tking/fastapi-gsap
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
fastapi-gsap/gsap_broker/routers
History
Tyler J King 5015f3dd43 fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 
C-1: Keycloak driver now verifies JWT signatures via JWKS.
     Forged tokens are rejected. Previously any base64 JWT was accepted.
C-2: on_behalf_of requires gsap:impersonate role in JWT claims.
C-3: Entra driver denies on JWKS failure (no unverified fallback).
H-10: JWKS cache refreshes on kid miss for key rotation.

Shared JWKSVerifier used by both drivers. alg=none blocked.
iss, aud, exp validated for all tokens.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-14 07:51:38 -04:00
..
__init__.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
authorize.py fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
complete.py feat: session-scoped ACs — multiple CRs per session 2026-04-03 02:06:15 -04:00
connectors.py feat: wire credential resolver and connectors into broker startup 2026-04-14 06:03:57 -04:00
drivers.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
elevate.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
functions.py feat: governed function runtime + billing drain 2026-03-30 22:12:29 -04:00
health.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
session.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00