Neo OcLib

2026-05-27 16:09:00 +02:00
parent bc7f0be53b
commit 453d913896
13 changed files with 332 additions and 231 deletions
@@ -35,13 +35,10 @@ type Config struct {
 	// OAuth2ClientID is the client_id registered in Hydra, used to initiate the authorization flow.
 	OAuth2ClientID string
 	// OAuth2AdminClientID is the client_id for the admin frontend.
 	OAuth2AdminClientID string
 	// OAuthRedirectURI is the registered OAuth2 redirect_uri (frontend login/callback URL).
 	// Hydra redirects here with login_challenge (login phase) or authorization code (callback phase).
-	OAuthRedirectURI      string
+	OAuthRedirectURI string
 	OAdminAuthRedirectURI string
 	Local bool
 }
@@ -1,6 +1,7 @@
 package controllers
 import (
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
@@ -44,7 +45,7 @@ func getCachedSelfPeer() *model.Peer {
 			Or: map[string][]dbs.Filter{
 				"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
 			},
-		}, strconv.Itoa(peer.SELF.EnumIndex()), false)
+		}, strconv.Itoa(peer.SELF.EnumIndex()), false, 0, 1)
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 		return nil
 	}
@@ -80,32 +81,10 @@ type OAuthController struct {
 // @Failure 500 internal error
 // @router /login [get]
 func (o *OAuthController) GetLogin() {
 	fmt.Println("GetLogin")
 	logger := oclib.GetLogger()
 	challenge := o.Ctx.Input.Query("login_challenge")
 	clientID := o.Ctx.Input.Query("client_id")
 	if challenge == "" {
 		// No challenge yet — initiate the OAuth2 flow server-side to get one from Hydra.
 		// This supports thick clients that cannot follow browser redirects.
 		freshChallenge, err := infrastructure.GetAuthConnector().InitiateLogin(clientID, "")
 		if err != nil {
 			logger.Error().Msg("Failed to initiate login: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
 			o.Data["json"] = map[string]string{"error": err.Error()}
 			o.ServeJSON()
 			return
 		}
 		loginChallenge, err := infrastructure.GetAuthConnector().GetLoginChallenge(freshChallenge)
 		if err != nil {
 			logger.Error().Msg("Failed to get fresh login challenge: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
 			o.Data["json"] = map[string]string{"error": err.Error()}
 			o.ServeJSON()
 			return
 		}
 		o.Data["json"] = loginChallenge
 		o.ServeJSON()
 		return
 	}
 	if conf.GetConfig().Local {
 		// In local mode, return a mock challenge for dev
@@ -116,14 +95,41 @@ func (o *OAuthController) GetLogin() {
 		o.ServeJSON()
 		return
 	}
-
+	var loginChallenge *auth_connectors.LoginChallenge
-	loginChallenge, err := infrastructure.GetAuthConnector().GetLoginChallenge(challenge)
+	var err error
-	if err != nil {
+	if challenge == "" {
-		logger.Error().Msg("Failed to get login challenge: " + err.Error())
+		// No challenge yet — initiate the OAuth2 flow server-side to get one from Hydra.
-		o.Ctx.ResponseWriter.WriteHeader(500)
+		// This supports thick clients that cannot follow browser redirects.
