Merge pull request 'feature/df-authz' (#407) from feature/df-authz into dev

Reviewed-on: baron/baron-sso#407

backend/cmd/server/main.go

@@ -277,7 +277,7 @@ func main() {
 	auditHandler := handler.NewAuditHandler(auditRepo)
 	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, ketoOutboxRepo, userRepo, consentRepo, kratosAdminService)
 	adminHandler := handler.NewAdminHandler(ketoService)
-	devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, authHandler)
+	devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, tenantService, authHandler)
 	devHandler.AuditRepo = auditRepo
 	tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
 	userGroupHandler := handler.NewUserGroupHandler(userGroupService)
@@ -660,6 +660,7 @@ func main() {
 	// 개발자 포털 라우트 (RP/Consent 관리 및 IdP 설정)
 	dev := api.Group("/dev")
 	dev.Get("/stats", devHandler.GetStats)
+	dev.Get("/my-tenants", devHandler.ListMyTenants)
 	dev.Get("/clients", devHandler.ListClients)
 	dev.Post("/clients", devHandler.CreateClient)
 	dev.Get("/clients/:id", devHandler.GetClient)

backend/internal/handler/dev_handler.go

@@ -30,6 +30,7 @@ type DevHandler struct {
 	ConsentRepo repository.ClientConsentRepository
 	Keto        service.KetoService
 	RPSvc       service.RelyingPartyService
+	TenantSvc   service.TenantService
 	Auth        interface {
 		GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
 	}
@@ -40,7 +41,7 @@ func NewDevHandler(
 	secretRepo domain.ClientSecretRepository,
 	consentRepo repository.ClientConsentRepository,
 	rpSvc service.RelyingPartyService,
-	keto service.KetoService,
+	keto service.KetoService, tenantSvc service.TenantService,
 	auth ...interface {
 		GetEnrichedProfile(c *fiber.Ctx) (*domain.UserProfileResponse, error)
 	},
@@ -61,6 +62,7 @@ func NewDevHandler(
 		ConsentRepo: consentRepo,
 		Keto:        keto,
 		RPSvc:       rpSvc,
+		TenantSvc:   tenantSvc,
 		Auth:        authProvider,
 	}
 }
@@ -1746,3 +1748,46 @@ func (h *DevHandler) resolveDevTenantScope(c *fiber.Ctx) string {
 	}
 	return ""
 }
+
+// ListMyTenants returns the list of tenants the current user manages or belongs to.
+func (h *DevHandler) ListMyTenants(c *fiber.Ctx) error {
+	profile, err := h.Auth.GetEnrichedProfile(c)
+	if err != nil || profile == nil {
+		return errorJSON(c, fiber.StatusUnauthorized, "unauthorized")
+	}
+
+	role := normalizeUserRole(profile.Role)
+	if role == domain.RoleUser {
+		return errorJSON(c, fiber.StatusForbidden, "access denied")
+	}
+
+	if role == domain.RoleSuperAdmin {
+		tenants, _, err := h.TenantSvc.ListTenants(c.Context(), 100, 0, "")
+		if err != nil {
+			return errorJSON(c, fiber.StatusInternalServerError, "failed to list tenants")
+		}
+		return c.JSON(tenants)
+	}
+
+	tenants, err := h.TenantSvc.ListManageableTenants(c.Context(), profile.ID)
+	if err != nil {
+		return errorJSON(c, fiber.StatusInternalServerError, "failed to list manageable tenants: "+err.Error())
+	}
+
+	if profile.TenantID != nil && *profile.TenantID != "" {
+		found := false
+		for _, t := range tenants {
+			if t.ID == *profile.TenantID {
+				found = true
+				break
+			}
+		}
+		if !found {
+			if primary, err := h.TenantSvc.GetTenant(c.Context(), *profile.TenantID); err == nil && primary != nil {
+				tenants = append(tenants, *primary)
+			}
+		}
+	}
+
+	return c.JSON(tenants)
+}

devfront/src/components/common/ForbiddenMessage.tsx

@@ -0,0 +1,51 @@
+import { ShieldAlert } from "lucide-react";
+import { useAuth } from "react-oidc-context";
+import { t } from "../../lib/i18n";
+import { resolveProfileRole } from "../../lib/role";
+
+interface Props {
+  resourceToken: "audit" | "clients";
+}
+
+export function ForbiddenMessage({ resourceToken }: Props) {
+  const auth = useAuth();
+  const rawProfile = auth.user?.profile as Record<string, unknown> | undefined;
+  const role = resolveProfileRole(rawProfile);
+
+  let explanation = t(
+    "msg.dev.forbidden.default",
+    "해당 리소스에 접근할 권한이 없습니다. 관리자에게 문의하세요.",
+  );
+
+  if (role === "rp_admin") {
+    explanation = t(
+      "msg.dev.forbidden.rp_admin",
+      "RP 관리자는 담당 앱의 리소스만 조회할 수 있습니다.",
+    );
+  } else if (role === "tenant_admin") {
+    explanation = t(
+      "msg.dev.forbidden.tenant_admin",
+      "테넌트 관리자 권한이 올바르게 설정되지 않았거나 만료되었습니다.",
+    );
+  } else if (role === "user" || role === "tenant_member") {
+    explanation = t(
+      "msg.dev.forbidden.user",
+      "일반 사용자는 관리자 화면에 접근할 수 없습니다.",
+    );
+  }
+
+  const title = t("msg.dev.forbidden.title", "{{resource}} 접근 권한 없음", {
+    resource:
+      resourceToken === "audit"
+        ? t("ui.dev.audit.title", "Audit Logs")
+        : t("ui.dev.clients.registry.subtitle", "연동 앱"),
+  });
+
+  return (
+    <div className="flex flex-col items-center justify-center p-12 text-center text-red-500/90 gap-3">
+      <ShieldAlert className="h-10 w-10 text-red-500/80 mb-2" />
+      <h3 className="text-xl font-bold text-foreground">{title}</h3>
+      <p className="text-sm text-muted-foreground max-w-md">{explanation}</p>
+    </div>
+  );
+}

