feat(sync): keycloak as source-of-truth with auto catalog sync and token refresh

backend/app/api/auth.py

@@ -5,7 +5,7 @@ import httpx
 from fastapi import APIRouter, HTTPException, status
 
 from app.core.config import get_settings
-from app.schemas.login import LoginRequest, LoginResponse, OIDCAuthUrlResponse, OIDCCodeExchangeRequest
+from app.schemas.login import LoginRequest, LoginResponse, OIDCAuthUrlResponse, OIDCCodeExchangeRequest, RefreshTokenRequest
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 logger = logging.getLogger(__name__)
@@ -45,12 +45,7 @@ def login(payload: LoginRequest) -> LoginResponse:
     token = data.get("access_token")
     if not token:
         raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_missing_access_token")
-    return LoginResponse(
-        access_token=token,
-        token_type=data.get("token_type", "Bearer"),
-        expires_in=data.get("expires_in"),
-        scope=data.get("scope"),
-    )
+    return _build_login_response(data)
 
 
 @router.get("/oidc/url", response_model=OIDCAuthUrlResponse)
@@ -123,9 +118,50 @@ def exchange_oidc_code(payload: OIDCCodeExchangeRequest) -> LoginResponse:
     token = data.get("access_token")
     if not token:
         raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_missing_access_token")
+    return _build_login_response(data)
+
+
+@router.post("/refresh", response_model=LoginResponse)
+def refresh_access_token(payload: RefreshTokenRequest) -> LoginResponse:
+    settings = get_settings()
+    client_id = settings.idp_client_id or settings.idp_audience
+    if not settings.idp_base_url or not client_id or not settings.idp_client_secret:
+        raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="idp_login_not_configured")
+
+    form = {
+        "grant_type": "refresh_token",
+        "client_id": client_id,
+        "client_secret": settings.idp_client_secret,
+        "refresh_token": payload.refresh_token,
+    }
+    try:
+        resp = httpx.post(
+            settings.idp_token_endpoint,
+            data=form,
+            timeout=10,
+            verify=settings.idp_verify_tls,
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+        )
+    except Exception as exc:
+        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_unreachable") from exc
+
+    if resp.status_code >= 400:
+        logger.warning("idp refresh-token grant failed: status=%s body=%s", resp.status_code, resp.text)
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid_refresh_token")
+
+    data = resp.json()
+    token = data.get("access_token")
+    if not token:
+        raise HTTPException(status_code=status.HTTP_502_BAD_GATEWAY, detail="idp_missing_access_token")
+    return _build_login_response(data)
+
+
+def _build_login_response(data: dict) -> LoginResponse:
     return LoginResponse(
-        access_token=token,
+        access_token=data.get("access_token", ""),
+        refresh_token=data.get("refresh_token"),
         token_type=data.get("token_type", "Bearer"),
         expires_in=data.get("expires_in"),
+        refresh_expires_in=data.get("refresh_expires_in"),
         scope=data.get("scope"),
     )