|
|
},
|
|
// Run checkAuth() at startup so the DigiD callback (?code=…) is processed before the router
|
|
// and guard run — without it the guard sees "not authenticated" and re-triggers login (loop).
|
|
withAppInitializerAuthCheck(),
|
|
),
|
|
{ provide: AuthService, useClass: DigiadAuthService },
|
|
]);
|
|
}
|
|
|
|
export { authInterceptor };
|