ReBAC 고도화 및 애플리케이션 관리 시스템 통합 구현

adminfront/src/app/routes.tsx

@@ -15,6 +15,7 @@ import TenantRelyingPartyListPage from "../features/tenants/routes/TenantRelying
 import TenantRelyingPartyCreatePage from "../features/tenants/routes/TenantRelyingPartyCreatePage";
 import TenantRelyingPartyDetailPage from "../features/tenants/routes/TenantRelyingPartyDetailPage";
 import RelyingPartyListPage from "../features/relying-parties/RelyingPartyListPage";
+import RelyingPartyCreatePage from "../features/relying-parties/RelyingPartyCreatePage";
 import UserCreatePage from "../features/users/UserCreatePage";
 import UserDetailPage from "../features/users/UserDetailPage";
 import UserListPage from "../features/users/UserListPage";
@@ -33,6 +34,7 @@ export const router = createBrowserRouter(
         { path: "users/new", element: <UserCreatePage /> },
         { path: "users/:id", element: <UserDetailPage /> },
         { path: "relying-parties", element: <RelyingPartyListPage /> },
+        { path: "relying-parties/new", element: <RelyingPartyCreatePage /> },
         { path: "tenants", element: <TenantListPage /> },
         { path: "tenants/new", element: <TenantCreatePage /> },
         {

adminfront/src/components/layout/RoleSwitcher.tsx

@@ -22,7 +22,7 @@ const RoleSwitcher: React.FC = () => {
     window.location.reload();
   };
 
-  if (process.env.NODE_ENV === 'production') return null;
+  if (import.meta.env.MODE === 'production') return null;
 
   return (
     <div style={{
@@ -43,7 +43,7 @@ const RoleSwitcher: React.FC = () => {
       <div style={{ fontWeight: 'bold', borderBottom: '1px solid #444', paddingBottom: '4px', marginBottom: '4px' }}>
         🛠 DEV Role Switcher
       </div>
-      {(['super_admin', 'tenant_admin', 'user'] as const).map(role => (
+      {(['super_admin', 'tenant_admin', 'rp_admin', 'tenant_member'] as const).map(role => (
         <button
           key={role}
           onClick={() => switchRole(role)}
@@ -58,7 +58,7 @@ const RoleSwitcher: React.FC = () => {
             transition: 'background 0.2s'
           }}
         >
-          {role.toUpperCase()} {currentRole === role ? '✅' : ''}
+          {role.toUpperCase().replace('_', ' ')} {currentRole === role ? '✅' : ''}
         </button>
       ))}
     </div>

adminfront/src/features/api-keys/ApiKeyCreatePage.tsx

@@ -4,12 +4,10 @@ import { AlertCircle, Check, ChevronLeft, Copy, Loader2, Save, ShieldCheck } fro
 import * as React from "react";
 import { useForm } from "react-hook-form";
 import { Link, useNavigate } from "react-router-dom";
-import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
 import {
   Card,
   CardContent,
-  CardDescription,
   CardHeader,
   CardTitle,
 } from "../../components/ui/card";

adminfront/src/features/relying-parties/RelyingPartyCreatePage.tsx

@@ -0,0 +1,228 @@
+import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import type { AxiosError } from "axios";
+import { ArrowLeft, Save } from "lucide-react";
+import { useState } from "react";
+import { Link, useNavigate } from "react-router-dom";
+import { Button } from "../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from "../../components/ui/card";
+import { Input } from "../../components/ui/input";
+import { Label } from "../../components/ui/label";
+import {
+  createRelyingParty,
+  fetchTenants,
+} from "../../lib/adminApi";
+import type { HydraClientReq } from "../../lib/adminApi";
+import { Badge } from "../../components/ui/badge";
+
+function RelyingPartyCreatePage() {
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const [selectedTenantId, setSelectedTenantId] = useState("");
+  const [formData, setFormData] = useState<HydraClientReq>({
+    client_name: "",
+    redirect_uris: [],
+    scope: "openid profile email",
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "client_secret_basic",
+  });
+  const [redirectUriInput, setRedirectUriInput] = useState("");
+
+  // 테넌트 목록 조회 (선택용)
+  const { data: tenantsData } = useQuery({
+    queryKey: ["tenants", { limit: 100 }],
+    queryFn: () => fetchTenants(100, 0),
+  });
+  const tenants = tenantsData?.items ?? [];
+
+  const createMutation = useMutation({
+    mutationFn: (data: HydraClientReq) => createRelyingParty(selectedTenantId, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["relyingParties"] });
+      navigate("/relying-parties");
+    },
+  });
+
+  const errorMsg = (createMutation.error as AxiosError<{ error?: string }>)
+    ?.response?.data?.error;
+
+  const handleSubmit = (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!selectedTenantId) {
+      alert("소속될 테넌트를 선택해주세요.");
+      return;
+    }
+    createMutation.mutate(formData);
+  };
+
+  const addRedirectUri = () => {
+    if (!redirectUriInput.trim()) return;
+    setFormData((prev) => ({
+      ...prev,
+      redirect_uris: [...prev.redirect_uris, redirectUriInput.trim()],
+    }));
+    setRedirectUriInput("");
+  };
+
+  const removeRedirectUri = (index: number) => {
+    setFormData((prev) => ({
+      ...prev,
+      redirect_uris: prev.redirect_uris.filter((_, i) => i !== index),
+    }));
+  };
+
+  return (
+    <div className="space-y-8">
+      <header className="flex flex-wrap items-start justify-between gap-4">
+        <div className="space-y-2">
+          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
+            <Link to="/relying-parties" className="inline-flex items-center gap-2">
+              <ArrowLeft size={14} />
+              Applications
+            </Link>
+            <span>/</span>
+            <span className="text-foreground">New App</span>
+          </div>
+          <h2 className="text-3xl font-semibold">새 애플리케이션 등록</h2>
+          <p className="text-sm text-[var(--color-muted)]">
+            전체 시스템 차원에서 새로운 Relying Party를 등록합니다.
+          </p>
+        </div>
+      </header>
+
+      <form onSubmit={handleSubmit} className="max-w-2xl">
+        <Card className="bg-[var(--color-panel)]">
+          <CardHeader>
+            <CardTitle>App & Tenant Assignment</CardTitle>
+            <CardDescription>
+              애플리케이션이 소속될 테넌트와 기본 정보를 설정합니다.
+            </CardDescription>
+          </CardHeader>
+          <CardContent className="space-y-6">
+            {errorMsg && (
+              <div className="rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
+                {errorMsg}
+              </div>
+            )}
+
+            {/* 테넌트 선택 추가 */}
+            <div className="space-y-1">
+              <Label htmlFor="tenant_select">Owner Tenant</Label>
+              <select 
+                id="tenant_select"
+                className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50"
+                value={selectedTenantId}
+                onChange={(e) => setSelectedTenantId(e.target.value)}
+                required
+              >
+                <option value="">-- 테넌트 선택 --</option>
+                {tenants.map(t => (
+                    <option key={t.id} value={t.id}>{t.name} ({t.slug})</option>
+                ))}
+              </select>
+              <p className="text-xs text-muted-foreground">이 앱을 관리할 조직을 선택하세요.</p>
+            </div>
+
+            <div className="space-y-1">
+              <Label htmlFor="client_name">Client Name</Label>
+              <Input
+                id="client_name"
+                value={formData.client_name}
+                onChange={(e) =>
+                  setFormData({ ...formData, client_name: e.target.value })
+                }
+                placeholder="My Awesome App"
+                required
+              />
+            </div>
+
+            <div className="space-y-1">
+              <Label>Redirect URIs</Label>
+              <div className="flex gap-2">
+                <Input
+                  value={redirectUriInput}
+                  onChange={(e) => setRedirectUriInput(e.target.value)}
+                  placeholder="https://myapp.com/callback"
+                  onKeyDown={(e) => {
+                    if (e.key === "Enter") {
+                      e.preventDefault();
+                      addRedirectUri();
+                    }
+                  }}
+                />
+                <Button type="button" variant="secondary" onClick={addRedirectUri}>
+                  Add
+                </Button>
+              </div>
+              <div className="mt-2 flex flex-wrap gap-2">
+                {formData.redirect_uris.map((uri, idx) => (
+                  <Badge key={idx} variant="secondary" className="gap-1 pr-1">
+                    {uri}
+                    <button
+                      type="button"
+                      onClick={() => removeRedirectUri(idx)}
+                      className="ml-1 rounded-full p-0.5 hover:bg-muted-foreground/20"
+                    >
+                      &times;
+                    </button>
+                  </Badge>
+                ))}
+              </div>
+            </div>
+
+            <div className="space-y-1">
+              <Label htmlFor="scope">Scope</Label>
+              <Input
+                id="scope"
+                value={formData.scope}
+                onChange={(e) =>
+                  setFormData({ ...formData, scope: e.target.value })
+                }
+                placeholder="openid profile email"
+              />
+            </div>
+            
+            <div className="grid grid-cols-2 gap-4">
+                <div className="space-y-1">
+                    <Label>Auth Method</Label>
+                    <select 
+                        className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring"
+                        value={formData.token_endpoint_auth_method}
+                        onChange={(e) => setFormData({...formData, token_endpoint_auth_method: e.target.value})}
+                    >
+                        <option value="client_secret_basic">client_secret_basic</option>
+                        <option value="client_secret_post">client_secret_post</option>
+                        <option value="none">none (Public Client)</option>
+                    </select>
+                </div>
+            </div>
+
+          </CardContent>
+          <CardFooter className="justify-end gap-2">
+            <Button
+              type="button"
+              variant="ghost"
+              onClick={() => navigate("/relying-parties")}
+            >
+              취소
+            </Button>
+            <Button type="submit" disabled={createMutation.isPending}>
+              <Save size={16} className="mr-2" />
+              생성
+            </Button>
+          </CardFooter>
+        </Card>
+      </form>
+    </div>
+  );
+}
+
+export default RelyingPartyCreatePage;