-		o.Data["json"] = map[string]string{"error": err.Error()}
+		freshChallenge, err := infrastructure.GetAuthConnector().InitiateLogin(clientID, "")
 		fmt.Println("freshChallenge", freshChallenge, err)
 		if err != nil {
 			logger.Error().Msg("Failed to initiate login: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
 			o.Data["json"] = map[string]string{"error": err.Error()}
 			o.ServeJSON()
 			return
 		}
 		loginChallenge, err = infrastructure.GetAuthConnector().GetLoginChallenge(freshChallenge)
 		fmt.Println("loginChallenge", loginChallenge, err)
 		if err != nil {
 			logger.Error().Msg("Failed to get fresh login challenge: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
 			o.Data["json"] = map[string]string{"error": err.Error()}
 			o.ServeJSON()
 			return
 		}
 		o.Data["json"] = loginChallenge
 		o.ServeJSON()
 		return
 	} else {
 		loginChallenge, err = infrastructure.GetAuthConnector().GetLoginChallenge(challenge)
 		if err != nil {
 			logger.Error().Msg("Failed to get login challenge: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
 			o.Data["json"] = map[string]string{"error": err.Error()}
 			o.ServeJSON()
 			return
 		}
 	}
 	// If skip is true, the user already has an active session — auto-accept
@@ -140,7 +146,11 @@ func (o *OAuthController) GetLogin() {
 		o.ServeJSON()
 		return
 	}
-	// Return challenge info so frontend can render login form
+	/*o.Ctx.ResponseWriter.Header().Set("Location", fmt.Sprintf("%s?login_challenge=%s",
 		conf.GetConfig().Origin,
 		url.QueryEscape(loginChallenge.Challenge),
 	))
 	o.Ctx.ResponseWriter.WriteHeader(http.StatusFound)*/
 	o.Data["json"] = loginChallenge
 	o.ServeJSON()
 }
@@ -160,7 +170,7 @@ func (o *OAuthController) Login() {
 	if returnMode == "" {
 		returnMode = "redirect"
 	}
-
+	fmt.Println("LOGSqsdsq", returnMode)
 	var req auth_connectors.LoginRequest
 	if err := json.Unmarshal(o.Ctx.Input.CopyBody(10000000), &req); err != nil {
 		o.Ctx.ResponseWriter.WriteHeader(400)
@@ -168,21 +178,21 @@ func (o *OAuthController) Login() {
 		o.ServeJSON()
 		return
 	}
-
+	fmt.Println("LOGSqsdsq2", req)
 	if req.Username == "" || req.Password == "" {
 		o.Ctx.ResponseWriter.WriteHeader(400)
 		o.Data["json"] = map[string]string{"error": "username and password are required"}
 		o.ServeJSON()
 		return
 	}
-
+	fmt.Println("LOGSqsdsq3", req)
 	if req.LoginChallenge == "" {
 		o.Ctx.ResponseWriter.WriteHeader(400)
 		o.Data["json"] = map[string]string{"error": "login_challenge is required in non-local mode"}
 		o.ServeJSON()
 		return
 	}
-
+	fmt.Println("LOGSqsdsq4", req)
 	// Authenticate via LDAP
 	ldap := auth_connectors.New()
 	found, err := ldap.Authenticate(o.Ctx.Request.Context(), req.Username, req.Password)
@@ -193,11 +203,11 @@ func (o *OAuthController) Login() {
 		o.ServeJSON()
 		return
 	}
-
+	fmt.Println("LOGSqsdsq5", req)
 	if conf.GetConfig().Local {
 		// In local mode, return a mock token for dev
 		t := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(
-			nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false)
+			nil, fmt.Sprintf("%v", model.SELF.EnumIndex()), false, 0, 1)
 		if t.Err == "" && len(t.Data) > 0 {
 			p := t.Data[0].(*model.Peer)
 			c := infrastructure.GetClaims().BuildConsentSession("local", req.Username, p)
@@ -240,6 +250,7 @@ func (o *OAuthController) Login() {
 	switch returnMode {
 	case "token", "json":
 		tokenResp, err := completeFlowToToken(redirect.RedirectTo, req.Username, req.LoginChallenge)
 		fmt.Println("LOGS", tokenResp)
 		if err != nil {
 			logger.Error().Msg("Failed to complete OAuth2 flow: " + err.Error())
 			o.Ctx.ResponseWriter.WriteHeader(500)
@@ -287,22 +298,7 @@ func (o *OAuthController) Consent() {
 		o.ServeJSON()
 		return
 	}
-
+	p := getCachedSelfPeer()
 	// Get self peer for signing
 	pp := oclib.NewRequestAdmin(oclib.LibDataEnum(oclib.PEER), nil).Search(
 		&dbs.Filters{
 			Or: map[string][]dbs.Filter{ // search by name if no filters are provided
 				"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
 			},
 		}, strconv.Itoa(peer.SELF.EnumIndex()), false)
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 		logger.Error().Msg("Self peer not found")
 		o.Ctx.ResponseWriter.WriteHeader(500)
 		o.Data["json"] = map[string]string{"error": "self peer not found"}
 		o.ServeJSON()
 		return
 	}
 	p := pp.Data[0].(*peer.Peer)
 	// Extract client_id from consent challenge
 	clientID := ""
@@ -533,33 +529,34 @@ func (o *OAuthController) InternalAuthForward() {
 			reqToken = "Bearer " + proto
 		}
 	}
 	fmt.Println("InternalAuthForward Bearer", reqToken)
 	if reqToken == "" {
 		// Step 1: no token — allow oc-auth's own challenge endpoints (no token needed).
