
Hybrid Authentication (Demo202509)

For the Demo202509 release, Arda uses a hybrid authentication approach: Cognito-issued JWT between the browser/SPA and the BFF, and a static Bearer Token (API Key) between the BFF and the backend API endpoints.

Authentication Information Required by Backend

Field       Description
User ID     Human-readable unique identifier for the user (Cognito username)
Tenant ID   UUID of the subscriber organization (custom:tenant Cognito attribute)
Role        Enumerated role value stored in a Cognito custom attribute. Valid values: PUBLIC, USER, ADMIN, ARDA

How each value travels from the BFF to the backend:

  • BFF → Backend: Bearer Token (API Key) in the Authorization header
  • User ID: Custom header X-Author
  • Tenant ID: Custom header X-Tenant-ID
  • Role: Custom header X-Role-ID (TBD as of Aug 2025)

The BFF is responsible for extracting these values from the Cognito JWT and forwarding them in the correct headers. The BFF is considered trusted by the backend if the Bearer Token matches.

When the BFF needs to access backend services without a logged-in user (e.g., during sign-up):

Header        Value
Bearer Token  Configured BFF API Key
X-Author      SYSTEM
X-Tenant-ID   SYSTEM
X-Role-ID     ARDA
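The following is an added example, not Arda's own code, showing both sides of the BFF-to-backend contract described above: the BFF maps claims from an already-verified Cognito JWT (or the SYSTEM values for calls without a logged-in user) onto the Authorization, X-Author, X-Tenant-ID and X-Role-ID headers, and the backend accepts those identity headers only after a constant-time comparison of the bearer token. The claim names cognito:username and custom:role, the header name X-Role-ID (still TBD on the page), the API key value and the sample claims are all assumptions or constructed values; JWT signature, issuer and expiry verification is assumed to happen before the claims reach this code.

```python
import hmac
from typing import Mapping

# Constructed placeholder. A real BFF key is read from configuration, never from source.
BFF_API_KEY = "bff-api-key-placeholder"

# Role values from the page; the header name is still TBD there, assumed here.
VALID_ROLES = {"PUBLIC", "USER", "ADMIN", "ARDA"}
ROLE_HEADER = "X-Role-ID"

# Constructed example of a decoded (and already verified) Cognito ID token payload.
SAMPLE_CLAIMS = {
    "sub": "c0ffee00-1111-4222-8333-444455556666",
    "cognito:username": "alice",                               # assumed claim name
    "custom:tenant": "6f1c2a7e-0b3d-4c5e-9a8b-1d2e3f4a5b6c",   # UUID per the page
    "custom:role": "USER",                                     # assumed attribute name
}


def backend_headers_for_user(claims: Mapping[str, str], api_key: str = BFF_API_KEY) -> dict:
    """BFF side: build the headers the backend expects for a logged-in user.

    The role is checked against the enumerated set before forwarding so that a
    token carrying an unexpected value never reaches the backend as a role header.
    """
    role = claims["custom:role"]
    if role not in VALID_ROLES:
        raise ValueError(f"unknown role in token: {role!r}")
    return {
        "Authorization": f"Bearer {api_key}",
        "X-Author": claims["cognito:username"],   # human-readable Cognito username
        "X-Tenant-ID": claims["custom:tenant"],   # subscriber organization UUID
        ROLE_HEADER: role,
    }


def backend_headers_for_system(api_key: str = BFF_API_KEY) -> dict:
    """BFF side: headers for backend calls with no logged-in user (e.g. sign-up)."""
    return {
        "Authorization": f"Bearer {api_key}",
        "X-Author": "SYSTEM",
        "X-Tenant-ID": "SYSTEM",
        ROLE_HEADER: "ARDA",
    }


def authorize_request(headers: Mapping[str, str], expected_api_key: str = BFF_API_KEY) -> dict:
    """Backend side: trust the identity headers only if the bearer token matches.

    Returns the principal (user_id, tenant_id, role) or raises PermissionError.
    Header names are matched exactly here; a real framework would expose a
    case-insensitive header mapping.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    # Constant-time comparison so the key cannot be recovered byte by byte via timing.
    if scheme != "Bearer" or not hmac.compare_digest(token.encode(), expected_api_key.encode()):
        raise PermissionError("untrusted caller: bearer token mismatch")
    role = headers.get(ROLE_HEADER, "")
    if role not in VALID_ROLES:
        raise PermissionError(f"invalid role header: {role!r}")
    principal = {
        "user_id": headers.get("X-Author", ""),
        "tenant_id": headers.get("X-Tenant-ID", ""),
        "role": role,
    }
    if not principal["user_id"] or not principal["tenant_id"]:
        raise PermissionError("missing identity headers")
    return principal


if __name__ == "__main__":
    user_headers = backend_headers_for_user(SAMPLE_CLAIMS)
    print(authorize_request(user_headers))
    print(authorize_request(backend_headers_for_system()))
```

The backend never reads X-Author, X-Tenant-ID or X-Role-ID before the bearer check succeeds: those headers are only meaningful because the BFF is the trusted party that set them, so a failed token comparison rejects the request without consulting them.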

In the long term, all three layers (SPA, BFF, backend) will use a single JWT issued by the OAuth2 server. The JWT will carry:

  • sub — User ID
  • custom:tenant — Tenant ID (array of UUIDs for multi-tenant)
  • Role claim — may evolve to a permission reference or Access Decision Service lookup

Cognito requires all redirect URLs to be pre-registered. To avoid registering every possible target URL, the BFF uses a single registered redirect endpoint:

https://<app-host>/redirect

The BFF appends a target query parameter (URL-encoded, optionally encrypted) containing the actual destination. On receiving the callback, the BFF decodes the target and redirects the browser.
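An added example of the single-redirect-endpoint pattern, not code from the Arda project: one side builds the registered redirect URL with the real destination carried in the URL-encoded target parameter, the other side decodes target on the callback and only honours a path on the application host, falling back to a default otherwise. The host name app.example.com stands in for <app-host>, and the optional encryption of target mentioned on the page is left out; the same-origin check is a defensive addition so that a tampered target cannot send the browser to another site.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

APP_HOST = "app.example.com"                    # stands in for <app-host>
REDIRECT_ENDPOINT = f"https://{APP_HOST}/redirect"  # the single registered redirect URL


def build_redirect_url(target: str) -> str:
    """BFF side: the registered redirect endpoint with the real destination in 'target'."""
    return REDIRECT_ENDPOINT + "?" + urlencode({"target": target})


def resolve_target(callback_url: str, default: str = "/") -> str:
    """Callback side: decode 'target' and return it only if it stays on this application.

    Accepted: an absolute path such as /docs/item?id=7, or an https URL whose host is
    APP_HOST exactly. Everything else (other hosts, protocol-relative //host, other
    schemes, backslash tricks) falls back to the default landing page.
    """
    query = parse_qs(urlsplit(callback_url).query)   # parse_qs percent-decodes values
    raw = query.get("target", [None])[0]
    if raw is None or "\\" in raw:
        return default
    parts = urlsplit(raw)
    if raw.startswith("/") and not raw.startswith("//") and not parts.scheme and not parts.netloc:
        return raw                                    # same-origin path
    if parts.scheme == "https" and parts.netloc == APP_HOST:
        return raw                                    # absolute URL on our own host
    return default


if __name__ == "__main__":
    login_redirect = build_redirect_url("/docs/item?id=7")
    print(login_redirect)
    # Constructed callback as the browser would arrive with it after Cognito adds its code.
    print(resolve_target(login_redirect + "&code=constructed-auth-code"))
    print(resolve_target(REDIRECT_ENDPOINT + "?target=https%3A%2F%2Fother.example%2F"))
```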