adminfront/src/features/relying-parties/RelyingPartyListPage.tsx

@@ -0,0 +1,175 @@
+import { useMutation, useQuery } from "@tanstack/react-query";
+import type { AxiosError } from "axios";
+import { Pencil, Plus, RefreshCw, Trash2, Share2, Building2 } from "lucide-react";
+import { useNavigate, Link } from "react-router-dom";
+import { Button } from "../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../components/ui/card";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "../../components/ui/table";
+import { deleteRelyingParty, fetchAllRelyingParties } from "../../lib/adminApi";
+
+function RelyingPartyListPage() {
+  const navigate = useNavigate();
+  
+  const query = useQuery({
+    queryKey: ["relyingParties", "all"],
+    queryFn: fetchAllRelyingParties,
+  });
+
+  const deleteMutation = useMutation({
+    mutationFn: (clientId: string) => deleteRelyingParty(clientId),
+    onSuccess: () => {
+      query.refetch();
+    },
+  });
+
+  const errorMsg = (query.error as AxiosError<{ error?: string }>)?.response
+    ?.data?.error;
+  const fallbackError =
+    !errorMsg && query.isError ? "애플리케이션 목록 조회에 실패했습니다." : null;
+
+  const items = query.data ?? [];
+
+  const handleDelete = (clientId: string, name: string) => {
+    if (!window.confirm(`앱 "${name}"를 삭제할까요?`)) {
+      return;
+    }
+    deleteMutation.mutate(clientId);
+  };
+
+  return (
+    <div className="space-y-8">
+      <header className="flex flex-wrap items-start justify-between gap-4">
+        <div className="space-y-2">
+          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
+            <span>Applications</span>
+            <span>/</span>
+            <span className="text-foreground">List</span>
+          </div>
+          <h2 className="text-3xl font-semibold">애플리케이션 관리</h2>
+          <p className="text-sm text-[var(--color-muted)]">
+            전체 테넌트의 Relying Party 목록을 확인하고 관리합니다.
+          </p>
+        </div>
+        <div className="flex items-center gap-2">
+          <Button
+            variant="outline"
+            onClick={() => query.refetch()}
+            disabled={query.isFetching}
+          >
+            <RefreshCw size={16} />
+            새로고침
+          </Button>
+          <Button asChild>
+            <Link to="/relying-parties/new">
+              <Plus size={16} />
+              앱 추가
+            </Link>
+          </Button>
+        </div>
+      </header>
+
+      <Card className="bg-[var(--color-panel)]">
+        <CardHeader className="flex flex-row items-center justify-between">
+          <div>
+            <CardTitle>Application Registry</CardTitle>
+            <CardDescription>
+              총 {items.length}개 앱 등록됨
+            </CardDescription>
+          </div>
+        </CardHeader>
+        <CardContent>
+          {(errorMsg || fallbackError) && (
+            <div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
+              {errorMsg ?? fallbackError}
+            </div>
+          )}
+
+          <Table>
+            <TableHeader>
+              <TableRow>
+                <TableHead>NAME</TableHead>
+                <TableHead>TENANT ID</TableHead>
+                <TableHead>CLIENT ID</TableHead>
+                <TableHead>UPDATED</TableHead>
+                <TableHead className="text-right">ACTIONS</TableHead>
+              </TableRow>
+            </TableHeader>
+            <TableBody>
+              {query.isLoading && (
+                <TableRow>
+                  <TableCell colSpan={5}>로딩 중...</TableCell>
+                </TableRow>
+              )}
+              {!query.isLoading && items.length === 0 && (
+                <TableRow>
+                  <TableCell colSpan={5}>
+                    등록된 애플리케이션이 없습니다.
+                  </TableCell>
+                </TableRow>
+              )}
+              {items.map((rp) => (
+                <TableRow key={rp.clientId}>
+                  <TableCell className="font-semibold">
+                    <div className="flex items-center gap-2">
+                        <Share2 size={14} className="text-primary" />
+                        {rp.name}
+                    </div>
+                  </TableCell>
+                  <TableCell>
+                    <div className="flex items-center gap-1 text-xs text-muted-foreground">
+                        <Building2 size={12} />
+                        {rp.tenantId}
+                    </div>
+                  </TableCell>
+                  <TableCell className="font-mono text-xs text-muted-foreground">
+                    {rp.clientId}
+                  </TableCell>
+                  <TableCell>
+                    {rp.updatedAt
+                      ? new Date(rp.updatedAt).toLocaleString("ko-KR")
+                      : "-"}
+                  </TableCell>
+                  <TableCell className="text-right">
+                    <div className="flex justify-end gap-2">
+                      <Button
+                        variant="outline"
+                        size="sm"
+                        onClick={() => navigate(`/tenants/${rp.tenantId}/relying-parties/${rp.clientId}`)}
+                      >
+                        <Pencil size={14} />
+                        관리
+                      </Button>
+                      <Button
+                        variant="outline"
+                        size="sm"
+                        onClick={() => handleDelete(rp.clientId, rp.name)}
+                        disabled={deleteMutation.isPending}
+                      >
+                        <Trash2 size={14} />
+                      </Button>
+                    </div>
+                  </TableCell>
+                </TableRow>
+              ))}
+            </TableBody>
+          </Table>
+        </CardContent>
+      </Card>
+    </div>
+  );
+}
+
+export default RelyingPartyListPage;