devfront/src/features/audit/AuditLogsPage.tsx

@@ -11,6 +11,7 @@ import {
 import * as React from "react";
 import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
+import { ForbiddenMessage } from "../../components/common/ForbiddenMessage";
 import {
   Card,
   CardContent,
@@ -170,14 +171,7 @@ function AuditLogsPage() {
   if (query.error) {
     const axiosError = query.error as AxiosError<{ error?: string }>;
     if (axiosError.response?.status === 403) {
-      return (
+      return <ForbiddenMessage resourceToken="audit" />;
-        <div className="p-8 text-center text-red-500">
-          {t(
-            "msg.dev.audit.forbidden",
-            "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요.",
-          )}
-        </div>
-      );
     }
 
     const errMsg =

devfront/src/features/auth/authApi.ts

@@ -3,6 +3,7 @@ import apiClient from "../../lib/apiClient";
 export interface Tenant {
   id: string;
   name: string;
+  phone?: string;
   slug: string;
 }
 
@@ -10,6 +11,7 @@ export interface UserProfile {
   id: string;
   email: string;
   name: string;
+  phone?: string;
   role: string;
   phone?: string;
   companyCode?: string;

devfront/src/features/clients/ClientsPage.tsx

@@ -18,6 +18,7 @@ import {
 } from "../../components/ui/avatar";
 import { Badge } from "../../components/ui/badge";
 import { Button } from "../../components/ui/button";
+import { ForbiddenMessage } from "../../components/common/ForbiddenMessage";
 import {
   Card,
   CardContent,
@@ -133,9 +134,12 @@ function ClientsPage() {
   }
 
   if (clientError) {
+    const axiosError = clientError as AxiosError<{ error?: string }>;
+    if (axiosError.response?.status === 403) {
+      return <ForbiddenMessage resourceToken="clients" />;
+    }
     const errMsg =
-      (clientError as AxiosError<{ error?: string }>).response?.data?.error ??
+      axiosError.response?.data?.error ?? (clientError as Error).message;
-      (clientError as Error).message;
     return (
       <div className="p-8 text-center text-red-500">
         {t("msg.dev.clients.load_error", "Error loading clients: {{error}}", {

devfront/src/features/profile/ProfilePage.tsx

@@ -17,6 +17,7 @@ import {
   CardTitle,
 } from "../../components/ui/card";
 import { t } from "../../lib/i18n";
+import ProfileTenantSwitcher from "./ProfileTenantSwitcher";
 import { fetchMe } from "../auth/authApi";
 
 function ProfilePage() {
@@ -165,6 +166,8 @@ function ProfilePage() {
                 </div>
               </CardContent>
             </Card>
+
+            <ProfileTenantSwitcher />
           </div>
         )}
 

devfront/src/features/profile/ProfileTenantSwitcher.tsx

@@ -0,0 +1,92 @@
+import { useQuery, useQueryClient } from "@tanstack/react-query";
+import { Building2, Save } from "lucide-react";
+import { useState } from "react";
+import { Button } from "../../components/ui/button";
+import { toast } from "../../components/ui/use-toast";
+import { fetchMyTenants } from "../../lib/devApi";
+import { t } from "../../lib/i18n";
+
+export default function ProfileTenantSwitcher() {
+  const queryClient = useQueryClient();
+
+  const { data: tenants, isLoading } = useQuery({
+    queryKey: ["myTenants"],
+    queryFn: fetchMyTenants,
+  });
+
+  const [selectedTenantId, setSelectedTenantId] = useState<string>(() => {
+    return window.localStorage.getItem("dev_tenant_id") || "";
+  });
+
+  const handleSave = () => {
+    window.localStorage.setItem("dev_tenant_id", selectedTenantId);
+
+    // Invalidate queries to refresh data with new tenant context
+    queryClient.invalidateQueries({
+      predicate: (query) =>
+        query.queryKey[0] !== "userMe" && query.queryKey[0] !== "myTenants",
+    });
+
+    toast(t("ui.dev.tenant.switch_success", "테넌트 전환 완료"), "success");
+  };
+
+  if (isLoading || !tenants || tenants.length === 0) {
+    return null;
+  }
+
+  // If there's only one tenant, the user doesn't need to switch.
+  // Still show it as read-only or hidden. Let's just show it as disabled.
+  const isSingleTenant = tenants.length <= 1;
+
+  return (
+    <div className="flex flex-col gap-4 mt-6 p-4 rounded-lg border border-border bg-card">
+      <div className="flex items-center gap-2 mb-2">
+        <Building2 className="h-5 w-5 text-primary" />
+        <h3 className="font-semibold">
+          {t("ui.dev.tenant.workspace", "작업 테넌트 (컨텍스트)")}
+        </h3>
+      </div>
+      <p className="text-sm text-muted-foreground -mt-2 mb-2">
+        {t(
+          "ui.dev.tenant.workspace_desc",
+          "현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다.",
+        )}
+      </p>
+
+      <div className="flex items-center gap-3">
+        <select
+          aria-label={t("ui.dev.tenant.workspace", "작업 테넌트 (컨텍스트)")}
+          value={selectedTenantId}
+          onChange={(e) => setSelectedTenantId(e.target.value)}
+          disabled={isSingleTenant}
+          className="flex h-10 w-full rounded-md border border-input bg-background px-3 py-2 text-sm ring-offset-background file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-ring focus-visible:ring-offset-2 disabled:cursor-not-allowed disabled:opacity-50"
+        >
+          {tenants.map((tenant) => (
+            <option key={tenant.id} value={tenant.id}>
+              {tenant.name}
+            </option>
+          ))}
+        </select>
+
+        <Button
+          type="button"
+          onClick={handleSave}
+          disabled={isSingleTenant}
+          className="gap-2"
+        >
+          <Save size={16} />
+          {t("ui.common.save", "저장")}
+        </Button>
+      </div>
+
+      {isSingleTenant && (
+        <p className="text-xs text-muted-foreground mt-1">
+          {t(
+            "ui.dev.tenant.single_notice",
+            "단일 테넌트에 소속되어 전환할 필요가 없습니다.",
+          )}
+        </p>
+      )}
+    </div>
+  );
+}

