member/member-backend

Fork 0

Go to file

Chris 34fc865b30 fix(auth): relax keycloak audience check and auto-redirect logged-in user

2026-04-01 01:48:06 +08:00

app

fix(auth): relax keycloak audience check and auto-redirect logged-in user

2026-04-01 01:48:06 +08:00

scripts

feat(idp): add keycloak-first support with authentik fallback

2026-04-01 00:41:38 +08:00

tests

refactor(internal): switch auth to api-client headers

2026-03-31 21:09:18 +08:00

.env

feat: add authentik jwt verification and me endpoints

2026-03-29 23:06:19 +08:00

.env.development

chore(env): use member-frontend oidc client and keep member-backend admin client

2026-04-01 01:30:44 +08:00

.env.example

chore(env): configure keycloak master client for local backend

2026-04-01 01:20:46 +08:00

.env.production.example

feat(idp): add keycloak-first support with authentik fallback

2026-04-01 00:41:38 +08:00

pyproject.toml

feat: add authentik admin user sync endpoint

2026-03-29 23:08:52 +08:00

README.md

feat(idp): add keycloak-first support with authentik fallback

2026-04-01 00:41:38 +08:00

README.md

memberapi.ose.tw backend

Quick start

cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh

Required DB setup

Initialize API client whitelist table with docs/API_CLIENTS_SQL.sql.
Initialize core tables with backend/scripts/init_schema.sql.
Generate api_key_hash and update api_clients records, e.g.:

python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'

IdP JWT setup（Keycloak 優先）

若設定 KEYCLOAK_BASE_URL + KEYCLOAK_REALM，後端會優先走 Keycloak。
未設定 Keycloak 時，才走 AUTHENTIK_*。

Keycloak

必填：
- KEYCLOAK_BASE_URL
- KEYCLOAK_REALM
- KEYCLOAK_CLIENT_ID
- KEYCLOAK_CLIENT_SECRET
可選：
- KEYCLOAK_ISSUER（預設：<base>/realms/<realm>）
- KEYCLOAK_JWKS_URL（預設：<issuer>/protocol/openid-connect/certs）
- KEYCLOAK_TOKEN_ENDPOINT（預設：<issuer>/protocol/openid-connect/token）
- KEYCLOAK_USERINFO_ENDPOINT（預設：<issuer>/protocol/openid-connect/userinfo）
- KEYCLOAK_AUDIENCE
- KEYCLOAK_VERIFY_TLS（預設 true）

Authentik（備援）

Configure at least one of:
- AUTHENTIK_JWKS_URL
- AUTHENTIK_ISSUER (the service infers <issuer>/jwks/)
Optional:
- AUTHENTIK_AUDIENCE (enables audience claim validation)
- AUTHENTIK_CLIENT_ID (used by /auth/login, fallback to AUTHENTIK_AUDIENCE)
- AUTHENTIK_CLIENT_SECRET (required if your access/id token uses HS256 signing)
- AUTHENTIK_TOKEN_ENDPOINT (default: <AUTHENTIK_BASE_URL>/application/o/token/)
- AUTHENTIK_USERINFO_ENDPOINT (optional, default inferred from issuer/base URL; used to fill missing email/name claims)

IdP Admin API setup

Keycloak（優先）
- KEYCLOAK_BASE_URL
- KEYCLOAK_REALM
- KEYCLOAK_ADMIN_CLIENT_ID
- KEYCLOAK_ADMIN_CLIENT_SECRET
- KEYCLOAK_ADMIN_REALM（可選，預設同 KEYCLOAK_REALM）
Authentik（備援）
- AUTHENTIK_BASE_URL
- AUTHENTIK_ADMIN_TOKEN
- AUTHENTIK_VERIFY_TLS

Main APIs

GET /healthz
GET /auth/oidc/url
POST /auth/oidc/exchange
GET /me (Bearer token required)
GET /me/permissions/snapshot (Bearer token required)
POST /internal/users/upsert-by-sub
GET /internal/permissions/{user_sub}/snapshot
POST /internal/idp/users/ensure（相容：/internal/authentik/users/ensure）
POST /admin/permissions/grant
POST /admin/permissions/revoke
GET|POST /admin/systems
GET|POST /admin/modules
GET|POST /admin/companies
GET|POST /admin/sites
GET /admin/members
GET|POST /admin/permission-groups
POST|DELETE /admin/permission-groups/{group_key}/members/{user_sub}
POST /admin/permission-groups/{group_key}/permissions/grant|revoke
GET /internal/systems
GET /internal/modules
GET /internal/companies
GET /internal/sites
GET /internal/members

README.md Unescape Escape

memberapi.ose.tw backend

Quick start

Required DB setup

IdP JWT setup（Keycloak 優先）

Keycloak

Authentik（備援）

IdP Admin API setup

Main APIs

README.md