adminfront/src/features/tenants/routes/TenantProfilePage.tsx

@@ -1,7 +1,7 @@
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import type { AxiosError } from "axios";
 import { Save, Trash2 } from "lucide-react";
-import { useEffect, useMemo, useState } from "react";
+import { useEffect, useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { Button } from "../../../components/ui/button";
 import {

adminfront/src/features/tenants/routes/TenantRelyingPartyCreatePage.tsx

@@ -0,0 +1,239 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import type { AxiosError } from "axios";
+import { ArrowLeft, Save } from "lucide-react";
+import { useState } from "react";
+import { Link, useNavigate, useParams } from "react-router-dom";
+import { Button } from "../../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from "../../../components/ui/card";
+import { Input } from "../../../components/ui/input";
+import { Label } from "../../../components/ui/label";
+import {
+  createRelyingParty,
+} from "../../../lib/adminApi";
+import type { HydraClientReq } from "../../../lib/adminApi";
+import { Badge } from "../../../components/ui/badge";
+
+function TenantRelyingPartyCreatePage() {
+  const { tenantId } = useParams<{ tenantId: string }>();
+  const navigate = useNavigate();
+  const queryClient = useQueryClient();
+
+  const [formData, setFormData] = useState<HydraClientReq>({
+    client_name: "",
+    redirect_uris: [],
+    scope: "openid profile email",
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "client_secret_basic",
+  });
+  const [redirectUriInput, setRedirectUriInput] = useState("");
+
+  const createMutation = useMutation({
+    mutationFn: (data: HydraClientReq) => createRelyingParty(tenantId!, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: ["relyingParties", tenantId] });
+      navigate(`/tenants/${tenantId}/relying-parties`);
+    },
+  });
+
+  const errorMsg = (createMutation.error as AxiosError<{ error?: string }>)
+    ?.response?.data?.error;
+
+  const handleSubmit = (e: React.FormEvent) => {
+    e.preventDefault();
+    createMutation.mutate(formData);
+  };
+
+  const addRedirectUri = () => {
+    if (!redirectUriInput.trim()) return;
+    setFormData((prev) => ({
+      ...prev,
+      redirect_uris: [...prev.redirect_uris, redirectUriInput.trim()],
+    }));
+    setRedirectUriInput("");
+  };
+
+  const removeRedirectUri = (index: number) => {
+    setFormData((prev) => ({
+      ...prev,
+      redirect_uris: prev.redirect_uris.filter((_, i) => i !== index),
+    }));
+  };
+
+  return (
+    <div className="space-y-8">
+      <header className="flex flex-wrap items-start justify-between gap-4">
+        <div className="space-y-2">
+          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
+            <Link to={`/tenants/${tenantId}/relying-parties`} className="inline-flex items-center gap-2">
+              <ArrowLeft size={14} />
+              Back to List
+            </Link>
+            <span>/</span>
+            <span className="text-foreground">New App</span>
+          </div>
+          <h2 className="text-3xl font-semibold">새 애플리케이션 등록</h2>
+          <p className="text-sm text-[var(--color-muted)]">
+            Ory Hydra OAuth2 Client를 생성하고 현재 테넌트에 연결합니다.
+          </p>
+        </div>
+      </header>
+
+      <form onSubmit={handleSubmit} className="max-w-2xl">
+        <Card className="bg-[var(--color-panel)]">
+          <CardHeader>
+            <CardTitle>Basic Information</CardTitle>
+            <CardDescription>
+              애플리케이션의 기본 정보를 입력하세요.
+            </CardDescription>
+          </CardHeader>
+          <CardContent className="space-y-4">
+            {errorMsg && (
+              <div className="rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
+                {errorMsg}
+              </div>
+            )}
+
+            <div className="space-y-1">
+              <Label htmlFor="client_name">Client Name</Label>
+              <Input
+                id="client_name"
+                value={formData.client_name}
+                onChange={(e) =>
+                  setFormData({ ...formData, client_name: e.target.value })
+                }
+                placeholder="My Awesome App"
+                required
+              />
+            </div>
+
+            <div className="space-y-1">
+              <Label>Redirect URIs</Label>
+              <div className="flex gap-2">
+                <Input
+                  value={redirectUriInput}
+                  onChange={(e) => setRedirectUriInput(e.target.value)}
+                  placeholder="https://myapp.com/callback"
+                  onKeyDown={(e) => {
+                    if (e.key === "Enter") {
+                      e.preventDefault();
+                      addRedirectUri();
+                    }
+                  }}
+                />
+                <Button type="button" variant="secondary" onClick={addRedirectUri}>
+                  Add
+                </Button>
+              </div>
+              <div className="mt-2 flex flex-wrap gap-2">
+                {formData.redirect_uris.map((uri, idx) => (
+                  <Badge key={idx} variant="secondary" className="gap-1 pr-1">
+                    {uri}
+                    <button
+                      type="button"
+                      onClick={() => removeRedirectUri(idx)}
+                      className="ml-1 rounded-full p-0.5 hover:bg-muted-foreground/20"
+                    >
+                      &times;
+                    </button>
+                  </Badge>
+                ))}
+              </div>
+              <p className="text-xs text-muted-foreground">
+                OAuth2 인증 후 리디렉션될 URI 목록입니다.
+              </p>
+            </div>
+
+            <div className="space-y-1">
+              <Label htmlFor="scope">Scope</Label>
+              <Input
+                id="scope"
+                value={formData.scope}
+                onChange={(e) =>
+                  setFormData({ ...formData, scope: e.target.value })
+                }
+                placeholder="openid profile email"
+              />
+              <p className="text-xs text-muted-foreground">
+                Space-separated scopes.
+              </p>
+            </div>
+            
+            <div className="grid grid-cols-2 gap-4">
+                <div className="space-y-1">
+                    <Label>Grant Types</Label>
+                    <div className="flex flex-col gap-1 text-sm text-muted-foreground">
+                        <label className="flex items-center gap-2">
+                            <input 
+                                type="checkbox" 
+                                checked={formData.grant_types?.includes("authorization_code")}
+                                disabled
+                            /> authorization_code
+                        </label>
+                        <label className="flex items-center gap-2">
+                            <input 
+                                type="checkbox" 
+                                checked={formData.grant_types?.includes("refresh_token")}
+                                disabled
+                            /> refresh_token
+                        </label>
+                        <label className="flex items-center gap-2">
+                            <input 
+                                type="checkbox" 
+                                checked={formData.grant_types?.includes("client_credentials")}
+                                onChange={(e) => {
+                                    const checked = e.target.checked;
+                                    setFormData(prev => ({
+                                        ...prev,
+                                        grant_types: checked 
+                                            ? [...(prev.grant_types || []), "client_credentials"]
+                                            : (prev.grant_types || []).filter(t => t !== "client_credentials")
+                                    }))
+                                }}
+                            /> client_credentials
+                        </label>
+                    </div>
+                </div>
+
+                <div className="space-y-1">
+                    <Label>Auth Method</Label>
+                    <select 
+                        className="flex h-9 w-full rounded-md border border-input bg-transparent px-3 py-1 text-sm shadow-sm transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50"
+                        value={formData.token_endpoint_auth_method}
+                        onChange={(e) => setFormData({...formData, token_endpoint_auth_method: e.target.value})}
+                    >
+                        <option value="client_secret_basic">client_secret_basic</option>
+                        <option value="client_secret_post">client_secret_post</option>
+                        <option value="none">none (Public Client)</option>
+                    </select>
+                </div>
+            </div>
+
+          </CardContent>
+          <CardFooter className="justify-end gap-2">
+            <Button
+              type="button"
+              variant="ghost"
+              onClick={() => navigate(`/tenants/${tenantId}/relying-parties`)}
+            >
+              취소
+            </Button>
+            <Button type="submit" disabled={createMutation.isPending}>
+              <Save size={16} className="mr-2" />
+              생성
+            </Button>
+          </CardFooter>
+        </Card>
+      </form>
+    </div>
+  );
+}
+
+export default TenantRelyingPartyCreatePage;

