Commit graph

4 commits

Author SHA1 Message Date
Vadym Samoilenko
b7db37828b Fix 401: send ID token instead of Graph access token
Access tokens for User.Read scope have audience=graph.microsoft.com,
but the backend validates audience=CLIENT_ID. ID tokens always have
audience=CLIENT_ID so they validate correctly.

Also add upn claim fallback for email extraction from ID token.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 11:16:44 +01:00
Vadym Samoilenko
dbbef4972b Fix blocking JWKS fetch causing 504s + app-only logout
- auth.py: replace synchronous httpx.get (blocked event loop) with
  async httpx.AsyncClient; add key-rotation refresh on unknown kid
- App.tsx: use onRedirectNavigate: false so Sign out clears only the
  local MSAL session without redirecting to Microsoft logout endpoint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 11:11:46 +01:00
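The two fixes above (audience must equal CLIENT_ID, so a Graph access token is rejected while an ID token passes; JWKS fetched asynchronously with a one-time refresh on an unknown kid; upn fallback when extracting the email) as an added, self-contained Python example, not the project's auth.py. It assumes a placeholder CLIENT_ID, an injected verify_sig callable in place of real RS256 verification, a constructed JWKS document, and the claim order email, then preferred_username, then upn.

```python
import asyncio, base64, json, time
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # placeholder app (client) id

def _b64json(seg: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def make_token(header: dict, claims: dict) -> str:
    """Constructed, unsigned test token (header.payload.sig with a dummy sig)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}.sig"

class JwksCache:
    """Keys come from an async callable, so the event loop is never blocked."""
    def __init__(self, fetch):
        self._fetch, self._keys, self.refreshes = fetch, {}, 0
    async def key_for(self, kid: str) -> dict:
        if kid not in self._keys:            # unknown kid: refresh once (key rotation)
            self._keys = {k["kid"]: k for k in (await self._fetch())["keys"]}
            self.refreshes += 1
        if kid not in self._keys:
            raise ValueError("unknown kid")
        return self._keys[kid]

async def validate(token: str, cache: JwksCache, verify_sig) -> dict:
    """verify_sig(token, jwk) -> bool is injected (assumption); use a JWT library for RS256."""
    header, claims = (_b64json(s) for s in token.split(".")[:2])
    key = await cache.key_for(header.get("kid", ""))
    if not verify_sig(token, key):
        raise ValueError("bad signature")
    if claims.get("aud") != CLIENT_ID:       # a Graph access token fails here -> 401
        raise ValueError(f"wrong audience {claims.get('aud')!r}")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    email = claims.get("email") or claims.get("preferred_username") or claims.get("upn")
    return {"sub": claims["sub"], "email": email}

async def _fake_fetch():  # constructed JWKS; production code GETs the tenant's jwks_uri
    return {"keys": [{"kid": "k2", "kty": "RSA"}]}

def demo() -> dict:
    cache, hdr, exp = JwksCache(_fake_fetch), {"alg": "RS256", "kid": "k2"}, time.time() + 60
    id_tok = make_token(hdr, {"aud": CLIENT_ID, "sub": "u1", "upn": "a@b", "exp": exp})
    graph_tok = make_token(hdr, {"aud": "https://graph.microsoft.com", "sub": "u1", "exp": exp})
    accept = lambda tok, key: True          # stand-in for signature verification
    user = asyncio.run(validate(id_tok, cache, accept))
    asyncio.run(validate(id_tok, cache, accept))   # kid now cached: no second JWKS fetch
    try:
        asyncio.run(validate(graph_tok, cache, accept)); graph_ok = True
    except ValueError:
        graph_ok = False
    return {"email": user["email"], "refreshes": cache.refreshes, "graph_ok": graph_ok}
```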
Vadym Samoilenko
c37e6888e2 Add DEV_AUTH_BYPASS env var to skip SSO in local dev
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 20:19:22 +00:00
Vadym Samoilenko
b2812593ae Add Azure SSO + production deployment config
- MSAL.js (PKCE) browser-side auth against Azure Entra ID
- Bearer token interceptor on all API calls
- Backend JWT validation middleware (python-jose + JWKS)
- All API routes protected; /api/health stays public
- vite base set to /gsb/, BrowserRouter basename=/gsb
- docker-compose: remove frontend service, lock backend to 127.0.0.1:8002, remove dev volumes
- backend: 2 workers, no --reload

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 18:51:18 +00:00