yasithdev opened a new pull request, #160:
URL: https://github.com/apache/airavata-portals/pull/160

   ## Summary
   Per the directive to **move authentication purely to Keycloak — no separate Django auth layer, just expect a valid token**:
   
   - **`KeycloakTokenAuthentication`** (`apps/auth/token_authentication.py`): validates the Bearer JWT against the realm JWKS (signature + expiry), derives a **lightweight non-DB user** from the claims, and builds `request.authz_token` directly from the token. No session, no DB `User`, no OAuth login flow. Set as the **sole** DRF `DEFAULT_AUTHENTICATION_CLASSES` (replacing `SessionAuthentication` + `OAuthAuthentication`).
   - **Lazy Thrift client** (`AiravataClientMiddleware`): the Thrift client is now a `SimpleLazyObject`, so requests that only use the gRPC client (`request.airavata`) never open a Thrift connection. The legacy Thrift server is gone (backend is gRPC-only on :9090), so the old per-request eager Thrift connect otherwise **hangs every request**.
   
   ## Validated against the running backend
   `manage.py runserver` + a Keycloak Bearer token, against the live tilt stack:
   - `GET /api/projects/` → **200** `{"next":null,"previous":null,"results":[],...}` (migrated gRPC read)
   - `GET /api/applications/` → **200** `[]` (migrated gRPC read)
   - missing token → **401**, invalid token → **401**
   
   ## ⚠️ Behavioral change to review
   This replaces **session** auth for the API, so the browser frontend must send the Keycloak token as an `Authorization: Bearer` header rather than rely on the session cookie — a coordinated frontend change. The broader removal of the login views / `KeycloakBackend` / DB `User` mirror continues in D5/D6. Flagging for a maintainer's eyes before merge since it changes auth repo-wide.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

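
The token check described in the pull request's first bullet, as an added example that is not code from the pull request or from Airavata: RS256 signature verification against a JWKS plus expiry, and additionally algorithm pinning and an issuer check, which the description does not mention. The function names, the `demo-1` key (built from two publicly known Mersenne primes, for demonstration only) and the issuer value passed by the caller are constructed assumptions; a deployment would use a maintained JWT library and the realm's real JWKS.

```python
import base64, hashlib, hmac, json, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(message, size):
    """Encoded block that an RS256 signature over `message` must open to."""
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(digest_info) - 3) + b"\x00" + digest_info

def verify_bearer(token, jwks, issuer, now=None):
    """Return the claims of a valid RS256 token; raise ValueError otherwise."""
    try:
        head64, body64, sig64 = token.split(".")
        header, claims, sig = json.loads(b64d(head64)), json.loads(b64d(body64)), b64d(sig64)
        alg, kid, exp, iss = header["alg"], header["kid"], claims["exp"], claims["iss"]
    except Exception as exc:
        raise ValueError("malformed token") from exc
    if alg != "RS256":  # pin the algorithm: rejects "none" and HMAC confusion
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == kid and k.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("unknown signing key")
    n, e = (int.from_bytes(b64d(jwk[f]), "big") for f in ("n", "e"))
    size, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != size or s >= n:
        raise ValueError("bad signature")
    expected = emsa_pkcs1_v15(f"{head64}.{body64}".encode(), size)
    if not hmac.compare_digest(pow(s, e, n).to_bytes(size, "big"), expected):
        raise ValueError("bad signature")
    if iss != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed demo key: both primes are public, so this key protects nothing.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "e": "AQAB",
                       "n": b64e((P * Q).to_bytes(141, "big"))}]}

def make_demo_token(claims, alg="RS256", kid="demo-1"):
    body = ".".join(b64e(json.dumps(part).encode()) for part in ({"alg": alg, "kid": kid}, claims))
    em = int.from_bytes(emsa_pkcs1_v15(body.encode(), 141), "big")
    return body + "." + b64e(pow(em, pow(E, -1, (P - 1) * (Q - 1)), P * Q).to_bytes(141, "big"))
```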