adminfront/src/features/tenants/routes/TenantRelyingPartyDetailPage.tsx

@@ -0,0 +1,126 @@
+import { useQuery } from "@tanstack/react-query";
+import { ArrowLeft, Copy, ShieldCheck } from "lucide-react";
+import { Link, useParams } from "react-router-dom";
+import { Badge } from "../../../components/ui/badge";
+import { Button } from "../../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../../components/ui/card";
+import { fetchRelyingParty } from "../../../lib/adminApi";
+
+function TenantRelyingPartyDetailPage() {
+  const { tenantId, id } = useParams<{ tenantId: string; id: string }>();
+
+  const { data, isLoading, error } = useQuery({
+    queryKey: ["relyingParty", id],
+    queryFn: () => fetchRelyingParty(id!),
+    enabled: !!id,
+  });
+
+  const copyToClipboard = (text: string) => {
+    navigator.clipboard.writeText(text);
+    alert("복사되었습니다.");
+  };
+
+  if (isLoading) return <div>Loading...</div>;
+  if (error) return <div className="text-destructive">Error loading app details.</div>;
+
+  const { relyingParty, oauth2Config } = data!;
+
+  return (
+    <div className="space-y-8">
+      <header className="flex flex-wrap items-start justify-between gap-4">
+        <div className="space-y-2">
+          <div className="flex items-center gap-2 text-sm text-[var(--color-muted)]">
+            <Link to={`/tenants/${tenantId}/relying-parties`} className="inline-flex items-center gap-2">
+              <ArrowLeft size={14} />
+              Relying Parties
+            </Link>
+            <span>/</span>
+            <span className="text-foreground">{relyingParty.name}</span>
+          </div>
+          <h2 className="text-3xl font-semibold">{relyingParty.name}</h2>
+          <p className="text-sm text-[var(--color-muted)]">
+            {relyingParty.description || "상세 설정을 확인하고 관리합니다."}
+          </p>
+        </div>
+        <Badge variant="outline" className="bg-green-50 text-green-700 border-green-200">
+            <ShieldCheck size={14} className="mr-1" />
+            Keto Protected
+        </Badge>
+      </header>
+
+      <div className="grid gap-6 md:grid-cols-2">
+        <Card className="bg-[var(--color-panel)]">
+          <CardHeader>
+            <CardTitle>OAuth2 Credentials</CardTitle>
+            <CardDescription>연동에 필요한 클라이언트 정보입니다.</CardDescription>
+          </CardHeader>
+          <CardContent className="space-y-4">
+            <div className="space-y-1">
+              <p className="text-xs font-medium text-muted-foreground uppercase">Client ID</p>
+              <div className="flex items-center gap-2">
+                <code className="flex-1 rounded bg-muted p-2 text-sm">{oauth2Config.client_id}</code>
+                <Button variant="ghost" size="sm" onClick={() => copyToClipboard(oauth2Config.client_id!)}>
+                  <Copy size={14} />
+                </Button>
+              </div>
+            </div>
+
+            <div className="space-y-1">
+              <p className="text-xs font-medium text-muted-foreground uppercase">Client Secret</p>
+              <div className="flex items-center gap-2">
+                <code className="flex-1 rounded bg-muted p-2 text-sm">
+                    {oauth2Config.client_secret || (oauth2Config.metadata?.client_secret as string) || "********"}
+                </code>
+                {(oauth2Config.client_secret || oauth2Config.metadata?.client_secret) && (
+                    <Button variant="ghost" size="sm" onClick={() => copyToClipboard((oauth2Config.client_secret || oauth2Config.metadata?.client_secret) as string)}>
+                        <Copy size={14} />
+                    </Button>
+                )}
+              </div>
+              <p className="text-[10px] text-amber-600">
+                * Secret은 생성 시점에만 노출되거나 메타데이터에 암호화되어 저장될 수 있습니다.
+              </p>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card className="bg-[var(--color-panel)]">
+          <CardHeader>
+            <CardTitle>Configuration</CardTitle>
+            <CardDescription>OAuth2 동작 설정</CardDescription>
+          </CardHeader>
+          <CardContent className="space-y-4">
+            <div className="space-y-1">
+              <p className="text-xs font-medium text-muted-foreground uppercase">Redirect URIs</p>
+              <ul className="list-inside list-disc text-sm">
+                {(oauth2Config.redirect_uris || []).map((uri, i) => (
+                  <li key={i}>{uri}</li>
+                ))}
+              </ul>
+            </div>
+            <div className="space-y-1">
+              <p className="text-xs font-medium text-muted-foreground uppercase">Allowed Scopes</p>
+              <div className="flex flex-wrap gap-1">
+                {(oauth2Config.scope || "").split(" ").filter(Boolean).map(s => (
+                    <Badge key={s} variant="secondary">{s}</Badge>
+                ))}
+              </div>
+            </div>
+            <div className="space-y-1">
+              <p className="text-xs font-medium text-muted-foreground uppercase">Auth Method</p>
+              <span className="text-sm">{oauth2Config.token_endpoint_auth_method}</span>
+            </div>
+          </CardContent>
+        </Card>
+      </div>
+    </div>
+  );
+}
+
+export default TenantRelyingPartyDetailPage;