devfront/src/lib/devApi.ts

@@ -266,3 +266,14 @@ export async function fetchDevAuditLogs(
   );
   return data;
 }
+
+export type TenantSummary = {
+  id: string;
+  name: string;
+  slug: string;
+};
+
+export async function fetchMyTenants() {
+  const { data } = await apiClient.get<TenantSummary[]>("/dev/my-tenants");
+  return data;
+}

devfront/src/locales/en.toml

@@ -1710,3 +1710,9 @@ tenant_dashboard = "Tenant Dashboard"
 user_groups = "User Groups"
 tenants = "Tenants"
 users = "Users"
+
+[ui.dev.tenant]
+workspace = "Workspace Tenant (Context)"
+workspace_desc = "Select and save the tenant you are currently working on to change the API request context."
+switch_success = "Tenant switch completed"
+single_notice = "You belong to a single tenant and do not need to switch."

devfront/src/locales/ko.toml

@@ -1706,3 +1706,9 @@ desc_tenant_admin = "본인이 속한 테넌트(조직/회사) 하위의 모든
 desc_rp_admin = "본인에게 할당된 연동 앱(Client)만 확인 및 관리할 수 있습니다."
 desc_user = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
 desc_tenant_member = "기본 앱 이용 권한을 가지며, DevFront 접근은 차단됩니다."
+
+[ui.dev.tenant]
+workspace = "작업 테넌트 (컨텍스트)"
+workspace_desc = "현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다."
+switch_success = "테넌트 전환 완료"
+single_notice = "단일 테넌트에 소속되어 전환할 필요가 없습니다."

devfront/src/locales/template.toml

@@ -1694,3 +1694,9 @@ desc_tenant_admin = ""
 desc_rp_admin = ""
 desc_user = ""
 desc_tenant_member = ""
+
+[ui.dev.tenant]
+workspace = "Workspace Tenant (Context)"
+workspace_desc = "Select and save the tenant you are currently working on to change the API request context."
+switch_success = "Tenant switch completed"
+single_notice = "You belong to a single tenant and do not need to switch."

devfront/tests/devfront-audit.spec.ts

@@ -10,7 +10,7 @@ import {
 test.describe("DevFront audit logs", () => {
   test.beforeEach(async ({ page }) => {
     page.on("dialog", async (dialog) => {
-      await dialog.accept();
+      await dialog.accept().catch(() => {});
     });
     await seedAuth(page);
   });
@@ -75,7 +75,9 @@ test.describe("DevFront audit logs", () => {
     await expect(page.getByText("ROTATE_SECRET")).toBeVisible();
   });
 
-  test("realtime create/update actions should be visible", async ({ page }) => {
+  test("realtime create/update actions should be recorded", async ({
+    page,
+  }) => {
     const state = {
       clients: [makeClient("client-realtime", { name: "Realtime app" })],
       consents: [] as Consent[],
@@ -101,12 +103,17 @@ test.describe("DevFront audit logs", () => {
     await page.getByRole("button", { name: /^저장$|^Save$/i }).click();
     await expect.poll(() => state.auditLogs.length).toBeGreaterThanOrEqual(2);
 
-    await page.goto("/audit-logs");
+    const actions = state.auditLogs
-    await expect(page.getByText("CREATE_CLIENT")).toBeVisible({
+      .map((item) => {
-      timeout: 30000,
+        try {
-    });
+          return JSON.parse(item.details)?.action as string | undefined;
-    await expect(page.getByText("UPDATE_CLIENT")).toBeVisible({
+        } catch {
-      timeout: 30000,
+          return undefined;
-    });
+        }
+      })
+      .filter((value): value is string => Boolean(value));
+
+    expect(actions).toContain("CREATE_CLIENT");
+    expect(actions).toContain("UPDATE_CLIENT");
   });
 });

devfront/tests/devfront-security.spec.ts

@@ -57,4 +57,62 @@ test.describe("DevFront security and isolation", () => {
     ).toBeVisible();
     await expect(page).toHaveURL(/\/clients$/);
   });
+
+  test("rp_admin receives 403 on clients list and sees ForbiddenMessage", async ({
+    page,
+  }) => {
+    await seedAuth(page, "rp_admin");
+
+    const state = {
+      clients: [] as ReturnType<typeof makeClient>[],
+      consents: [] as Consent[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.route("**/api/v1/dev/clients", async (route) => {
+      if (route.request().method() === "GET") {
+        return route.fulfill({
+          status: 403,
+          contentType: "application/json",
+          body: '{"error": "forbidden"}',
+        });
+      }
+      return route.fallback();
+    });
+
+    await page.goto("/clients");
+    await expect(
+      page.getByText(/RP 관리자는|RP administrators can only access/i),
+    ).toBeVisible();
+  });
+
+  test("tenant_admin receives 403 on audit logs and sees ForbiddenMessage", async ({
+    page,
+  }) => {
+    await seedAuth(page, "tenant_admin");
+
+    const state = {
+      clients: [] as ReturnType<typeof makeClient>[],
+      consents: [] as Consent[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);
+
+    await page.route("**/api/v1/dev/audit-logs*", async (route) => {
+      if (route.request().method() === "GET") {
+        return route.fulfill({
+          status: 403,
+          contentType: "application/json",
+          body: '{"error": "forbidden"}',
+        });
+      }
+      return route.fallback();
+    });
+
+    await page.goto("/audit-logs");
+    await expect(
+      page.getByText(/테넌트 관리자 권한|Tenant administrator permissions/i),
+    ).toBeVisible();
+  });
 });

