fastapi-gsap

tking/fastapi-gsap

SHA256

Fork 0

Commit graph

Author	SHA256	Message	Date
Tyler J King	5015f3dd43	fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of C-1: Keycloak driver now verifies JWT signatures via JWKS. Forged tokens are rejected. Previously any base64 JWT was accepted. C-2: on_behalf_of requires gsap:impersonate role in JWT claims. C-3: Entra driver denies on JWKS failure (no unverified fallback). H-10: JWKS cache refreshes on kid miss for key rotation. Shared JWKSVerifier used by both drivers. alg=none blocked. iss, aud, exp validated for all tokens. Signed-off-by: Tyler King <tking@guildhouse.dev>	2026-04-14 07:51:38 -04:00

Author

SHA256

Message

Date

Tyler J King

5015f3dd43

fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of

C-1: Keycloak driver now verifies JWT signatures via JWKS.
     Forged tokens are rejected. Previously any base64 JWT was accepted.
C-2: on_behalf_of requires gsap:impersonate role in JWT claims.
C-3: Entra driver denies on JWKS failure (no unverified fallback).
H-10: JWKS cache refreshes on kid miss for key rotation.

Shared JWKSVerifier used by both drivers. alg=none blocked.
iss, aud, exp validated for all tokens.

Signed-off-by: Tyler King <tking@guildhouse.dev>

2026-04-14 07:51:38 -04:00

1 commit