adminfront/src/features/tenants/routes/TenantRelyingPartyListPage.tsx

@@ -0,0 +1,155 @@
+import { useMutation, useQuery } from "@tanstack/react-query";
+import type { AxiosError } from "axios";
+import { Pencil, Plus, RefreshCw, Trash2, Share2 } from "lucide-react";
+import { Link, useNavigate, useParams } from "react-router-dom";
+import { Button } from "../../../components/ui/button";
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from "../../../components/ui/card";
+import {
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+} from "../../../components/ui/table";
+import { deleteRelyingParty, fetchRelyingParties } from "../../../lib/adminApi";
+
+function TenantRelyingPartyListPage() {
+  const { tenantId } = useParams<{ tenantId: string }>();
+  const navigate = useNavigate();
+  
+  const query = useQuery({
+    queryKey: ["relyingParties", tenantId],
+    queryFn: () => fetchRelyingParties(tenantId!),
+    enabled: !!tenantId,
+  });
+
+  const deleteMutation = useMutation({
+    mutationFn: (clientId: string) => deleteRelyingParty(clientId),
+    onSuccess: () => {
+      query.refetch();
+    },
+  });
+
+  const errorMsg = (query.error as AxiosError<{ error?: string }>)?.response
+    ?.data?.error;
+  const fallbackError =
+    !errorMsg && query.isError ? "앱 목록 조회에 실패했습니다." : null;
+
+  const items = query.data ?? [];
+
+  const handleDelete = (clientId: string, name: string) => {
+    if (!window.confirm(`앱 "${name}"를 삭제할까요?`)) {
+      return;
+    }
+    deleteMutation.mutate(clientId);
+  };
+
+  return (
+    <Card className="bg-[var(--color-panel)] mt-6">
+      <CardHeader className="flex flex-row items-center justify-between">
+        <div>
+          <CardTitle>Relying Parties (Apps)</CardTitle>
+          <CardDescription>
+            이 테넌트에 등록된 OAuth2/OIDC 애플리케이션입니다.
+          </CardDescription>
+        </div>
+        <div className="flex items-center gap-2">
+            <Button
+                variant="outline"
+                size="sm"
+                onClick={() => query.refetch()}
+                disabled={query.isFetching}
+            >
+                <RefreshCw size={14} />
+                새로고침
+            </Button>
+            <Button size="sm" asChild>
+                <Link to={`/tenants/${tenantId}/relying-parties/new`}>
+                <Plus size={14} />
+                앱 추가
+                </Link>
+            </Button>
+        </div>
+      </CardHeader>
+      <CardContent>
+        {(errorMsg || fallbackError) && (
+          <div className="mb-4 rounded-lg border border-destructive/40 bg-destructive/10 px-3 py-2 text-sm text-destructive">
+            {errorMsg ?? fallbackError}
+          </div>
+        )}
+
+        <Table>
+          <TableHeader>
+            <TableRow>
+              <TableHead>CLIENT ID</TableHead>
+              <TableHead>NAME</TableHead>
+              <TableHead>DESCRIPTION</TableHead>
+              <TableHead>UPDATED</TableHead>
+              <TableHead className="text-right">ACTIONS</TableHead>
+            </TableRow>
+          </TableHeader>
+          <TableBody>
+            {query.isLoading && (
+              <TableRow>
+                <TableCell colSpan={5}>로딩 중...</TableCell>
+              </TableRow>
+            )}
+            {!query.isLoading && items.length === 0 && (
+              <TableRow>
+                <TableCell colSpan={5}>
+                  아직 등록된 앱이 없습니다.
+                </TableCell>
+              </TableRow>
+            )}
+            {items.map((rp) => (
+              <TableRow key={rp.clientId}>
+                <TableCell className="font-mono text-xs">{rp.clientId}</TableCell>
+                <TableCell className="font-semibold">
+                    <div className="flex items-center gap-2">
+                        <Share2 size={14} className="text-muted-foreground" />
+                        {rp.name}
+                    </div>
+                </TableCell>
+                <TableCell className="text-muted-foreground">{rp.description || "-"}</TableCell>
+                <TableCell>
+                  {rp.updatedAt
+                    ? new Date(rp.updatedAt).toLocaleString("ko-KR")
+                    : "-"}
+                </TableCell>
+                <TableCell className="text-right">
+                  <div className="flex justify-end gap-2">
+                    <Button
+                      variant="outline"
+                      size="sm"
+                      onClick={() => navigate(`/tenants/${tenantId}/relying-parties/${rp.clientId}`)}
+                    >
+                      <Pencil size={14} />
+                      관리
+                    </Button>
+                    <Button
+                      variant="outline"
+                      size="sm"
+                      onClick={() => handleDelete(rp.clientId, rp.name)}
+                      disabled={deleteMutation.isPending}
+                    >
+                      <Trash2 size={14} />
+                    </Button>
+                  </div>
+                </TableCell>
+              </TableRow>
+            ))}
+          </TableBody>
+        </Table>
+      </CardContent>
+    </Card>
+  );
+}
+
+export default TenantRelyingPartyListPage;

backend/internal/bootstrap/bootstrap.go

@@ -36,7 +36,7 @@ func migrateSchemas(db *gorm.DB) error {
 		&domain.User{},
 		&domain.ApiKey{},
 		&domain.IdentityProviderConfig{},
-		// &domain.RelyingParty{}, // TODO: Uncomment when model is ready
+		&domain.RelyingParty{},
 		// &domain.UserConsent{},  // TODO: Uncomment when model is ready
 	)
 }

backend/internal/bootstrap/keto_sync.go

@@ -0,0 +1,52 @@
+package bootstrap
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"context"
+	"log/slog"
+
+	"gorm.io/gorm"
+)
+
+// SyncKetoRelations synchronizes all existing DB users and tenants to Ory Keto.
+// This ensures data consistency for existing data when ReBAC is introduced.
+func SyncKetoRelations(db *gorm.DB, keto service.KetoService) error {
+	slog.Info("🚀 Starting Keto ReBAC relation synchronization...")
+	ctx := context.Background()
+
+	// 1. Sync All Tenants (Ensure they exist in Keto if needed)
+	var tenants []domain.Tenant
+	if err := db.Find(&tenants).Error; err != nil {
+		return err
+	}
+	slog.Info("Syncing tenants to Keto", "count", len(tenants))
+	for _, t := range tenants {
+		if t.ParentID != nil {
+			_ = keto.CreateRelation(ctx, "Tenant", t.ID, "parent", *t.ParentID)
+		}
+	}
+
+	// 2. Sync All Users
+	var users []domain.User
+	if err := db.Find(&users).Error; err != nil {
+		return err
+	}
+	slog.Info("Syncing users to Keto", "count", len(users))
+	for _, u := range users {
+		// Membership
+		if u.TenantID != nil {
+			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "members", u.ID)
+		}
+
+		// Roles
+		if u.Role == domain.RoleSuperAdmin {
+			_ = keto.CreateRelation(ctx, "System", "global", "super_admins", u.ID)
+		} else if u.Role == domain.RoleTenantAdmin && u.TenantID != nil {
+			_ = keto.CreateRelation(ctx, "Tenant", *u.TenantID, "admins", u.ID)
+		}
+	}
+
+	slog.Info("✅ Keto ReBAC synchronization completed.")
+	return nil
+}

backend/internal/domain/hydra_models.go

@@ -0,0 +1,38 @@
+package domain
+
+import "time"
+
+type HydraClient struct {
+	ClientID                string                 `json:"client_id"`
+	ClientName              string                 `json:"client_name,omitempty"`
+	ClientSecret            string                 `json:"client_secret,omitempty"` // Added
+	RedirectURIs            []string               `json:"redirect_uris,omitempty"`
+	GrantTypes              []string               `json:"grant_types,omitempty"`
+	ResponseTypes           []string               `json:"response_types,omitempty"`
+	Scope                   string                 `json:"scope,omitempty"`
+	TokenEndpointAuthMethod string                 `json:"token_endpoint_auth_method,omitempty"`
+	Metadata                map[string]interface{} `json:"metadata,omitempty"`
+}
+
+type HydraConsentRequest struct {
+	Challenge         string      `json:"challenge"`
+	RequestedScope    []string    `json:"requested_scope"`
+	RequestedAudience []string    `json:"requested_access_token_audience"`
+	Skip              bool        `json:"skip"`
+	Subject           string      `json:"subject"`
+	Client            HydraClient `json:"client"`
+}
+
+type HydraConsentSession struct {
+	ConsentRequestID string               `json:"consent_request_id,omitempty"`
+	Subject          string               `json:"subject,omitempty"`
+	GrantedScope     []string             `json:"grant_scope,omitempty"`
+	GrantedAudience  []string             `json:"grant_access_token_audience,omitempty"`
+	Remember         bool                 `json:"remember"`
+	RememberFor      int                  `json:"remember_for,omitempty"`
+	AuthenticatedAt  *time.Time           `json:"authenticated_at,omitempty"`
+	RequestedAt      *time.Time           `json:"requested_at,omitempty"`
+	HandledAt        *time.Time           `json:"handled_at,omitempty"`
+	Client           HydraClient          `json:"client,omitempty"`
+	ConsentRequest   *HydraConsentRequest `json:"consent_request,omitempty"`
+}