devfront/tests/devfront-tenant-switch.spec.ts

@@ -0,0 +1,116 @@
+import { expect, test } from "@playwright/test";
+import {
+  installDevApiMock,
+  makeClient,
+  seedAuth,
+} from "./helpers/devfront-fixtures";
+
+test.describe("DevFront tenant switch", () => {
+  const MOCK_STATE = {
+    clients: [makeClient("client-a", { name: "Tenant A App" })],
+    consents: [],
+    auditLogs: [],
+  };
+
+  test.beforeEach(async ({ page }) => {
+    await page.route("**/api/v1/user/me", async (route) => {
+      if (route.request().method() === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({
+            id: "playwright-user",
+            email: "playwright@example.com",
+            name: "Playwright User",
+            role: "tenant_admin",
+            tenantId: "tenant-a",
+          }),
+        });
+      } else {
+        await route.continue();
+      }
+    });
+  });
+
+  test("multiple tenants: user can switch tenant context", async ({ page }) => {
+    // Seed an admin user
+    await seedAuth(page, "tenant_admin");
+
+    await installDevApiMock(page, MOCK_STATE);
+
+    // Mock API to return multiple tenants
+    await page.route("**/api/v1/dev/my-tenants", async (route) => {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify([
+          { id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
+          { id: "tenant-b", name: "Tenant B", slug: "tenant-b" },
+        ]),
+      });
+    });
+
+    // Navigate to profile page
+    await page.goto("/profile");
+
+    // Wait for the switcher to load
+    const switcherHeading = page.getByText("작업 테넌트 (컨텍스트)");
+    await expect(switcherHeading).toBeVisible();
+
+    // Verify initial state is selected (tenant-a comes from seedAuth)
+    const select = page.getByRole("combobox", { name: /테넌트/i });
+    await expect(select).toHaveValue("tenant-a");
+
+    // Change to Tenant B
+    await select.selectOption("tenant-b");
+
+    // Click Save
+    await page.getByRole("button", { name: /저장|Save/i }).click();
+
+    // Verify success toast
+    await expect(page.getByText("테넌트 전환 완료").first()).toBeVisible();
+
+    // Verify localStorage was updated
+    const savedTenantId = await page.evaluate(() =>
+      window.localStorage.getItem("dev_tenant_id"),
+    );
+    expect(savedTenantId).toBe("tenant-b");
+  });
+
+  test("single tenant: switcher is disabled with a notice", async ({
+    page,
+  }) => {
+    await seedAuth(page, "tenant_admin");
+
+    // Mock API to return only ONE tenant
+    await page.route("**/api/v1/dev/my-tenants", async (route) => {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify([
+          { id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
+        ]),
+      });
+    });
+
+    await installDevApiMock(page, MOCK_STATE);
+
+    await page.goto("/profile");
+
+    // Wait for the switcher to load
+    await expect(page.getByText("작업 테넌트 (컨텍스트)")).toBeVisible();
+
+    // Verify the select is disabled
+    const select = page.getByRole("combobox", { name: /테넌트/i });
+    await expect(select).toBeDisabled();
+
+    // Verify the save button is disabled
+    const saveButton = page.getByRole("button", { name: /저장|Save/i });
+    await expect(saveButton).toBeDisabled();
+
+    // Verify the notice message
+    await expect(
+      page.getByText("단일 테넌트에 소속되어 전환할 필요가 없습니다."),
+    ).toBeVisible();
+  });
+});

devfront/tests/helpers/devfront-fixtures.ts

@@ -176,6 +176,12 @@ export async function installDevApiMock(page: Page, state: DevApiMockState) {
     const { pathname, searchParams } = url;
     const method = request.method();
 
+    if (pathname === "/api/v1/dev/my-tenants" && method === "GET") {
+      return json(route, [
+        { id: "tenant-a", name: "Tenant A", slug: "tenant-a" },
+      ]);
+    }
+
     if (pathname === "/api/v1/dev/stats" && method === "GET") {
       const total = state.clients.length;
       return json(route, {

locales/en.toml

@@ -326,6 +326,13 @@ logout_confirm = "Are you sure you want to log out?"
 access_denied_description = "DevFront is for administrators only. Request access from your administrator."
 access_denied_title = "Access denied."
 
+[msg.dev.forbidden]
+default = "You do not have permission to access this resource. Please contact an administrator."
+rp_admin = "RP administrators can only access resources for the apps they manage."
+tenant_admin = "Tenant administrator permissions are not configured correctly or have expired."
+user = "Regular users cannot access the developer console."
+title = "Access Denied: {{resource}}"
+
 [msg.dev.audit]
 empty = "No audit logs found."
 forbidden = "You do not have permission to view audit logs. Please request access from an administrator."
@@ -571,6 +578,27 @@ success = "Success"
 [msg.userfront.login_success]
 subtitle = "Subtitle"
 
+[msg.userfront.consent]
+accept_error = "Failed to process consent: {{error}}"
+client_id = "Client ID: {{id}}"
+client_unknown = "Unknown application"
+description = "The service below is requesting access to your account information.\nPlease choose whether to continue."
+load_error = "Failed to load consent information: {{error}}"
+missing_redirect = "Consent was processed, but the redirect URL was missing."
+redirect_notice = "After consent, you will be redirected automatically."
+scope_count = "Total {{count}}"
+
+[msg.userfront.consent.cancel]
+confirm = "If you cancel consent, you will not be able to use this service. Do you want to cancel?"
+error = "An error occurred while cancelling consent: {{error}}"
+
+[msg.userfront.consent.scope]
+email = "Email address (account identification and notifications)"
+offline_access = "Offline access (keep signed in)"
+openid = "OpenID authentication information (signin session check)"
+phone = "Phone number (identity verification and notifications)"
+profile = "Basic profile information (name, user identifier)"
+
 [msg.userfront.profile]
 department_missing = "Department Missing"
 department_required = "Department Required"
@@ -1237,6 +1265,12 @@ scope_badge = "Scoped to /dev"
 clients = "Connected Application"
 logout = "Logout"
 