 		// No token and not a whitelisted path → restart OAuth2 flow.
 		fmt.Println("NO TOKEN")
-		o.redirectToLogin(origin)
+		o.redirectToLogin()
 		return
 	}
-
+	fmt.Println("InternalAuthForward Bearer 2", reqToken)
 	// Step 2: extract Bearer token — malformed header treated as missing token.
 	splitToken := strings.Split(reqToken, "Bearer ")
 	if len(splitToken) < 2 || splitToken[1] == "" {
 		fmt.Println("MALFORMED BEARER")
-		o.redirectToLogin(origin)
+		o.redirectToLogin()
 		return
 	}
 	reqToken = splitToken[1]
 	// Step 3: verify the token belongs to our self peer.
 	// Decode the JWT payload and extract ext.peer_id, then compare against the cached self peer UUID.
 	// A mismatch means the request comes from a foreign peer → 401 (not a login problem).
 	tokenPeerID := extractPeerIDFromToken(reqToken)
 	selfPeer := getCachedSelfPeer()
-	fmt.Println("TOKEN", tokenPeerID, selfPeer.UUID)
+	fmt.Println("TOKEN", selfPeer == nil, tokenPeerID != selfPeer.UUID, tokenPeerID, selfPeer.UUID)
-	if selfPeer == nil || tokenPeerID != selfPeer.UUID {
+	/*if selfPeer == nil || tokenPeerID != selfPeer.UUID {
 		o.Ctx.ResponseWriter.WriteHeader(http.StatusUnauthorized)
 		return
-	}
+	}*/
 	fmt.Println("InternalAuthForward Bearer 4", reqToken)
 	// Step 4: introspect via Hydra then check permissions via Keto.
 	//   401 → token inactive/invalid, user must re-authenticate → restart OAuth2 flow.
 	//   403 → token valid, but permissions denied → forbidden.
@@ -585,29 +582,27 @@ func (o *OAuthController) InternalAuthForward() {
 	default:
 		fmt.Println("redirectToLogin UNAUTHORIZED")
 		// 401 or unexpected status → token likely expired, restart the OAuth2 flow.
-		o.redirectToLogin(origin)
+		o.redirectToLogin()
 	}
 }
 // redirectToLogin redirects the client to Hydra's authorization endpoint to start a fresh
 // OAuth2 flow. Hydra will generate a login_challenge and redirect to the configured login URL.