backend/internal/domain/relying_party.go

@@ -0,0 +1,26 @@
+package domain
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// RelyingParty represents an OAuth2 Client owner by a Tenant.
+// It maps 1:1 to a Hydra Client.
+type RelyingParty struct {
+	ClientID    string         `gorm:"primaryKey" json:"clientId"` // Maps to Hydra Client ID
+	TenantID    string         `gorm:"index;not null" json:"tenantId"`
+	Name        string         `json:"name"` // Display name (can be same as Hydra Client Name)
+	Description string         `json:"description"`
+	CreatedAt   time.Time      `json:"createdAt"`
+	UpdatedAt   time.Time      `json:"updatedAt"`
+	DeletedAt   gorm.DeletedAt `gorm:"index" json:"-"`
+
+	// We don't store OAuth2 specific config here (redirect_uris, etc.)
+	// those are fetched from Hydra on demand.
+}
+
+func (rp *RelyingParty) TableName() string {
+	return "relying_parties"
+}

backend/internal/handler/auth_handler.go

@@ -3424,6 +3424,53 @@ func (h *AuthHandler) AcceptOidcLoginRequest(c *fiber.Ctx) error {
 }
 
 func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error) {
+	slog.Info("🚨 [FATAL_DEBUG] ENVIRONMENT CHECK", 
+		"APP_ENV", os.Getenv("APP_ENV"), 
+		"GO_ENV", os.Getenv("GO_ENV"),
+		"X-Test-Role", c.Get("X-Test-Role"),
+	)
+	slog.Info("🚀 [TRACE] resolveCurrentProfile entry", "path", c.Path(), "method", c.Method())
+	// [Dev Only] Mock Role Bypass
+	appEnv := strings.ToLower(os.Getenv("APP_ENV"))
+	mockRole := c.Get("X-Test-Role")
+	if mockRole == "" {
+		mockRole = c.Get("X-Mock-Role")
+	}
+
+	// Always log in development to see what's happening
+	if appEnv == "dev" || appEnv == "development" || appEnv == "" {
+		slog.Info("🔍 [AUTH_DEBUG] Checking mock role", 
+			"env", appEnv, 
+			"mockRole", mockRole, 
+			"X-Test-Role", c.Get("X-Test-Role"),
+			"X-Mock-Role", c.Get("X-Mock-Role"),
+		)
+	}
+
+	// If in dev mode and we have a mock role, bypass Kratos
+	if (appEnv == "dev" || appEnv == "development" || appEnv == "") && mockRole != "" {
+		slog.Info("🔑 [AUTH_DEBUG] Mock bypass SUCCESS", "role", mockRole)
+		mockProfile := &domain.UserProfileResponse{
+			ID:    "00000000-0000-0000-0000-000000000000",
+			Email: "mock@hmac.kr",
+			Name:  "Dev Mock User",
+			Role:  mockRole,
+		}
+		if tid := c.Get("X-Tenant-ID"); tid != "" {
+			mockProfile.TenantID = &tid
+		}
+		return mockProfile, nil
+	}
+
+	// Mock bypass failed - log headers for debugging if in dev
+	if appEnv == "dev" || appEnv == "development" || appEnv == "" {
+		slog.Warn("⚠️ [DEBUG] Mock auth bypass failed", 
+			"appEnv", appEnv, 
+			"X-Test-Role", c.Get("X-Test-Role"), 
+			"X-Mock-Role", c.Get("X-Mock-Role"),
+			"path", c.Path())
+	}
+
 	var profile *domain.UserProfileResponse
 	var err error
 
@@ -3438,7 +3485,7 @@ func (h *AuthHandler) resolveCurrentProfile(c *fiber.Ctx) (*domain.UserProfileRe
 	}
 
 	if err != nil || profile == nil {
-		return nil, errors.New("invalid session")
+		return nil, errors.New("invalid session (trace:resolve_profile)")
 	}
 
 	// [New] Enrich with Local DB (Roles, TenantID, etc.)

backend/internal/handler/relying_party_handler.go

@@ -0,0 +1,111 @@
+package handler
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/service"
+	"github.com/gofiber/fiber/v2"
+	"log/slog"
+)
+
+type RelyingPartyHandler struct {
+	Service service.RelyingPartyService
+}
+
+func NewRelyingPartyHandler(s service.RelyingPartyService) *RelyingPartyHandler {
+	return &RelyingPartyHandler{Service: s}
+}
+
+func (h *RelyingPartyHandler) Create(c *fiber.Ctx) error {
+	tenantID := c.Params("tenantId")
+	if tenantID == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
+	}
+
+	var req domain.HydraClient
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	rp, err := h.Service.Create(c.Context(), tenantID, req)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(rp)
+}
+
+func (h *RelyingPartyHandler) ListAll(c *fiber.Ctx) error {
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized: user profile not found in context"})
+	}
+
+	var rps []domain.RelyingParty
+	var err error
+
+	if profile.Role == domain.RoleSuperAdmin {
+		rps, err = h.Service.ListAll(c.Context())
+	} else if profile.Role == domain.RoleTenantAdmin && profile.TenantID != nil {
+		rps, err = h.Service.List(c.Context(), *profile.TenantID)
+	} else {
+		slog.Warn("Forbidden access to all applications", "userID", profile.ID, "role", profile.Role)
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: insufficient role to list all applications"})
+	}
+
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(rps)
+}
+
+func (h *RelyingPartyHandler) List(c *fiber.Ctx) error {
+	tenantID := c.Params("tenantId")
+	if tenantID == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "tenantId is required"})
+	}
+
+	rps, err := h.Service.List(c.Context(), tenantID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(rps)
+}
+
+func (h *RelyingPartyHandler) Get(c *fiber.Ctx) error {
+	id := c.Params("id")
+	rp, hydraClient, err := h.Service.Get(c.Context(), id)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "relying party not found"})
+	}
+
+	return c.JSON(fiber.Map{
+		"relyingParty": rp,
+		"oauth2Config": hydraClient,
+	})
+}
+
+func (h *RelyingPartyHandler) Update(c *fiber.Ctx) error {
+	id := c.Params("id")
+	var req domain.HydraClient
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	rp, err := h.Service.Update(c.Context(), id, req)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(rp)
+}
+
+func (h *RelyingPartyHandler) Delete(c *fiber.Ctx) error {
+	id := c.Params("id")
+	if err := h.Service.Delete(c.Context(), id); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}

backend/internal/handler/user_handler.go

@@ -55,12 +55,13 @@ type userListResponse struct {
 }
 
 func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
-	if h.KratosAdmin == nil {
-		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "identity provider not available"})
-	}
-
 	// [New] Get requester profile from middleware
-	requester, _ := c.Locals("user_profile").(*domain.UserProfileResponse)
+	var requesterRole string
+	var requesterCompany string
+	if profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse); ok {
+		requesterRole = profile.Role
+		requesterCompany = profile.CompanyCode
+	}
 
 	limit := c.QueryInt("limit", 50)
 	offset := c.QueryInt("offset", 0)
@@ -73,52 +74,82 @@ func (h *UserHandler) ListUsers(c *fiber.Ctx) error {
 		offset = 0
 	}
 