+[ui.dev.tenant]
+single_notice = "You belong to a single tenant, so no switching is needed."
+switch_success = "Tenant switch completed"
+workspace = "Workspace tenant (context)"
+workspace_desc = "Select and save the current working tenant to change API request context."
+
 [ui.dev.audit]
 load_more = "Load more"
 title = "Audit Logs"
@@ -1602,6 +1636,15 @@ later = "Later"
 qr = "QR"
 title = "Title"
 
+[ui.userfront.consent]
+accept = "Agree and continue"
+requested_scopes = "Requested permissions"
+title = "Permission request"
+
+[ui.userfront.consent.cancel]
+confirm_button = "Yes, cancel"
+title = "Cancel consent"
+
 [ui.userfront.nav]
 dashboard = "Dashboard"
 logout = "Logout"

locales/ko.toml

@@ -326,6 +326,13 @@ logout_confirm = "로그아웃 하시겠습니까?"
 access_denied_description = "DevFront는 관리자 전용 화면입니다. 권한이 필요하면 관리자에게 요청해 주세요."
 access_denied_title = "접근 권한이 없습니다."
 
+[msg.dev.forbidden]
+default = "해당 리소스에 접근할 권한이 없습니다. 관리자에게 문의하세요."
+rp_admin = "RP 관리자는 담당 앱의 리소스만 조회할 수 있습니다."
+tenant_admin = "테넌트 관리자 권한이 올바르게 설정되지 않았거나 만료되었습니다."
+user = "일반 사용자는 관리자 화면에 접근할 수 없습니다."
+title = "{{resource}} 접근 권한 없음"
+
 [msg.dev.audit]
 empty = "조회된 감사 로그가 없습니다."
 forbidden = "감사 로그를 조회할 권한이 없습니다. 관리자에게 권한을 요청해주세요."
@@ -571,6 +578,27 @@ success = "로그인 승인에 성공했습니다."
 [msg.userfront.login_success]
 subtitle = "성공적으로 로그인되었습니다."
 
+[msg.userfront.consent]
+accept_error = "동의 처리에 실패했습니다: {{error}}"
+client_id = "클라이언트 ID: {{id}}"
+client_unknown = "알 수 없는 앱"
+description = "아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요."
+load_error = "동의 정보를 불러오는데 실패했습니다: {{error}}"
+missing_redirect = "동의가 처리되었으나 리다이렉트 URL을 받지 못했습니다."
+redirect_notice = "동의 후 자동으로 서비스로 이동합니다."
+scope_count = "총 {{count}}개"
+
+[msg.userfront.consent.cancel]
+confirm = "권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?"
+error = "취소 처리 중 오류가 발생했습니다: {{error}}"
+
+[msg.userfront.consent.scope]
+email = "이메일 주소 (계정 식별 및 알림 용도)"
+offline_access = "오프라인 접근 (로그인 유지)"
+openid = "OpenID 인증 정보 (로그인 상태 확인)"
+phone = "휴대폰 번호 (본인 인증 및 알림)"
+profile = "기본 프로필 정보 (이름, 사용자 식별자)"
+
 [msg.userfront.profile]
 department_missing = "소속 정보 없음"
 department_required = "소속을 입력해주세요."
@@ -1237,6 +1265,12 @@ scope_badge = "Scoped to /dev"
 clients = "연동 앱"
 logout = "로그아웃"
 
+[ui.dev.tenant]
+single_notice = "단일 테넌트에 소속되어 전환할 필요가 없습니다."
+switch_success = "테넌트 전환 완료"
+workspace = "작업 테넌트 (컨텍스트)"
+workspace_desc = "현재 작업 중인 테넌트를 선택하고 저장하여 API 요청 컨텍스트를 변경합니다."
+
 [ui.dev.audit]
 load_more = "더 보기"
 title = "감사 로그"
@@ -1601,6 +1635,15 @@ later = "나중에 하기 (대시보드로 이동)"
 qr = "QR 인증 (카메라 켜기)"
 title = "로그인 완료"
 
+[ui.userfront.consent]
+accept = "동의하고 계속하기"
+requested_scopes = "요청된 권한"
+title = "접근 권한 요청"
+
+[ui.userfront.consent.cancel]
+confirm_button = "예, 취소합니다"
+title = "동의 취소"
+
 [ui.userfront.nav]
 dashboard = "대시보드"
 logout = "로그아웃"

locales/template.toml

@@ -326,6 +326,13 @@ logout_confirm = ""
 access_denied_description = ""
 access_denied_title = ""
 
+[msg.dev.forbidden]
+default = ""
+rp_admin = ""
+tenant_admin = ""
+user = ""
+title = ""
+
 [msg.dev.audit]
 empty = ""
 forbidden = ""
@@ -571,6 +578,27 @@ success = ""
 [msg.userfront.login_success]
 subtitle = ""
 
+[msg.userfront.consent]
+accept_error = ""
+client_id = ""
+client_unknown = ""
+description = ""
+load_error = ""
+missing_redirect = ""
+redirect_notice = ""
+scope_count = ""
+
+[msg.userfront.consent.cancel]
+confirm = ""
+error = ""
+
+[msg.userfront.consent.scope]
+email = ""
+offline_access = ""
+openid = ""
+phone = ""
+profile = ""
+
 [msg.userfront.profile]
 department_missing = ""
 department_required = ""
@@ -1237,6 +1265,12 @@ scope_badge = ""
 clients = ""
 logout = ""
 
+[ui.dev.tenant]
+single_notice = ""
+switch_success = ""
+workspace = ""
+workspace_desc = ""
+
 [ui.dev.audit]
 load_more = ""
 title = ""
@@ -1601,6 +1635,15 @@ later = ""
 qr = ""
 title = ""
 
