Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .cf-studio/config/artifacts.toml
Original file line number Diff line number Diff line change
Expand Up @@ -592,6 +592,11 @@ path = "docs/components/backend/authenticator/DESIGN.md"
name = "Authenticator Service Design"
traceability = "DOCS-ONLY"

[[systems.artifacts]]
kind = "ADR"
path = "docs/components/backend/authenticator/specs/ADR/0001-per-environment-idp-selection.md"
name = "ADR-0001: Per-Environment IdP Selection (fakeidp for CI/compose, Dex for local k8s)"

[[systems.artifacts]]
kind = "DESIGN"
path = "docs/components/backend/gateway/DESIGN.md"
Expand Down
43 changes: 28 additions & 15 deletions .env.compose.example
Original file line number Diff line number Diff line change
Expand Up @@ -47,14 +47,14 @@ FRONTEND_IMAGE=
# host-side build step, and generates an override that drops the bind
# mount for the service.
#
# Equivalent CLI: `./dev-compose.sh up --from-ghcr=api-gateway,identity`
API_GATEWAY_IMAGE=
# Equivalent CLI: `./dev-compose.sh up --from-ghcr=analytics,identity`
ANALYTICS_IMAGE=
IDENTITY_IMAGE=

# ── Host port mapping ─────────────────────────────────────────────────
# Change these if 8080/8081/8082/8084/3000/3306/8123/6379 are already in use.
API_GATEWAY_PORT=8080
# GATEWAY_PORT is the nginx edge (the :8080 entry).
GATEWAY_PORT=8080
ANALYTICS_PORT=8081
IDENTITY_PORT=8082
# fakeidp — the dev/e2e fake OIDC provider (dev-only; never in production).
Expand Down Expand Up @@ -118,13 +118,14 @@ SEEDED_LOCAL_CH=
# Replace with the UUID present in your persons.insight_tenant_id.
TENANT_DEFAULT_ID=00000000-df51-5b42-9538-d2b56b7ee953

# The api-gateway runs no-auth.yaml (auth_disabled=true) — all requests get
# the default-tenant root context, and the frontend dev-impersonates
# VITE_DEV_USER_EMAIL (below). OIDC login via the authenticator is not wired
# up for the compose dev stack.
# Full auth (NGINX_BFF): the nginx `gateway` on :8080 is the entry — it does
# auth_request to the authenticator (which logs in against fakeidp), injects the
# gateway JWT, and every downstream service verifies it (no auth_disabled). Drive
# the login flow with curl (/auth/login -> fakeidp -> /auth/callback -> cookie ->
# /api/...), as the step-07 e2e does; the SPA login lands with the FE cutover.
#
# The OIDC_* vars below are read by the frontend (VITE_OIDC_ISSUER /
# VITE_OIDC_CLIENT_ID) but are unused while dev-impersonation is active.
# VITE_OIDC_CLIENT_ID).
OIDC_ISSUER=
# Also the authenticator's OIDC client_id (must equal fakeidp's default aud so
# the id_token audience matches). Defaults to `insight-authenticator`.
Expand All @@ -134,13 +135,25 @@ OIDC_AUDIENCE=
OIDC_CLIENT_SECRET=

# ── Authenticator (nginx+auth step 04) ────────────────────────────────
# In compose the authenticator logs in against fakeidp. Discovery/JWKS/token
# are fetched in-network (fakeidp:8084); the browser-facing redirect_uri is
# host-visible. Login requires the person to exist in Identity — seed the DB
# (./dev-compose.sh seed identity); an unknown person is denied (403).
AUTHENTICATOR_OIDC_ISSUER=http://fakeidp:8084
AUTHENTICATOR_REDIRECT_URI=http://localhost:8083/auth/callback
AUTHENTICATOR_GATEWAY_ISSUER=http://localhost:8080
# In compose the authenticator logs in against fakeidp. Login requires the
# person to exist in Identity — seed the DB (./dev-compose.sh seed identity);
# an unknown person is denied (403).
#
# fakeidp issuer: LEAVE UNSET. `./dev-compose.sh up` auto-detects the host IP and
# sets FAKEIDP_ISSUER + AUTHENTICATOR_OIDC_ISSUER to http://<host-ip>:8084 — an IP
# the BROWSER reaches without an HTTPS-upgrade (a hostname like fakeidp:8084 gets
# upgraded and fails; localhost means the container itself) and the containers
# reach too. Set this ONLY to pin a real IdP (then auto-detect is skipped).
# AUTHENTICATOR_OIDC_ISSUER=https://your-idp.example/realm
# redirect_uri MUST be the origin the BROWSER loads the SPA from, so the
# `__Host-sid` session cookie lands on the SPA's origin (not the authenticator's
# own :8083). FRONTEND_MODE=dev serves the SPA via Vite at :3000 (which proxies
# /auth + /api to the gateway), so the callback rides that origin. If you browse
# the gateway edge instead, use http://localhost:8080/auth/callback.
AUTHENTICATOR_REDIRECT_URI=http://localhost:3000/auth/callback
# Token `iss` = the TLS discovery front (analytics' plugin resolves JWKS over
# https). The browser still reaches the gateway plainly at :8080.
AUTHENTICATOR_GATEWAY_ISSUER=https://authn-tls:8443
AUTHENTICATOR_IDENTITY_URL=http://identity:8082

# ── Dev impersonation ─────────────────────────────────────────────────
Expand Down
Loading
Loading