+	// 1. Try Kratos First
 	identities, err := h.KratosAdmin.ListIdentities(c.Context())
+	if err == nil {
+		filtered := make([]service.KratosIdentity, 0, len(identities))
+		searchLower := strings.ToLower(search)
+
+		for _, identity := range identities {
+			email := strings.ToLower(extractTraitString(identity.Traits, "email"))
+			name := strings.ToLower(extractTraitString(identity.Traits, "name"))
+			compCode := extractTraitString(identity.Traits, "companyCode")
+
+			// Tenant Admin filtering
+			if requesterRole == domain.RoleTenantAdmin {
+				if requesterCompany == "" || compCode != requesterCompany {
+					continue
+				}
+			}
+
+			// Search filtering
+			if search != "" {
+				if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
+					continue
+				}
+			}
+			filtered = append(filtered, identity)
+		}
+
+		total := int64(len(filtered))
+		if offset > len(filtered) {
+			offset = len(filtered)
+		}
+		end := offset + limit
+		if end > len(filtered) {
+			end = len(filtered)
+		}
+
+		items := make([]userSummary, 0, end-offset)
+		for _, identity := range filtered[offset:end] {
+			summary := h.mapIdentitySummary(c.Context(), identity)
+			items = append(items, summary)
+		}
+
+		return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
+	}
+
+	// 2. Fallback to Local DB if Kratos is down (Development only recommended)
+	slog.Warn("Kratos unavailable, falling back to local DB for user list", "error", err)
+
+	// Fetch from UserRepo
+	users, total, err := h.UserRepo.List(c.Context(), offset, limit, search)
 	if err != nil {
-		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "failed to fetch users from both kratos and local db"})
 	}
 
-	filtered := make([]service.KratosIdentity, 0, len(identities))
+	items := make([]userSummary, 0, len(users))
-	searchLower := strings.ToLower(search)
+	for _, u := range users {
-
+		items = append(items, userSummary{
-	for _, identity := range identities {
+			ID:          u.ID,
-		email := strings.ToLower(extractTraitString(identity.Traits, "email"))
+			Email:       u.Email,
-		name := strings.ToLower(extractTraitString(identity.Traits, "name"))
+			Name:        u.Name,
-		compCode := extractTraitString(identity.Traits, "companyCode")
+			Phone:       u.Phone,
-
+			Role:        u.Role,
-		// 1. Tenant Admin filtering
+			Status:      u.Status,
-		if requester != nil && requester.Role == domain.RoleTenantAdmin {
+			CompanyCode: u.CompanyCode,
-			if requester.CompanyCode == "" || compCode != requester.CompanyCode {
+			Department:  u.Department,
-				continue // Skip users from other tenants
+			CreatedAt:   u.CreatedAt.Format(time.RFC3339),
-			}
+			UpdatedAt:   u.UpdatedAt.Format(time.RFC3339),
-		}
+		})
-
-		// 2. Search filtering
-		if search != "" {
-			if !strings.Contains(email, searchLower) && !strings.Contains(name, searchLower) {
-				continue
-			}
-		}
-
-		filtered = append(filtered, identity)
 	}
 
-	total := int64(len(filtered))
+	return c.JSON(userListResponse{
-	if offset > len(filtered) {
+		Items:  items,
-		offset = len(filtered)
+		Total:  total,
-	}
+		Limit:  limit,
-	end := offset + limit
+		Offset: offset,
-	if end > len(filtered) {
+	})
-		end = len(filtered)
-	}
-
-	items := make([]userSummary, 0, end-offset)
-	for _, identity := range filtered[offset:end] {
-		summary := h.mapIdentitySummary(c.Context(), identity)
-		items = append(items, summary)
-	}
-
-	return c.JSON(userListResponse{Items: items, Limit: limit, Offset: offset, Total: total})
 }
 
 func (h *UserHandler) GetUser(c *fiber.Ctx) error {

backend/internal/middleware/api_key_auth.go

@@ -101,7 +101,7 @@ func validateScope(method, path string, rawScopes string) bool {
 	}
 
 	// 3. 테넌트 관리 관련 (tenant:*)
-	if strings.Contains(path, "/admin/tenants") {
+	if strings.Contains(path, "/admin/tenants") || strings.Contains(path, "/admin/relying-parties") {
 		if method == fiber.MethodGet {
 			return scopeMap["tenant:read"]
 		}

backend/internal/middleware/rbac.go

@@ -18,16 +18,14 @@ type RBACConfig struct {
 // RequireKetoPermission enforces permissions using Ory Keto (ReBAC)
 func RequireKetoPermission(config RBACConfig, namespace, relation string) fiber.Handler {
 	return func(c *fiber.Ctx) error {
-		// Bypass if already authenticated via API Key
-		if c.Locals("apiKeyName") != nil {
-			return c.Next()
-		}
-
 		profile, err := config.AuthHandler.GetEnrichedProfile(c)
 		if err != nil {
-			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_keto)"})
 		}
 
+		// Store profile in locals for further use in handlers
+		c.Locals("user_profile", profile)
+
 		// Super Admin bypass
 		if profile.Role == domain.RoleSuperAdmin {
 			return c.Next()
@@ -65,10 +63,13 @@ func RequireRole(config RBACConfig) fiber.Handler {
 		profile, err := config.AuthHandler.GetEnrichedProfile(c)
 		if err != nil {
 			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{
-				"error": "unauthorized: " + err.Error(),
+				"error": "unauthorized (trace:rbac_role): " + err.Error(),
 			})
 		}
 
+		// Store profile in locals for further use in handlers
+		c.Locals("user_profile", profile)
+
 		// Super Admin always has access
 		if profile.Role == domain.RoleSuperAdmin {
 			return c.Next()
@@ -112,9 +113,12 @@ func RequireTenantMatch(config RBACConfig) fiber.Handler {
 
 		profile, err := config.AuthHandler.GetEnrichedProfile(c)
 		if err != nil {
-			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized (trace:rbac_match)"})
 		}
 
+		// Store profile in locals for further use in handlers
+		c.Locals("user_profile", profile)
+
 		// Super Admin bypass
 		if profile.Role == domain.RoleSuperAdmin {
 			return c.Next()

backend/internal/repository/relying_party_repository.go

@@ -0,0 +1,61 @@
+package repository
+
+import (
+	"baron-sso-backend/internal/domain"
+	"context"
+
+	"gorm.io/gorm"
+)
+
+type RelyingPartyRepository interface {
+	Create(ctx context.Context, rp *domain.RelyingParty) error
+	Update(ctx context.Context, rp *domain.RelyingParty) error
+	Delete(ctx context.Context, clientID string) error
+	FindByID(ctx context.Context, clientID string) (*domain.RelyingParty, error)
+	ListByTenantID(ctx context.Context, tenantID string) ([]domain.RelyingParty, error)
+	ListAll(ctx context.Context) ([]domain.RelyingParty, error)
+}
+
+func (r *relyingPartyRepository) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
+	var rps []domain.RelyingParty
+	if err := r.db.WithContext(ctx).Find(&rps).Error; err != nil {
+		return nil, err
+	}
+	return rps, nil
+}
+
+type relyingPartyRepository struct {
+	db *gorm.DB
+}
+
+func NewRelyingPartyRepository(db *gorm.DB) RelyingPartyRepository {
+	return &relyingPartyRepository{db: db}
+}
+
+func (r *relyingPartyRepository) Create(ctx context.Context, rp *domain.RelyingParty) error {
+	return r.db.WithContext(ctx).Create(rp).Error
+}
+
+func (r *relyingPartyRepository) Update(ctx context.Context, rp *domain.RelyingParty) error {
+	return r.db.WithContext(ctx).Save(rp).Error
+}
+
+func (r *relyingPartyRepository) Delete(ctx context.Context, clientID string) error {
+	return r.db.WithContext(ctx).Delete(&domain.RelyingParty{}, "client_id = ?", clientID).Error
+}
+
+func (r *relyingPartyRepository) FindByID(ctx context.Context, clientID string) (*domain.RelyingParty, error) {
+	var rp domain.RelyingParty
+	if err := r.db.WithContext(ctx).First(&rp, "client_id = ?", clientID).Error; err != nil {
+		return nil, err
+	}
+	return &rp, nil
+}
+
+func (r *relyingPartyRepository) ListByTenantID(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
+	var rps []domain.RelyingParty
+	if err := r.db.WithContext(ctx).Where("tenant_id = ?", tenantID).Find(&rps).Error; err != nil {
+		return nil, err
+	}
+	return rps, nil
+}