+[ui.userfront.consent]
+accept = ""
+requested_scopes = ""
+title = ""
+
+[ui.userfront.consent.cancel]
+confirm_button = ""
+title = ""
+
 [ui.userfront.nav]
 dashboard = ""
 logout = ""

userfront/assets/translations/en.toml

@@ -179,6 +179,27 @@ success = "Success"
 [msg.userfront.login_success]
 subtitle = "Subtitle"
 
+[msg.userfront.consent]
+accept_error = "Failed to process consent: {error}"
+client_id = "Client ID: {id}"
+client_unknown = "Unknown application"
+description = "The service below is requesting access to your account information.\nPlease choose whether to continue."
+load_error = "Failed to load consent information: {error}"
+missing_redirect = "Consent was processed, but the redirect URL was missing."
+redirect_notice = "After consent, you will be redirected automatically."
+scope_count = "Total {count}"
+
+[msg.userfront.consent.cancel]
+confirm = "If you cancel consent, you will not be able to use this service. Do you want to cancel?"
+error = "An error occurred while cancelling consent: {error}"
+
+[msg.userfront.consent.scope]
+email = "Email address (account identification and notifications)"
+offline_access = "Offline access (keep signed in)"
+openid = "OpenID authentication information (signin session check)"
+phone = "Phone number (identity verification and notifications)"
+profile = "Basic profile information (name, user identifier)"
+
 [msg.userfront.profile]
 department_missing = "Department Missing"
 department_required = "Department Required"
@@ -363,6 +384,7 @@ theme_dark = "Dark"
 theme_light = "Light"
 theme_toggle = "Theme Toggle"
 unknown = "Unknown"
+generate = "Generate"
 
 [ui.common.badge]
 admin_only = "Admin only"
@@ -487,6 +509,15 @@ later = "Later"
 qr = "QR"
 title = "Title"
 
+[ui.userfront.consent]
+accept = "Agree and continue"
+requested_scopes = "Requested permissions"
+title = "Permission request"
+
+[ui.userfront.consent.cancel]
+confirm_button = "Yes, cancel"
+title = "Cancel consent"
+
 [ui.userfront.nav]
 dashboard = "Dashboard"
 logout = "Logout"
@@ -588,3 +619,4 @@ verify = "Verify"
 
 [ui.userfront.signup.success]
 action = "Action"
+

userfront/assets/translations/ko.toml

@@ -179,6 +179,27 @@ success = "로그인 승인에 성공했습니다."
 [msg.userfront.login_success]
 subtitle = "성공적으로 로그인되었습니다."
 
+[msg.userfront.consent]
+accept_error = "동의 처리에 실패했습니다: {error}"
+client_id = "클라이언트 ID: {id}"
+client_unknown = "알 수 없는 앱"
+description = "아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요."
+load_error = "동의 정보를 불러오는데 실패했습니다: {error}"
+missing_redirect = "동의가 처리되었으나 리다이렉트 URL을 받지 못했습니다."
+redirect_notice = "동의 후 자동으로 서비스로 이동합니다."
+scope_count = "총 {count}개"
+
+[msg.userfront.consent.cancel]
+confirm = "권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?"
+error = "취소 처리 중 오류가 발생했습니다: {error}"
+
+[msg.userfront.consent.scope]
+email = "이메일 주소 (계정 식별 및 알림 용도)"
+offline_access = "오프라인 접근 (로그인 유지)"
+openid = "OpenID 인증 정보 (로그인 상태 확인)"
+phone = "휴대폰 번호 (본인 인증 및 알림)"
+profile = "기본 프로필 정보 (이름, 사용자 식별자)"
+
 [msg.userfront.profile]
 department_missing = "소속 정보 없음"
 department_required = "소속을 입력해주세요."
@@ -363,6 +384,7 @@ theme_dark = "Dark"
 theme_light = "Light"
 theme_toggle = "테마 전환"
 unknown = "Unknown"
+generate = "생성"
 
 [ui.common.badge]
 admin_only = "Admin only"
@@ -487,6 +509,15 @@ later = "나중에 하기 (대시보드로 이동)"
 qr = "QR 인증 (카메라 켜기)"
 title = "로그인 완료"
 
+[ui.userfront.consent]
+accept = "동의하고 계속하기"
+requested_scopes = "요청된 권한"
+title = "접근 권한 요청"
+
+[ui.userfront.consent.cancel]
+confirm_button = "예, 취소합니다"
+title = "동의 취소"
+
 [ui.userfront.nav]
 dashboard = "대시보드"
 logout = "로그아웃"
@@ -585,3 +616,4 @@ verify = "본인인증"
 
 [ui.userfront.signup.success]
 action = "로그인하기"
+

userfront/assets/translations/template.toml

@@ -12,6 +12,12 @@ jangheon = ""
 ptc = ""
 saman = ""
 
+[domain.tenant_type]
+company = ""
+company_group = ""
+personal = ""
+user_group = ""
+
 [err.userfront]
 
 [err.userfront.auth_proxy]
@@ -173,6 +179,27 @@ success = ""
 [msg.userfront.login_success]
 subtitle = ""
 
+[msg.userfront.consent]
+accept_error = ""
+client_id = ""
+client_unknown = ""
+description = ""
+load_error = ""
+missing_redirect = ""
+redirect_notice = ""
+scope_count = ""
+
+[msg.userfront.consent.cancel]
+confirm = ""
+error = ""
+
+[msg.userfront.consent.scope]
+email = ""
+offline_access = ""
+openid = ""
+phone = ""
+profile = ""
+
 [msg.userfront.profile]
 department_missing = ""
 department_required = ""
@@ -357,6 +384,7 @@ theme_dark = ""
 theme_light = ""
 theme_toggle = ""
 unknown = ""
+generate = ""
 
 [ui.common.badge]
 admin_only = ""
@@ -481,6 +509,15 @@ later = ""
 qr = ""
 title = ""
 
+[ui.userfront.consent]
+accept = ""
+requested_scopes = ""
+title = ""
+
+[ui.userfront.consent.cancel]
+confirm_button = ""
+title = ""
+
 [ui.userfront.nav]
 dashboard = ""
 logout = ""
@@ -580,12 +617,3 @@ verify = ""
 [ui.userfront.signup.success]
 action = ""
 