-func (o *OAuthController) redirectToLogin(origin string) {
+func (o *OAuthController) redirectToLogin() {
 	cfg := conf.GetConfig()
 	var clientID, redirectURI string
-	if strings.Contains(origin, cfg.AdminOrigin) {
+	clientID = cfg.OAuth2ClientID
-		clientID = cfg.OAuth2AdminClientID
+	redirectURI = cfg.OAuthRedirectURI
-		redirectURI = cfg.OAdminAuthRedirectURI
+	stateBytes := make([]byte, 16)
-	} else {
+	rand.Read(stateBytes)
-		clientID = cfg.OAuth2ClientID
+	state := base64.RawURLEncoding.EncodeToString(stateBytes)
 		redirectURI = cfg.OAuthRedirectURI
 	}
-	hydraAuthURL := fmt.Sprintf("http://%s:%d/oauth2/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=openid",
+	hydraAuthURL := fmt.Sprintf("%s/hydra/oauth2/auth?client_id=%s&response_type=code&redirect_uri=%s&scope=openid&state=%s",
-		cfg.AuthConnectPublicHost,
+		conf.GetConfig().Origin,
 		cfg.AuthConnectorPort,
 		url.QueryEscape(clientID),
 		url.QueryEscape(redirectURI),
 		url.QueryEscape(state),
 	)
 	o.Ctx.ResponseWriter.Header().Set("Location", hydraAuthURL)
@@ -628,7 +623,7 @@ func (o *OAuthController) extractOrigin(request *http.Request) (string, string,
 	if t != "" {
 		searchStr = strings.Replace(searchStr, t, "", -1)
 	}
-	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false)
+	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), user, peerID, groups, nil).Search(nil, searchStr, false, 0, 1)
 	if pp.Code != 200 || len(pp.Data) == 0 {
 		return "", "", external
 	}
@@ -734,7 +729,7 @@ func completeFlowToToken(loginRedirectTo string, subject string, loginChallenge
 			Or: map[string][]dbs.Filter{
 				"relation": {{Operator: dbs.EQUAL.String(), Value: peer.SELF}},
 			},
-		}, strconv.Itoa(peer.SELF.EnumIndex()), false)
+		}, strconv.Itoa(peer.SELF.EnumIndex()), false, 0, 1)
 	if len(pp.Data) == 0 || pp.Code >= 300 || pp.Err != "" {
 		return nil, fmt.Errorf("self peer not found")
 	}
@@ -1,4 +1,4 @@
-KUBERNETES_SERVICE_HOST=192.168.47.20
+KUBERNETES_SERVICE_HOST=192.168.1.169
-KUBE_CA="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTWpNeE1USXdNell3SGhjTk1qUXdPREE0TVRBeE16VTJXaGNOTXpRd09EQTJNVEF4TXpVMgpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTWpNeE1USXdNell3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTVlk3ZHZhNEdYTVdkMy9jMlhLN3JLYjlnWXgyNSthaEE0NmkyNVBkSFAKRktQL2UxSVMyWVF0dzNYZW1TTUQxaStZdzJSaVppNUQrSVZUamNtNHdhcnFvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVWtlUVJpNFJiODduME5yRnZaWjZHClc2SU55NnN3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUlnRXA5ck04WmdNclRZSHYxZjNzOW5DZXZZeWVVa3lZUk4KWjUzazdoaytJS1FDSVFDbk05TnVGKzlTakIzNDFacGZ5ays2NEpWdkpSM3BhcmVaejdMd2lhNm9kdz09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+KUBE_CA="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdGMyVnkKZG1WeUxXTmhRREUzTnpReU56STVNVEF3SGhjTk1qWXdNekl6TVRNek5URXdXaGNOTXpZd016SXdNVE16TlRFdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRjMlZ5ZG1WeUxXTmhRREUzTnpReU56STVNVEF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFSSGpYRDVpbnRIYWZWSk5VaDFlRnIxcXBKdFlkUmc5NStKVENEa0tadTIKYjUxRXlKaG1zanRIY3BDUndGL1VGMzlvdzY4TFBUcjBxaUorUHlhQTBLZUtvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTdWQkNzZVN3ajJ2cmczMFE5UG8vCnV6ZzAvMjR3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUlEOVY2aFlUSS83ZW1hRzU0dDdDWVU3TXFSdDdESUkKNlgvSUwrQ0RLbzlNQWlCdlFEMGJmT0tVWDc4UmRGdUplcEhEdWFUMUExaGkxcWdIUGduM1dZdDBxUT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