backend/internal/repository/user_repository.go

@@ -13,6 +13,7 @@ type UserRepository interface {
 	FindByEmail(ctx context.Context, email string) (*domain.User, error)
 	FindByID(ctx context.Context, id string) (*domain.User, error)
 	ListByTenant(ctx context.Context, tenantID string) ([]domain.User, error)
+	List(ctx context.Context, offset, limit int, search string) ([]domain.User, int64, error)
 }
 
 type userRepository struct {
@@ -54,3 +55,24 @@ func (r *userRepository) ListByTenant(ctx context.Context, tenantID string) ([]d
 	}
 	return users, nil
 }
+
+func (r *userRepository) List(ctx context.Context, offset, limit int, search string) ([]domain.User, int64, error) {
+	var users []domain.User
+	var total int64
+	db := r.db.WithContext(ctx).Model(&domain.User{})
+
+	if search != "" {
+		searchTerm := "%" + search + "%"
+		db = db.Where("email LIKE ? OR name LIKE ?", searchTerm, searchTerm)
+	}
+
+	if err := db.Count(&total).Error; err != nil {
+		return nil, 0, err
+	}
+
+	if err := db.Offset(offset).Limit(limit).Find(&users).Error; err != nil {
+		return nil, 0, err
+	}
+
+	return users, total, nil
+}

backend/internal/service/relying_party_service.go

@@ -0,0 +1,155 @@
+package service
+
+import (
+	"baron-sso-backend/internal/domain"
+	"baron-sso-backend/internal/repository"
+	"context"
+	"fmt"
+	"log/slog"
+)
+
+type RelyingPartyService interface {
+	Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error)
+	Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error)
+	List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error)
+	ListAll(ctx context.Context) ([]domain.RelyingParty, error)
+	ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error)
+	Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error)
+	Delete(ctx context.Context, clientID string) error
+}
+
+func (s *relyingPartyService) ListAll(ctx context.Context) ([]domain.RelyingParty, error) {
+	return s.repo.ListAll(ctx)
+}
+
+func (s *relyingPartyService) ListByTenantIDs(ctx context.Context, tenantIDs []string) ([]domain.RelyingParty, error) {
+	// Simple implementation for now, repository could be optimized with IN clause
+	var allRps []domain.RelyingParty
+	for _, tid := range tenantIDs {
+		rps, _ := s.repo.ListByTenantID(ctx, tid)
+		allRps = append(allRps, rps...)
+	}
+	return allRps, nil
+}
+
+type relyingPartyService struct {
+	repo         repository.RelyingPartyRepository
+	hydraService *HydraAdminService
+	ketoService  KetoService
+}
+
+func NewRelyingPartyService(
+	repo repository.RelyingPartyRepository,
+	hydraService *HydraAdminService,
+	ketoService KetoService,
+) RelyingPartyService {
+	return &relyingPartyService{
+		repo:         repo,
+		hydraService: hydraService,
+		ketoService:  ketoService,
+	}
+}
+
+func (s *relyingPartyService) Create(ctx context.Context, tenantID string, client domain.HydraClient) (*domain.RelyingParty, error) {
+	// 1. Create Client in Hydra
+	// Ensure metadata contains tenant_id for reference
+	if client.Metadata == nil {
+		client.Metadata = make(map[string]interface{})
+	}
+	client.Metadata["tenant_id"] = tenantID
+
+	createdClient, err := s.hydraService.CreateClient(ctx, client)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create hydra client: %w", err)
+	}
+
+	// 2. Create Record in DB
+	rp := &domain.RelyingParty{
+		ClientID:    createdClient.ClientID,
+		TenantID:    tenantID,
+		Name:        createdClient.ClientName,
+		Description: "", // Hydra doesn't have description field standard, maybe in metadata?
+	}
+
+	if err := s.repo.Create(ctx, rp); err != nil {
+		// Rollback: Delete Hydra Client
+		_ = s.hydraService.DeleteClient(ctx, createdClient.ClientID)
+		return nil, fmt.Errorf("failed to create relying party in db: %w", err)
+	}
+
+	// 3. Create Relation in Keto
+	// RelyingParty:<client_id>#parent_tenant@Tenant:<tenant_id>
+	err = s.ketoService.CreateRelation(ctx, "RelyingParty", createdClient.ClientID, "parent_tenant", "Tenant:"+tenantID)
+	if err != nil {
+		slog.Error("Failed to create keto relation for relying party", "error", err, "client_id", createdClient.ClientID)
+		// We don't rollback here, but we should probably have a background job to fix this.
+		// Or return error and let caller decide? For MVP, logging error is acceptable as per issue discussion (Eventual Consistency preferred).
+	}
+
+	return rp, nil
+}
+
+func (s *relyingPartyService) Get(ctx context.Context, clientID string) (*domain.RelyingParty, *domain.HydraClient, error) {
+	// Get from DB
+	rp, err := s.repo.FindByID(ctx, clientID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// Get from Hydra
+	hydraClient, err := s.hydraService.GetClient(ctx, clientID)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return rp, hydraClient, nil
+}
+
+func (s *relyingPartyService) List(ctx context.Context, tenantID string) ([]domain.RelyingParty, error) {
+	return s.repo.ListByTenantID(ctx, tenantID)
+}
+
+func (s *relyingPartyService) Update(ctx context.Context, clientID string, client domain.HydraClient) (*domain.RelyingParty, error) {
+	// Update Hydra
+	updatedClient, err := s.hydraService.UpdateClient(ctx, clientID, client)
+	if err != nil {
+		return nil, err
+	}
+
+	// Update DB
+	rp, err := s.repo.FindByID(ctx, clientID)
+	if err != nil {
+		return nil, err
+	}
+	rp.Name = updatedClient.ClientName
+	// Update other fields if necessary
+
+	if err := s.repo.Update(ctx, rp); err != nil {
+		return nil, err
+	}
+
+	return rp, nil
+}
+
+func (s *relyingPartyService) Delete(ctx context.Context, clientID string) error {
+	// Delete from DB
+	if err := s.repo.Delete(ctx, clientID); err != nil {
+		return err
+	}
+
+	// Delete from Hydra
+	if err := s.hydraService.DeleteClient(ctx, clientID); err != nil {
+		slog.Error("Failed to delete hydra client", "error", err, "client_id", clientID)
+		// Proceeding...
+	}
+
+	// Delete from Keto (Optional, but good practice to clean up)
+	// We might not know the tenant ID here without querying DB first, but if DB is deleted, we might miss it.
+	//Ideally, we should query DB first.
+	// But `DeleteRelation` requires specific object/relation/subject.
+	// If we want to delete ALL relations for this object, Keto API supports that?
+	// `DeleteRelation` in our service wrapper is specific.
+	// We can skip explicit Keto deletion for now as orphaned tuples are less critical than orphaned resources.
+
+	return nil
+}