yasithdev opened a new pull request, #160:
URL: https://github.com/apache/airavata-portals/pull/160

## Summary
Per the directive to **move authentication purely to Keycloak — no separate
Django auth layer, just expect a valid token**:
- **`KeycloakTokenAuthentication`** (`apps/auth/token_authentication.py`):
validates the Bearer JWT against the realm JWKS (signature + expiry), derives a
**lightweight non-DB user** from the claims, and builds `request.authz_token`
directly from the token. No session, no DB `User`, no OAuth login flow. Set as
the **sole** DRF `DEFAULT_AUTHENTICATION_CLASSES` (replacing
`SessionAuthentication` + `OAuthAuthentication`).
- **Lazy Thrift client** (`AiravataClientMiddleware`): the Thrift client is
now a `SimpleLazyObject`, so requests that only use the gRPC client
(`request.airavata`) never open a Thrift connection. The legacy Thrift server
is gone (backend is gRPC-only on :9090), so the old per-request eager Thrift
connect otherwise **hangs every request**.

## Validated against the running backend
`manage.py runserver` + a Keycloak Bearer token, against the live tilt stack:
- `GET /api/projects/` → **200**
`{"next":null,"previous":null,"results":[],...}` (migrated gRPC read)
- `GET /api/applications/` → **200** `[]` (migrated gRPC read)
- missing token → **401**, invalid token → **401**

## ⚠️ Behavioral change to review
This replaces **session** auth for the API, so the browser frontend must
send the Keycloak token as an `Authorization: Bearer` header rather than rely
on the session cookie — a coordinated frontend change. The broader removal of
the login views / `KeycloakBackend` / DB `User` mirror continues in D5/D6.
Flagging for a maintainer's eyes before merge since it changes auth repo-wide.

🤖 Generated with [Claude Code](https://claude.com/claude-code)