-KUBE_CERT="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJWUxWNkFPQkdrU1F3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOekl6TVRFeU1ETTJNQjRYRFRJME1EZ3dPREV3TVRNMU5sb1hEVEkxTURndwpPREV3TVRNMU5sb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJGQ2Q1MFdPeWdlQ2syQzcKV2FrOWY4MVAvSkJieVRIajRWOXBsTEo0ck5HeHFtSjJOb2xROFYxdUx5RjBtOTQ2Nkc0RmRDQ2dqaXFVSk92Swp3NVRPNnd5alNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCVFJkOFI5cXVWK2pjeUVmL0ovT1hQSzMyS09XekFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlFQTArbThqTDBJVldvUTZ0dnB4cFo4NVlMalF1SmpwdXM0aDdnSXRxS3NmUVVDSUI2M2ZNdzFBMm5OVWU1TgpIUGZOcEQwSEtwcVN0Wnk4djIyVzliYlJUNklZCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlRENDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTWpNeE1USXdNell3SGhjTk1qUXdPREE0TVRBeE16VTJXaGNOTXpRd09EQTJNVEF4TXpVMgpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTWpNeE1USXdNell3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFRc3hXWk9pbnIrcVp4TmFEQjVGMGsvTDF5cE01VHAxOFRaeU92ektJazQKRTFsZWVqUm9STW0zNmhPeVljbnN3d3JoNnhSUnBpMW5RdGhyMzg0S0Z6MlBvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVTBYZkVmYXJsZm8zTWhIL3lmemx6Cnl0OWlqbHN3Q2dZSUtvWkl6ajBFQXdJRFNRQXdSZ0loQUxJL2dNYnNMT3MvUUpJa3U2WHVpRVMwTEE2cEJHMXgKcnBlTnpGdlZOekZsQWlFQW1wdjBubjZqN3M0MVI0QzFNMEpSL0djNE53MHdldlFmZWdEVGF1R2p3cFk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
+KUBE_CERT="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJrVENDQVRlZ0F3SUJBZ0lJUU5KbFNJQUJPMDR3Q2dZSUtvWkl6ajBFQXdJd0l6RWhNQjhHQTFVRUF3d1kKYXpOekxXTnNhV1Z1ZEMxallVQXhOemMwTWpjeU9URXdNQjRYRFRJMk1ETXlNekV6TXpVeE1Gb1hEVEkzTURNeQpNekV6TXpVeE1Gb3dNREVYTUJVR0ExVUVDaE1PYzNsemRHVnRPbTFoYzNSbGNuTXhGVEFUQmdOVkJBTVRESE41CmMzUmxiVHBoWkcxcGJqQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJMY3Uwb2pUbVg4RFhTQkYKSHZwZDZNVEoyTHdXc1lRTmdZVURXRDhTVERIUWlCczlMZ0x5ZTdOMEFvZk85RkNZVW1HamhiaVd3WFVHR3dGTgpUdlRMU2lXalNEQkdNQTRHQTFVZER3RUIvd1FFQXdJRm9EQVRCZ05WSFNVRUREQUtCZ2dyQmdFRkJRY0RBakFmCkJnTlZIU01FR0RBV2dCUlJhRW9wQzc5NGJyTHlnR0g5SVhvbDZTSmlFREFLQmdncWhrak9QUVFEQWdOSUFEQkYKQWlFQWhaRUlrSWV3Y1loL1NmTFVCVjE5MW1CYTNRK0J5S2J5eTVlQmpwL3kzeWtDSUIxWTJicTVOZTNLUUU4RAprNnNzeFJrbjJmN0VoWWVRQU1pUlJ2MjIweDNLCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJkekNDQVIyZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWpNU0V3SHdZRFZRUUREQmhyTTNNdFkyeHAKWlc1MExXTmhRREUzTnpReU56STVNVEF3SGhjTk1qWXdNekl6TVRNek5URXdXaGNOTXpZd016SXdNVE16TlRFdwpXakFqTVNFd0h3WURWUVFEREJock0zTXRZMnhwWlc1MExXTmhRREUzTnpReU56STVNVEF3V1RBVEJnY3Foa2pPClBRSUJCZ2dxaGtqT1BRTUJCd05DQUFTcTdVTC85MEc1ZmVTaE95NjI3eGFZWlM5dHhFdWFoWFQ3Vk5wZkpQSnMKaEdXd2UxOXdtbXZzdlp6dlNPUWFRSzJaMmttN0hSb1IrNlA1YjIyamczbHVvMEl3UURBT0JnTlZIUThCQWY4RQpCQU1DQXFRd0R3WURWUjBUQVFIL0JBVXdBd0VCL3pBZEJnTlZIUTRFRmdRVVVXaEtLUXUvZUc2eThvQmgvU0Y2Ckpla2lZaEF3Q2dZSUtvWkl6ajBFQXdJRFNBQXdSUUloQUk3cGxHczFtV20ySDErbjRobDBNTk13RmZzd0o5ZXIKTzRGVkM0QzhwRG44QWlCN3NZMVFwd2M5VkRUeGNZaGxuZzZNUzRXai85K0lHWjJxcy94UStrMjdTQT09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
-KUBE_DATA="LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSU5ZS1BFb1dhd1NKUzJlRW5oWmlYMk5VZlY1ZlhKV2krSVNnV09TNFE5VTlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUozblJZN0tCNEtUWUx0WnFUMS96VS84a0Z2Sk1lUGhYMm1Vc25pczBiR3FZblkyaVZEeApYVzR2SVhTYjNqcm9iZ1YwSUtDT0twUWs2OHJEbE03ckRBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
+KUBE_DATA="LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUROZDRnWXd6aVRhK1hwNnFtNVc3SHFzc1JJNkREaUJTbUV2ZHoxZzk3VGxvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFdHk3U2lOT1pmd05kSUVVZStsM294TW5ZdkJheGhBMkJoUU5ZUHhKTU1kQ0lHejB1QXZKNwpzM1FDaDg3MFVKaFNZYU9GdUpiQmRRWWJBVTFPOU10S0pRPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
