feat(headless-login): add jwks cache visibility and refresh flow

- replace inline headless jwks support with jwksUri-only validation - add cached jwks refresh worker, manual refresh/revoke endpoints, and parsed key summaries - expose allowed algorithms and key previews in DevFront with regression coverage
2026-04-01 18:33:22 +09:00
parent f51cdba51a
commit 9facd24a00
20 changed files with 2393 additions and 499 deletions
--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -270,14 +270,20 @@ func main() {
 	tenantService.SetKetoService(ketoService) // Keto 주입

 	hydraService := service.NewHydraAdminService()
+	headlessJWKSCache := service.NewHeadlessJWKSCacheService(redisService, nil)
+	headlessJWKSWorker := service.NewHeadlessJWKSCacheWorker(hydraService, headlessJWKSCache)
+	go headlessJWKSWorker.Start(context.Background())
+	slog.Info("✅ Headless JWKS Cache Worker started")
 	relyingPartyService := service.NewRelyingPartyService(hydraService, ketoService, ketoOutboxRepo)
 	secretRepo := repository.NewClientSecretRepository(db)
 	consentRepo := repository.NewClientConsentRepository(db)

 	auditHandler := handler.NewAuditHandler(auditRepo)
 	authHandler := handler.NewAuthHandler(redisService, idpProvider, auditRepo, oathkeeperRepo, tenantService, ketoService, ketoOutboxRepo, userRepo, consentRepo, kratosAdminService)
+	authHandler.HeadlessJWKS = headlessJWKSCache
 	adminHandler := handler.NewAdminHandler(ketoService)
 	devHandler := handler.NewDevHandler(redisService, secretRepo, consentRepo, relyingPartyService, ketoService, tenantService, authHandler)
+	devHandler.HeadlessJWKS = headlessJWKSCache
 	devHandler.AuditRepo = auditRepo
 	tenantHandler := handler.NewTenantHandler(db, tenantService, userRepo, ketoService, ketoOutboxRepo, kratosAdminService)
 	userGroupHandler := handler.NewUserGroupHandler(userGroupService)
@@ -673,6 +679,8 @@ func main() {
 	dev.Post("/clients", devHandler.CreateClient)
 	dev.Get("/clients/:id", devHandler.GetClient)
 	dev.Put("/clients/:id", devHandler.UpdateClient)
+	dev.Post("/clients/:id/headless-jwks/refresh", devHandler.RefreshHeadlessJWKSCache)
+	dev.Delete("/clients/:id/headless-jwks/cache", devHandler.RevokeHeadlessJWKSCache)
 	dev.Post("/clients/:id/secret/rotate", devHandler.RotateClientSecret)
 	dev.Patch("/clients/:id/status", devHandler.UpdateClientStatus)
 	dev.Delete("/clients/:id", devHandler.DeleteClient)