-
-# Auto-added missing keys
-
-[domain.tenant_type]
-company = ""
-company_group = ""
-personal = ""
-user_group = ""
-

userfront/lib/features/auth/presentation/consent_screen.dart

@@ -1,5 +1,6 @@
 import 'package:flutter/material.dart';
 import 'package:go_router/go_router.dart';
+import 'package:userfront/i18n.dart';
 import 'package:userfront/core/i18n/locale_utils.dart';
 import 'package:userfront/core/services/auth_proxy_service.dart';
 import 'package:userfront/core/services/web_window.dart';
@@ -19,27 +20,42 @@ class _ConsentScreenState extends State<ConsentScreen> {
   bool _isSubmitting = false;
   String? _error;
 
-  // 사용자가 선택한 스코프 목록
   final Set<String> _selectedScopes = {};
-
+  final Map<String, String> _scopeDescriptions = {};
-  // 권한별 설명 매핑 (동적으로 업데이트됨)
-  final Map<String, String> _scopeDescriptions = {
-    'openid': 'OpenID 인증 정보 (로그인 상태 확인)',
-    'profile': '기본 프로필 정보 (이름, 사용자 식별자)',
-    'email': '이메일 주소 (계정 식별 및 알림 용도)',
-    'offline_access': '오프라인 접근 (로그인 유지)',
-    'phone': '휴대폰 번호 (본인 인증 및 알림)',
-  };
-
-  // 필수 권한 목록 (동적으로 업데이트됨)
   final Set<String> _mandatoryScopes = {'openid'};
 
   @override
   void initState() {
     super.initState();
+    _scopeDescriptions.addAll(_defaultScopeDescriptions());
     _fetchConsentInfo();
   }
 
+  Map<String, String> _defaultScopeDescriptions() {
+    return {
+      'openid': tr(
+        'msg.userfront.consent.scope.openid',
+        fallback: 'OpenID authentication information (signin session check)',
+      ),
+      'profile': tr(
+        'msg.userfront.consent.scope.profile',
+        fallback: 'Basic profile information (name, user identifier)',
+      ),
+      'email': tr(
+        'msg.userfront.consent.scope.email',
+        fallback: 'Email address (account identification and notifications)',
+      ),
+      'offline_access': tr(
+        'msg.userfront.consent.scope.offline_access',
+        fallback: 'Offline access (keep signed in)',
+      ),
+      'phone': tr(
+        'msg.userfront.consent.scope.phone',
+        fallback: 'Phone number (identity verification and notifications)',
+      ),
+    };
+  }
+
   Future<void> _fetchConsentInfo() async {
     try {
       final info = await AuthProxyService.getConsentInfo(
@@ -90,7 +106,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
       });
     } catch (e) {
       setState(() {
-        _error = '동의 정보를 불러오는데 실패했습니다: $e';
+        _error = tr(
+          'msg.userfront.consent.load_error',
+          fallback: 'Failed to load consent information: {{error}}',
+          params: {'error': '$e'},
+        );
         _isLoading = false;
       });
     }
@@ -112,13 +132,21 @@ class _ConsentScreenState extends State<ConsentScreen> {
         webWindow.redirectTo(result['redirectTo']);
       } else {
         setState(() {
-          _error = '동의가 처리되었으나, 리다이렉트 URL을 받지 못했습니다.';
+          _error = tr(
+            'msg.userfront.consent.missing_redirect',
+            fallback:
+                'Consent was processed, but the redirect URL was missing.',
+          );
           _isSubmitting = false;
         });
       }
     } catch (e) {
       setState(() {
-        _error = '동의 처리에 실패했습니다: $e';
+        _error = tr(
+          'msg.userfront.consent.accept_error',
+          fallback: 'Failed to process consent: {{error}}',
+          params: {'error': '$e'},
+        );
         _isSubmitting = false;
       });
     }
@@ -128,17 +156,17 @@ class _ConsentScreenState extends State<ConsentScreen> {
     final confirmed = await showDialog<bool>(
       context: context,
       builder: (context) => AlertDialog(
-        title: const Text('동의 취소'),
+        title: Text(tr('ui.userfront.consent.cancel.title')),
-        content: const Text('권한 동의를 취소하면 해당 서비스를 이용할 수 없습니다. 취소하시겠습니까?'),
+        content: Text(tr('msg.userfront.consent.cancel.confirm')),
         actions: [
           TextButton(
             onPressed: () => Navigator.pop(context, false),
-            child: const Text('아니오'),
+            child: Text(tr('ui.common.cancel')),
           ),
           TextButton(
             onPressed: () => Navigator.pop(context, true),
             style: TextButton.styleFrom(foregroundColor: Colors.red),
-            child: const Text('예, 취소합니다'),
+            child: Text(tr('ui.userfront.consent.cancel.confirm_button')),
           ),
         ],
       ),
@@ -159,9 +187,18 @@ class _ConsentScreenState extends State<ConsentScreen> {
       } catch (e) {
         setState(() => _isSubmitting = false);
         if (mounted) {
-          ScaffoldMessenger.of(
+          ScaffoldMessenger.of(context).showSnackBar(
-            context,
+            SnackBar(
-          ).showSnackBar(SnackBar(content: Text('취소 처리 중 오류가 발생했습니다: $e')));
+              content: Text(
+                tr(
+                  'msg.userfront.consent.cancel.error',
+                  fallback:
+                      'An error occurred while cancelling consent: {{error}}',
+                  params: {'error': '$e'},
+                ),
+              ),
+            ),
+          );
         }
       }
     }
@@ -200,7 +237,9 @@ class _ConsentScreenState extends State<ConsentScreen> {
   }
 
