hzhang 0bdc432215 Accept Tessera (Keycloak-compatible) OIDC tokens as API bearer ...

Adds an additive bearer-verification path: verify RS256 access tokens against
Tessera's JWKS (iss/aud/exp), map sub/preferred_username/email + roles
(realm_access.roles, resource_access.<audience>.roles) to the app's identity.
Existing auth (API keys / app JWTs / sessions) is unchanged. Issuer + audience
are env-configurable. Validated end-to-end against the local sim.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-02 15:11:31 +01:00

..

api

Accept Tessera (Keycloak-compatible) OIDC tokens as API bearer

2026-06-02 15:11:31 +01:00

cli

fix(cli): import all model modules so SA relationship resolution works

2026-05-24 19:10:26 +01:00

core

Accept Tessera (Keycloak-compatible) OIDC tokens as API bearer

2026-06-02 15:11:31 +01:00

models

Merge fix/security-audit: RBAC/API-key-hash/cookie hardening

2026-06-01 09:23:35 +01:00

schemas

Merge fix/security-audit: RBAC/API-key-hash/cookie hardening

2026-06-01 09:23:35 +01:00

services

feat(backend)!: kill AbstractWizard, env-driven config + hf-cli

2026-05-24 19:01:37 +01:00

__init__.py

refactor: move all files to root (no nested backend/)

2026-02-21 08:25:37 +00:00

init_bootstrap.py

feat(knowledge-base): KnowledgeBase feature — models, CRUD API, RBAC

2026-05-31 15:03:14 +01:00

main.py

Merge fix/security-audit: RBAC/API-key-hash/cookie hardening

2026-06-01 09:23:35 +01:00