fix(auth): add bff-client to IdentityServer + fix pos-web auth

Login was failing because: 1. IdentityServer Config.cs had no 'bff-client' client definition (pos-web uses bff-client for BFF authentication pattern) 2. pos-web had no IdentityServer__ClientSecret env var configured 3. Network policy blocked pos-web → iam-service egress Fixes: - Add bff-client to Config.Clients (ResourceOwnerPassword grant, 8h access token, 7d refresh token for POS sessions) - Add IdentityServer client credentials to pos-web.yaml from secrets - Add pos-web to allow-inter-service-egress network policy Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 22:22:37 +07:00
parent 5ce64b9a1c
commit 8a5b25936d
3 changed files with 42 additions and 3 deletions
--- a/deployments/staging/kubernetes/network-policy.yaml
+++ b/deployments/staging/kubernetes/network-policy.yaml
@@ -349,6 +349,7 @@ spec:
      - mkt-whatsapp-service
      - mkt-x-service
      - mkt-zalo-service
      - pos-web
  policyTypes:
  - Egress
  egress:
--- a/deployments/staging/kubernetes/pos-web.yaml
+++ b/deployments/staging/kubernetes/pos-web.yaml
@@ -45,6 +45,18 @@ spec:
        # VI: IAM Service cho xac thuc
        - name: IamService__BaseUrl
          value: "http://iam-service:8080"
        # EN: BFF IdentityServer client credentials
        # VI: Thong tin xac thuc BFF IdentityServer client
        - name: IdentityServer__ClientId
          valueFrom:
            secretKeyRef:
              name: goodgo-secrets
              key: IdentityServer__ClientId
        - name: IdentityServer__ClientSecret
          valueFrom:
            secretKeyRef:
              name: goodgo-secrets
              key: IdentityServer__ClientSecret
        # EN: YARP Reverse Proxy cluster addresses (K8s internal DNS)
        # VI: Dia chi cluster YARP Reverse Proxy (K8s internal DNS)
        - name: ReverseProxy__Clusters__iam-cluster__Destinations__destination1__Address
--- a/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs
+++ b/services/iam-service-net/src/IamService.Infrastructure/IdentityServer/Config.cs
@@ -185,9 +185,9 @@ public static class Config
            ClientId = "swagger-ui",
            ClientName = "Swagger UI",
            ClientSecrets = { new Secret("swagger-ui-secret".Sha256()) },
-            
+
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
-            
+
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
@@ -197,11 +197,37 @@ public static class Config
                "roles",
                "api"
            },
-            
+
            AllowOfflineAccess = true,
            AccessTokenLifetime = 3600,  // 1 hour for testing convenience
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 86400  // 1 day
        },
        // EN: BFF (Backend-For-Frontend) Client - POS Web Application
        // VI: BFF Client - Ứng dụng POS Web (Blazor WASM)
        new Client
        {
            ClientId = "bff-client",
            ClientName = "POS Web BFF Client",
            ClientSecrets = { new Secret("bff-client-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                IdentityServerConstants.StandardScopes.OfflineAccess,
                "roles",
                "api"
            },
            AllowOfflineAccess = true,
            AccessTokenLifetime = 28800,  // 8 hours — long-lived for POS sessions
            RefreshTokenExpiration = TokenExpiration.Sliding,
            SlidingRefreshTokenLifetime = 604800  // 7 days
        }
    ];
 }