feat(idp): add keycloak-first support with authentik fallback

app/security/authentik_jwt.py

@@ -50,16 +50,18 @@ class AuthentikTokenVerifier:
 
     @staticmethod
     def _infer_userinfo_endpoint(issuer: str | None, base_url: str | None) -> str | None:
-        if base_url:
-            return base_url.rstrip("/") + "/application/o/userinfo/"
         if issuer:
             normalized = issuer.rstrip("/")
+            if "/realms/" in normalized:
+                return normalized + "/protocol/openid-connect/userinfo"
             marker = "/application/o/"
             marker_index = normalized.find(marker)
             if marker_index != -1:
                 root = normalized[:marker_index]
                 return root + marker + "userinfo/"
             return normalized + "/userinfo/"
+        if base_url:
+            return base_url.rstrip("/") + "/application/o/userinfo/"
         return None
 
     def _enrich_from_userinfo(self, principal: AuthentikPrincipal, token: str) -> AuthentikPrincipal:
@@ -156,13 +158,13 @@ class AuthentikTokenVerifier:
 def _get_verifier() -> AuthentikTokenVerifier:
     settings = get_settings()
     return AuthentikTokenVerifier(
-        issuer=settings.authentik_issuer,
-        jwks_url=settings.authentik_jwks_url,
-        audience=settings.authentik_audience,
-        client_secret=settings.authentik_client_secret,
-        base_url=settings.authentik_base_url,
-        userinfo_endpoint=settings.authentik_userinfo_endpoint,
-        verify_tls=settings.authentik_verify_tls,
+        issuer=settings.idp_issuer,
+        jwks_url=settings.idp_jwks_url,
+        audience=settings.idp_audience,
+        client_secret=settings.idp_client_secret,
+        base_url=settings.idp_base_url,
+        userinfo_endpoint=settings.idp_userinfo_endpoint,
+        verify_tls=settings.idp_verify_tls,
     )