Accept Tessera (Keycloak-compatible) OIDC tokens as API bearer

Adds an additive bearer-verification path: verify RS256 access tokens against
Tessera's JWKS (iss/aud/exp), map sub/preferred_username/email + roles
(realm_access.roles, resource_access.<audience>.roles) to the app's identity.
Existing auth (API keys / app JWTs / sessions) is unchanged. Issuer + audience
are env-configurable. Validated end-to-end against the local sim.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
h z
2026-06-02 15:11:31 +01:00
parent 1a5a3ed1b1
commit 0bdc432215
3 changed files with 266 additions and 5 deletions
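The claim checks and claim-to-identity mapping the commit message describes, as an added Python example that is not the project's code: it assumes the RS256 signature has already been verified against Tessera's JWKS by a JWT library and starts from the decoded payload, enforcing iss/aud/exp and mapping sub/preferred_username/email plus realm_access.roles and resource_access.<audience>.roles onto a small identity object. The `Identity` class, `reject_reason`, `map_identity` and the sample payload are assumed or constructed here; the TESSERA_* values mirror the defaults in the diff.

```python
import time
from dataclasses import dataclass, field
from typing import Any, Dict, Optional, Set

# Hypothetical constants mirroring the TESSERA_* settings added in this commit.
TESSERA_ISSUER = "https://login.hangman-lab.top/realms/Hangman-Lab"
TESSERA_AUDIENCE = "harbor-forge"

@dataclass
class Identity:
    subject: str
    username: Optional[str]
    email: Optional[str]
    roles: Set[str] = field(default_factory=set)

def reject_reason(payload: Dict[str, Any], issuer: str, audience: str,
                  now: Optional[float] = None) -> Optional[str]:
    # Assumes the RS256 signature was already verified against the JWKS.
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        return "issuer mismatch"
    aud = payload.get("aud")  # OIDC allows a single string or a list here
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in audiences:
        return "audience mismatch"
    exp = payload.get("exp")  # a missing exp is rejected, not treated as eternal
    if not isinstance(exp, (int, float)) or now >= exp:
        return "exp missing or expired"
    return None

def map_identity(payload: Dict[str, Any], audience: str) -> Identity:
    # Realm roles plus only the client roles scoped to our own audience;
    # roles granted under other clients in resource_access are ignored.
    roles = set(payload.get("realm_access", {}).get("roles", []))
    roles |= set(payload.get("resource_access", {}).get(audience, {}).get("roles", []))
    return Identity(payload["sub"], payload.get("preferred_username"),
                    payload.get("email"), roles)

# Constructed sample payload, shaped like a decoded Keycloak access token.
SAMPLE = {
    "iss": TESSERA_ISSUER, "aud": ["harbor-forge", "account"], "exp": 2_000_000_000,
    "sub": "user-123", "preferred_username": "alice", "email": "alice@example.test",
    "realm_access": {"roles": ["viewer"]},
    "resource_access": {"harbor-forge": {"roles": ["forge-admin"]},
                        "other-client": {"roles": ["superuser"]}},
}
```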


@@ -26,6 +26,13 @@ class Settings(BaseSettings):
# for production; set SESSION_COOKIE_SECURE=false for plain-HTTP local dev.
SESSION_COOKIE_SECURE: bool = True
# External OIDC provider ("Tessera", Keycloak-compatible) whose RS256
# access tokens are accepted as API bearer tokens (additive to local
# HS256 JWT + API keys). Tokens are verified against the issuer's JWKS;
# `iss` must equal TESSERA_ISSUER and `aud` must contain TESSERA_AUDIENCE.
TESSERA_ISSUER: str = "https://login.hangman-lab.top/realms/Hangman-Lab"
TESSERA_AUDIENCE: str = "harbor-forge"
class Config:
env_file = ".env"
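Review bot: `TESSERA_ISSUER` and `TESSERA_AUDIENCE` ship with hard-coded defaults (`https://login.hangman-lab.top/realms/Hangman-Lab`, `harbor-forge`), so a deployment that never sets either variable still accepts bearer tokens from that specific issuer; since the message says both are env-configurable, consider `Optional[str] = None` with the Tessera bearer path disabled while either is unset, or at least state in the comment that these defaults target the local sim. The comment also says `aud` must contain TESSERA_AUDIENCE; the verification code (not in this hunk) should treat `aud` as either a string or a list, since Keycloak-compatible issuers emit both forms.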