23c3065f20
The Online API now requires the "user" project role (claim urn:zitadel:iam:org:project:roles) instead of an ALLOWED_USER_IDS allowlist. - IOnlineAuthProvider: add GetAccessTokenAsync(forceRefresh) overload - ZitadelAuthProvider: forceRefresh drops the cached token and re-runs the refresh-token grant to mint a fresh, role-bearing token - OnlineInboxApiClient: on 401, force-refresh and retry once; if still 401, throw a clear "missing 'user' role" error - OnlineSyncService: surface the 401 at Error level (no longer silent) - UI: ZitadelTokenInspector decodes the access token after login and warns early when the "user" role is absent (fail-open); shown in settings - docs: online-inbox-api-contract reflects role-based access (no allowlist) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
14 lines
539 B
C#
14 lines
539 B
C#
namespace ClaudeDo.Worker.Online.Interfaces;
|
|
|
|
public interface IOnlineAuthProvider
|
|
{
|
|
Task<string?> GetAccessTokenAsync(CancellationToken ct = default);
|
|
|
|
/// <summary>
|
|
/// Gets an access token, optionally dropping any cached token first so a fresh
|
|
/// (role-bearing) token is minted via the refresh-token grant. Used to recover from a
|
|
/// 401 caused by a stale token issued before role assertion was enabled.
|
|
/// </summary>
|
|
Task<string?> GetAccessTokenAsync(bool forceRefresh, CancellationToken ct = default);
|
|
}
|