BffConfig is parsed but never implemented, and on reflection it does not belong in this crate: BFF is stateful session / token-lifecycle management (a separate product, e.g. oauth2-proxy / Pomerium), whereas this proxy is a stateless transcoding data plane with stateless auth primitives (JWT, forward-auth, ext_authz, OIDC discovery). A server-side session/token store would also break the multi-instance-stateless design.
Changes
- Remove
BffConfig, the auth.bff field, and its defaults.
- Reword the OpenAPI cookie security-scheme description so it no longer references a BFF login flow.
- README: drop BFF from the Roadmap; add a Non-goals note (use a dedicated BFF in front, or the forward-auth / authz hooks).
No behavior change (the field was never wired). Estimate: 1h
BffConfigis parsed but never implemented, and on reflection it does not belong in this crate: BFF is stateful session / token-lifecycle management (a separate product, e.g. oauth2-proxy / Pomerium), whereas this proxy is a stateless transcoding data plane with stateless auth primitives (JWT, forward-auth, ext_authz, OIDC discovery). A server-side session/token store would also break the multi-instance-stateless design.Changes
BffConfig, theauth.bfffield, and its defaults.No behavior change (the field was never wired). Estimate: 1h