tking/fastapi-gsap
SHA256
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
fastapi-gsap/gsap_broker/drivers
History
Tyler J King 5015f3dd43 fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 
C-1: Keycloak driver now verifies JWT signatures via JWKS.
     Forged tokens are rejected. Previously any base64 JWT was accepted.
C-2: on_behalf_of requires gsap:impersonate role in JWT claims.
C-3: Entra driver denies on JWKS failure (no unverified fallback).
H-10: JWKS cache refreshes on kid miss for key rotation.

Shared JWKSVerifier used by both drivers. alg=none blocked.
iss, aud, exp validated for all tokens.

Signed-off-by: Tyler King <tking@guildhouse.dev>
2026-04-14 07:51:38 -04:00
..
__init__.py feat: fastapi-gsap — lightweight GSAP broker PoC 2026-03-30 14:10:21 -04:00
base.py feat(drivers): add native Entra identity driver 2026-04-14 05:19:54 -04:00
entra.py fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
jwks.py fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
keycloak.py fix(drivers): JWKS verification for Keycloak, remove Entra fallback, gate on_behalf_of 2026-04-14 07:51:38 -04:00
registry.py feat(drivers): add native Entra identity driver 2026-04-14 05:19:54 -04:00