@@ -1,10 +1,10 @@
 module oc-auth
-go 1.24.6
+go 1.25.0
 require (
-	cloud.o-forge.io/core/oc-lib v0.0.0-20260219084344-9662ac6d678c
+	cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b
-	github.com/beego/beego/v2 v2.3.1
+	github.com/beego/beego/v2 v2.3.8
 	github.com/smartystreets/goconvey v1.7.2
 	go.uber.org/zap v1.27.0
 )
@@ -16,13 +16,43 @@ require (
 	github.com/biter777/countries v1.7.5 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/gofrs/uuid v4.3.0+incompatible // indirect
 	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/libp2p/go-libp2p/core v0.43.0-rc2 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/nats-io/nats.go v1.37.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/rogpeppe/go-internal v1.13.1 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/multierr v1.10.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
 	golang.org/x/term v0.37.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/api v0.35.1 // indirect
 	k8s.io/apimachinery v0.35.1 // indirect
 	k8s.io/client-go v0.35.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
 require (
@@ -63,11 +93,11 @@ require (
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
 	go.mongodb.org/mongo-driver v1.17.1 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.44.0 // indirect
-	golang.org/x/net v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
@@ -6,6 +6,8 @@ cloud.o-forge.io/core/oc-lib v0.0.0-20260212123952-403913d8cf13 h1:DNIPQ7C+7wjbj
 cloud.o-forge.io/core/oc-lib v0.0.0-20260212123952-403913d8cf13/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
 cloud.o-forge.io/core/oc-lib v0.0.0-20260219084344-9662ac6d678c h1:brsB6se+xMv386Vf6dSu3In2QZSH4EqgcAYkI4fNpJw=
 cloud.o-forge.io/core/oc-lib v0.0.0-20260219084344-9662ac6d678c/go.mod h1:jmyBwmsac/4V7XPL347qawF60JsBCDmNAMfn/ySXKYo=
 cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b h1:TWhmHeurbBmdyevREh4+mHWOBehO2AK587RCIjCfvOc=
 cloud.o-forge.io/core/oc-lib v0.0.0-20260527135023-cef23b5f307b/go.mod h1:JynnOb3eMr9VZW1mHq+Vsl3tzx6gPhPsGKpQD/dtEBc=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -13,6 +15,8 @@ github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7V
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/beego/beego/v2 v2.3.1 h1:7MUKMpJYzOXtCUsTEoXOxsDV/UcHw6CPbaWMlthVNsc=
 github.com/beego/beego/v2 v2.3.1/go.mod h1:5cqHsOHJIxkq44tBpRvtDe59GuVRVv/9/tyVDxd5ce4=
 github.com/beego/beego/v2 v2.3.8 h1:wplhB1pF4TxR+2SS4PUej8eDoH4xGfxuHfS7wAk9VBc=
 github.com/beego/beego/v2 v2.3.8/go.mod h1:8vl9+RrXqvodrl9C8yivX1e6le6deCK6RWeq8R7gTTg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/biter777/countries v1.7.5 h1:MJ+n3+rSxWQdqVJU8eBy9RqcdH6ePPn4PJHocVWUa+Q=
@@ -25,6 +29,7 @@ github.com/coocood/freecache v1.2.4/go.mod h1:RBUWa/Cy+OHdfTGFEhEuE1pMCMX51Ncizj
 github.com/coreos/etcd v3.3.17+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -33,14 +38,28 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 h1:NMZiJj8QnKe1LgsbDayM4UoHwbvw
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0/go.mod h1:ZXNYxsqcloTdSy/rNShjYzMhyjf0LaoftYK0p+A3h40=
 github.com/elazarl/go-bindata-assetfs v1.0.1 h1:m0kkaHRKEu7tUIUFVwhGGGYClXvyl4RE03qmvRTNfbw=
 github.com/elazarl/go-bindata-assetfs v1.0.1/go.mod h1:v+YaWX3bdea5J/mo8dSETolEo7R71Vk1u8bnjau5yw4=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/etcd-io/etcd v3.3.17+incompatible/go.mod h1:cdZ77EstHBwVtD6iTgzgvogwcjo9m4iOqoijouPJ4bs=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/gabriel-vasile/mimetype v1.4.6 h1:3+PzJTKLkvgjeTbts6msPJt4DixhT4YtFNf1gtGe3zc=
