tking/fastapi-gsap
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
Python GSAP broker reference implementation
26 commits 2 branches 3 tags 31 MiB
Python 99.8%
Dockerfile 0.2%
Find a file
Tyler J King 5015f3dd43 fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 
C-1: Keycloak driver now verifies JWT signatures via JWKS.
     Forged tokens are rejected. Previously any base64 JWT was accepted.
C-2: on_behalf_of requires gsap:impersonate role in JWT claims.
C-3: Entra driver denies on JWKS failure (no unverified fallback).
H-10: JWKS cache refreshes on kid miss for key rotation.

Shared JWKSVerifier used by both drivers. alg=none blocked.
iss, aud, exp validated for all tokens.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-14 07:51:38 -04:00
gsap_broker fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
tests fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
.gitignore feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
Dockerfile feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
INTUNE.md docs: add Intune connector configuration guide 2026-04-14 05:30:06 -04:00
pyproject.toml feat: absorb llm-principal-broker as gsap_broker/delegations/ 2026-04-08 13:37:06 -04:00
README.md Initial commit 2026-03-30 18:03:34 +00:00
requirements.txt feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
uv.lock feat: governed connector module 2026-03-30 16:42:38 -04:00

README.md

fastapi-gsap

Lightweight FastAPI reference implementation of the GSAP broker (GCAP-SPEC-SHELLBOUND-BROKER-0001)