feat(sso): replace local auth with Keycloak OIDC callback flow

2026-03-01 00:51:14 +01:00
parent f28240c37f
commit 1daa6f6e90
3 changed files with 59 additions and 37 deletions
--- a/backend/app/auth.py
+++ b/backend/app/auth.py
@@ -1,21 +1,23 @@
 from datetime import datetime, timedelta, timezone
 from typing import Optional
 from jose import JWTError, jwt
-from passlib.context import CryptContext
+from authlib.integrations.starlette_client import OAuth
 from fastapi import Cookie, HTTPException, status, Depends
 from sqlalchemy.orm import Session
 from app.database import get_db, settings
 from app import models

-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
-
-def hash_password(password: str) -> str:
-    return pwd_context.hash(password)
-
-
-def verify_password(plain: str, hashed: str) -> bool:
-    return pwd_context.verify(plain, hashed)
+oauth = OAuth()
+oauth.register(
+    name="keycloak",
+    client_id=settings.keycloak_client_id,
+    client_secret=settings.keycloak_client_secret,
+    server_metadata_url=(
+        f"{settings.keycloak_url}/realms/{settings.keycloak_realm}"
+        "/.well-known/openid-configuration"
+    ),
+    client_kwargs={"scope": "openid email profile"},
+)


 def create_access_token(user_id: int) -> str: