Authentication etc.

bbconf/broker-config.toml

@@ -45,21 +45,16 @@ idp_url = "https://kcdev.basebox.health:8443"
 # OpenID Connect scope; default is "openid profile email"
 scope = "openid profile email"
 
-# Optional base URL for OAuth2 URLs, e.g. "https://domain.tld/auth"
-# If omitted, it will be derived from the fields in the [server] section.
-# base_url = "http://127.0.0.1:8080"
+# Fully qualified URL to the OAuth2 callback endpoint.
+# After the user entered his/her credentials at the IdP's login form, the client will be redirected
+# to this URL. When the client receives a request to this URL, it must send the request's query
+# string to the broker's "openid_connect_path" set below.
+redirect_url = "http://127.0.0.1:5173/oauth-callback"
 
-# Will be appended to `base_url` to form the OAuth2 callback URL
-redirect_path = "/oauth/callback"
-
-# Set to true to get a user's additional claims from OAuth2
-user_info_additional_claims_required = true
-
-# On successful login (auth code flow complete), the browser can optionally
-# be redirected to the application URL.
-# If this is unset, the browser gets an empty 200 response on successful
-# authorization code flow completion.
-client_app_url = "http://127.0.0.1:5173/"
+# OpenID Connect login completion request path.
+# The client must pass the query string from the call to "redirect_url" to this URL and gets
+# a basebox session token in return.
+openid_connect_path = "/oauth/complete-login"
 
 # Path to the browser login URL.
 # This path is where the basebox broker returns a 302 response that redirects the browser to
@@ -71,6 +66,9 @@ login_path = "/oauth/login"
 # Simply POST to this URL with the session cookie or bearer token.
 logout_path = "/oauth/logout"
 
+# Set to true to get a user's additional claims from OAuth2
+user_info_additional_claims_required = true
+
 
 [business_logic_layer]
 business_logic_layer_enabled = false