From 8a5b25936d9d5176f151a2217117c889779ac8b5 Mon Sep 17 00:00:00 2001
From: Ho Ngoc Hai
Date: Sat, 11 Apr 2026 22:22:37 +0700
Subject: [PATCH] fix(auth): add bff-client to IdentityServer + fix pos-web auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Login was failing because:
1. IdentityServer Config.cs had no 'bff-client' client definition (pos-web uses bff-client for BFF authentication pattern)
2. pos-web had no IdentityServer__ClientSecret env var configured
3. Network policy blocked pos-web → iam-service egress
Fixes:
- Add bff-client to Config.Clients (ResourceOwnerPassword grant, 8h access token, 7d refresh token for POS sessions)
- Add IdentityServer client credentials to pos-web.yaml from secrets
- Add pos-web to allow-inter-service-egress network policy
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../staging/kubernetes/network-policy.yaml | 1 +
 deployments/staging/kubernetes/pos-web.yaml | 12 +++++++
 .../IdentityServer/Config.cs | 32 +++++++++++++++++--
 3 files changed, 42 insertions(+), 3 deletions(-)
diff --git a/deployments/staging/kubernetes/network-policy.yaml b/deployments/staging/kubernetes/network-policy.yaml
index c46b0f81..96bfe7ae 100644
--- a/deployments/staging/kubernetes/network-policy.yaml
+++ b/deployments/staging/kubernetes/network-policy.yaml
@@ -349,6 +349,7 @@ spec:
 - mkt-whatsapp-service
 - mkt-x-service
 - mkt-zalo-service 
+ - pos-web
 policyTypes:
 - Egress
 egress:
diff --git a/deployments/staging/kubernetes/pos-web.yaml b/deployments/staging/kubernetes/pos-web.yaml
index 9fe4285b..3de66ffc 100644
--- a/deployments/staging/kubernetes/pos-web.yaml
+++ b/deployments/staging/kubernetes/pos-web.yaml
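Review bot: Adding `- pos-web` to the allow-inter-service-egress pod selector grants the web frontend whatever egress that policy's rules permit (the `egress:` block begins at the last line of the hunk and its rules are outside it), which is broader than the one path the commit message says was blocked, pos-web → iam-service. A dedicated NetworkPolicy selecting pos-web with a single egress rule to iam-service on port 8080 would keep the browser-facing tier from reaching every backend; if pos-web also needs the YARP cluster destinations configured in pos-web.yaml, list those explicitly rather than inheriting the whole service set. Either way a short comment above `- pos-web`, e.g. `# pos-web needs iam-service (auth) and the YARP cluster targets`, would tell the next reader why a frontend sits in the inter-service list.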
@@ -45,6 +45,18 @@ spec:
 # VI: IAM Service cho xac thuc
 - name: IamService__BaseUrl
 value: "http://iam-service:8080" 
+ # EN: BFF IdentityServer client credentials
+ # VI: Thong tin xac thuc BFF IdentityServer client
+ - name: IdentityServer__ClientId
+ valueFrom:
+ secretKeyRef:
+ name: goodgo-secrets
+ key: IdentityServer__ClientId
+ - name: IdentityServer__ClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: goodgo-secrets
+ key: IdentityServer__ClientSecret
 # EN: YARP Reverse Proxy cluster addresses (K8s internal DNS)
 # VI: Dia chi cluster YARP Reverse Proxy (K8s internal DNS)
 - name: ReverseProxy__Clusters__iam-cluster__Destinations__destination1__Address
diff --git a/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs b/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs
index 3362c738..8883e03e 100644
--- a/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs
+++ b/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs
@@ -185,9 +185,9 @@ public static class Config
 ClientId = "swagger-ui",
 ClientName = "Swagger UI",
 ClientSecrets = { new Secret("swagger-ui-secret".Sha256()) }, 
- 
+
 AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, 
- 
+
 AllowedScopes =
 {
 IdentityServerConstants.StandardScopes.OpenId,
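Review bot: `IdentityServer__ClientSecret` is injected from the `goodgo-secrets` Secret here, but the matching `bff-client` definition in the Config.cs hunk of this same patch registers a literal `"bff-client-secret".Sha256()`, so the Secret's value must equal a string that is committed to the repository and the indirection through Kubernetes Secrets adds no confidentiality. The fix belongs on the server side: have the client secret in Config.cs come from configuration rather than a source literal (the pos-web side of the wiring is then already correct), and until that happens add a comment on the `key: IdentityServer__ClientSecret` line such as `# must match the bff-client secret registered in iam-service Config.cs`. `IdentityServer__ClientId` is not sensitive; a plain `value: "bff-client"` would make the client wiring visible in the manifest and leave only the secret in the Secret. Whether Config.Clients is served in-memory or seeded to a store is outside the hunk.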
@@ -197,11 +197,37 @@ public static class Config
 "roles",
 "api"
 }, 
- 
+
 AllowOfflineAccess = true,
 AccessTokenLifetime = 3600, // 1 hour for testing convenience
 RefreshTokenExpiration = TokenExpiration.Sliding,
 SlidingRefreshTokenLifetime = 86400 // 1 day 
+ }, 
+ 
+ // EN: BFF (Backend-For-Frontend) Client - POS Web Application
+ // VI: BFF Client - Ứng dụng POS Web (Blazor WASM)
+ new Client
+ {
+ ClientId = "bff-client",
+ ClientName = "POS Web BFF Client",
+ ClientSecrets = { new Secret("bff-client-secret".Sha256()) }, 
+ 
+ AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, 
+ 
+ AllowedScopes =
+ {
+ IdentityServerConstants.StandardScopes.OpenId,
+ IdentityServerConstants.StandardScopes.Profile,
+ IdentityServerConstants.StandardScopes.Email,
+ IdentityServerConstants.StandardScopes.OfflineAccess,
+ "roles",
+ "api" 
+ }, 
+ 
+ AllowOfflineAccess = true,
+ AccessTokenLifetime = 28800, // 8 hours — long-lived for POS sessions
+ RefreshTokenExpiration = TokenExpiration.Sliding,
+ SlidingRefreshTokenLifetime = 604800 // 7 days
 }
 ];
 }
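Review bot: The 8-hour `AccessTokenLifetime = 28800` on the new bff-client means a disabled or compromised POS user keeps a valid bearer token for up to eight hours, because a self-contained access token cannot be revoked once issued (unless `AccessTokenType` is set to reference tokens somewhere outside this hunk); the sliding 7-day refresh token already carries the long POS session, so the access token itself can be short. Prefer `AccessTokenLifetime = 900, // 15 min; session longevity comes from the sliding refresh token` and, if immediate revocation on account disable matters for cashiers, `AccessTokenType = AccessTokenType.Reference` so each API call is checked against the server. Separately, `GrantTypes.ResourceOwnerPassword` means the BFF receives and forwards end-user passwords; if the POS login flow allows it, authorization code with PKCE through the BFF is the conventional choice, and a comment on the grant line explaining why ROPC was kept would help reviewers. The scope list is a verbatim copy of the swagger-ui client's above it; a shared `private static readonly string[]` for the common scopes would keep the two from drifting.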