Chris Coutinho
f34366a260
feat: Add Keycloak OAuth provider support with refresh token storage
Implements Keycloak as an external OIDC provider following ADR-002
architecture for background job authentication using offline_access.
## Features
- Keycloak OAuth provider with PKCE and offline_access support
- Refresh token storage with Fernet encryption
- Token verifier for both JWT and opaque tokens
- Multi-client validation (realm-level trust)
- Sample configuration for Keycloak integration
## Implementation
### OAuth Provider (keycloak_oauth.py)
- Authorization Code Flow with PKCE
- Refresh token exchange
- OIDC discovery endpoint support
- Token validation with JWKS
### Token Storage (refresh_token_storage.py)
- Encrypted storage using Fernet symmetric encryption
- SQLite backend for persistence
- Token rotation support
- Per-user token management
### Token Verifier Updates
- Support both JWT (self-encoded) and opaque tokens
- JWKS-based JWT signature verification
- Introspection endpoint fallback for opaque tokens
- Scope extraction from both token types
### Configuration
- .env.keycloak.sample: Example configuration with Keycloak URLs
- docs/keycloak-multi-client-validation.md: Realm-level validation documentation
- app-hooks/post-installation/10-install-user_oidc-app.sh: Updated dependencies
## Architecture Notes
- MCP Server is a protected resource (requires OAuth)
- MCP Client initiates OAuth flow and shares refresh tokens
- Refresh tokens enable background operations without admin credentials
- Supports future token exchange delegation when Keycloak implements it
## References
- ADR-002: Vector Database Background Sync Authentication
- RFC 6749: OAuth 2.0 (offline_access, refresh tokens)
- RFC 7517: JSON Web Key (JWK)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-02 22:03:19 +01:00
..
2025-05-07 23:06:22 +02:00
2025-10-31 02:59:44 +01:00
2025-10-31 02:59:44 +01:00
2025-11-02 22:03:19 +01:00
2025-10-14 01:23:49 +02:00
2025-09-11 17:31:00 +02:00
2025-10-15 14:47:43 +02:00
2025-10-14 01:23:49 +02:00
2025-09-11 17:28:13 +02:00
2025-10-17 03:08:16 +02:00
2025-09-11 17:28:13 +02:00
2025-10-14 01:23:38 +02:00
2025-10-24 04:38:49 +02:00
2025-11-02 22:03:19 +01:00
2025-05-06 02:52:51 +02:00
2025-09-11 17:28:13 +02:00
2025-10-25 21:54:30 +02:00
2025-10-15 16:27:22 +02:00
2025-10-24 04:38:49 +02:00
2025-10-20 19:10:23 +02:00
2025-10-15 16:27:22 +02:00
2025-10-14 01:23:38 +02:00
2025-09-11 17:28:13 +02:00
2025-10-23 11:20:49 +02:00
2025-10-24 04:38:49 +02:00
2025-10-14 01:23:49 +02:00
2025-09-11 17:28:13 +02:00