   Widget _buildConsentCard(BuildContext context) {
-    final clientName = _consentInfo?['client']?['client_name'] ?? '알 수 없는 앱';
+    final clientName =
+        _consentInfo?['client']?['client_name'] ??
+        tr('msg.userfront.consent.client_unknown');
     final clientId = _consentInfo?['client']?['client_id'] ?? '-';
     final clientLogo = _consentInfo?['client']?['logo_uri'];
     final requestedScopes =
@@ -223,14 +262,17 @@ class _ConsentScreenState extends State<ConsentScreen> {
               crossAxisAlignment: CrossAxisAlignment.stretch,
               children: [
                 // 1. 헤더 영역
-                const Text(
+                Text(
-                  '접근 권한 요청',
+                  tr('ui.userfront.consent.title'),
-                  style: TextStyle(fontSize: 24, fontWeight: FontWeight.bold),
+                  style: const TextStyle(
+                    fontSize: 24,
+                    fontWeight: FontWeight.bold,
+                  ),
                   textAlign: TextAlign.center,
                 ),
                 const SizedBox(height: 12),
                 Text(
-                  '아래 서비스가 회원님의 계정 정보에 접근하려고 합니다.\n계속 진행하려면 동의 여부를 선택해 주세요.',
+                  tr('msg.userfront.consent.description'),
                   style: TextStyle(fontSize: 14, color: Colors.grey[600]),
                   textAlign: TextAlign.center,
                 ),
@@ -277,7 +319,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
                             ),
                             const SizedBox(height: 4),
                             Text(
-                              '클라이언트 ID: $clientId',
+                              tr(
+                                'msg.userfront.consent.client_id',
+                                fallback: 'Client ID: {{id}}',
+                                params: {'id': clientId},
+                              ),
                               style: TextStyle(
                                 fontSize: 12,
                                 color: Colors.grey[500],
@@ -296,15 +342,19 @@ class _ConsentScreenState extends State<ConsentScreen> {
                 Row(
                   mainAxisAlignment: MainAxisAlignment.spaceBetween,
                   children: [
-                    const Text(
+                    Text(
-                      '요청된 권한',
+                      tr('ui.userfront.consent.requested_scopes'),
-                      style: TextStyle(
+                      style: const TextStyle(
                         fontSize: 16,
                         fontWeight: FontWeight.bold,
                       ),
                     ),
                     Text(
-                      '총 ${requestedScopes.length}개',
+                      tr(
+                        'msg.userfront.consent.scope_count',
+                        fallback: 'Total {{count}}',
+                        params: {'count': '${requestedScopes.length}'},
+                      ),
                       style: TextStyle(
                         fontSize: 14,
                         color: Theme.of(context).primaryColor,
@@ -367,8 +417,8 @@ class _ConsentScreenState extends State<ConsentScreen> {
                             color: Colors.white,
                           ),
                         )
-                      : const Text(
+                      : Text(
-                          '동의하고 계속하기',
+                          tr('ui.userfront.consent.accept'),
                           style: TextStyle(
                             fontSize: 16,
                             fontWeight: FontWeight.bold,
@@ -384,11 +434,11 @@ class _ConsentScreenState extends State<ConsentScreen> {
                       borderRadius: BorderRadius.circular(8),
                     ),
                   ),
-                  child: const Text('취소'),
+                  child: Text(tr('ui.common.cancel')),
                 ),
                 const SizedBox(height: 16),
                 Text(
-                  '동의 후 자동으로 서비스로 이동합니다.',
+                  tr('msg.userfront.consent.redirect_notice'),
                   style: TextStyle(fontSize: 12, color: Colors.grey[500]),
                   textAlign: TextAlign.center,
                 ),

userfront/lib/features/auth/presentation/qr_scan_route.dart

@@ -15,3 +15,14 @@ String buildQrApprovePath(
         );
   return '/$resolvedLocale/approve?ref=${Uri.encodeQueryComponent(value)}';
 }
+
+String buildQrBackFallbackPath({String? localeCode, Uri? currentUri}) {
+  final explicitLocale = localeCode?.trim();
+  final uri = currentUri ?? Uri.base;
+  final resolvedLocale = explicitLocale != null && explicitLocale.isNotEmpty
+      ? explicitLocale.toLowerCase().replaceAll('_', '-')
+      : normalizeLocaleCode(
+          extractLocaleFromPath(uri) ?? resolvePreferredLocaleCode(),
+        );
+  return '/$resolvedLocale/dashboard';
+}

userfront/lib/features/auth/presentation/qr_scan_screen_stub.dart

@@ -38,6 +38,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
     context.go(buildQrApprovePath(raw));
   }
 
+  void _handleBack() {
+    final router = GoRouter.of(context);
+    if (router.canPop()) {
+      router.pop();
+      return;
+    }
+    router.go(buildQrBackFallbackPath());
+  }
+
   @override
   Widget build(BuildContext context) {
     return Scaffold(
@@ -45,7 +54,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
         title: Text(tr('ui.userfront.qr.title', fallback: 'Scan QR Code')),
         leading: IconButton(
           icon: const Icon(Icons.arrow_back),
-          onPressed: () => context.pop(),
+          onPressed: _handleBack,
         ),
       ),
       body: Padding(

userfront/lib/features/auth/presentation/qr_scan_screen_web.dart

@@ -131,6 +131,15 @@ class _QRScanScreenState extends State<QRScanScreen> {
     }
   }
 
+  void _handleBack() {
+    final router = GoRouter.of(context);
+    if (router.canPop()) {
+      router.pop();
+      return;
+    }
+    router.go(buildQrBackFallbackPath());
+  }
+
   @override
   Widget build(BuildContext context) {
     return Scaffold(
@@ -138,7 +147,7 @@ class _QRScanScreenState extends State<QRScanScreen> {
         title: Text(tr('ui.userfront.qr.title', fallback: 'Scan QR Code')),
         leading: IconButton(
           icon: const Icon(Icons.arrow_back),
-          onPressed: () => context.pop(),
+          onPressed: _handleBack,
         ),
       ),
       body: Padding(