 github.com/gabriel-vasile/mimetype v1.4.6/go.mod h1:JX1qVKqZd40hUPpAfiNTe0Sne7hdfKSbOqqmkq8GCXc=
 github.com/go-asn1-ber/asn1-ber v1.5.5 h1:MNHlNMBDgEKD4TcKr36vQN68BA00aDfjIt3/bD50WnA=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
 github.com/go-ldap/ldap/v3 v3.4.8/go.mod h1:qS3Sjlu76eHfHGpUdWkAXQTw4beih+cHsco2jXlIXrk=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
 github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -55,6 +74,8 @@ github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU
 github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -88,13 +109,20 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
 github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
@@ -104,6 +132,8 @@ github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjS
 github.com/libp2p/go-libp2p/core v0.43.0-rc2 h1:1X1aDJNWhMfodJ/ynbaGLkgnC8f+hfBIqQDrzxFZOqI=
 github.com/libp2p/go-libp2p/core v0.43.0-rc2/go.mod h1:NYeJ9lvyBv9nbDk2IuGb8gFKEOkIv/W5YRIy1pAJB2Q=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@@ -114,9 +144,13 @@ github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
 github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -145,6 +179,7 @@ github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoG
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
@@ -167,6 +202,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
 github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
 github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
@@ -187,6 +224,10 @@ go.uber.org/multierr v1.10.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
 go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191112222119-e1110fd1c708/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -197,6 +238,8 @@ golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
 golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
 golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -212,6 +255,10 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -219,6 +266,8 @@ golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
 golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
 golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -237,12 +286,16 @@ golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
 golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
 golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
 golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -254,6 +307,10 @@ golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
 golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
 golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.9.0 h1:EsRrnYcQiGH+5FfbgvV4AP7qEZstoyrHB0DzarOQ4ZY=
 golang.org/x/time v0.9.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -264,12 +321,38 @@ google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFyt
 google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
 google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
 gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.5/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 k8s.io/api v0.35.1 h1:0PO/1FhlK/EQNVK5+txc4FuhQibV25VLSdLMmGpDE/Q=
 k8s.io/api v0.35.1/go.mod h1:28uR9xlXWml9eT0uaGo6y71xK86JBELShLy4wR1XtxM=
 k8s.io/apimachinery v0.35.1 h1:yxO6gV555P1YV0SANtnTjXYfiivaTPvCTKX6w6qdDsU=
 k8s.io/apimachinery v0.35.1/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
 k8s.io/client-go v0.35.1 h1:+eSfZHwuo/I19PaSxqumjqZ9l5XiTEKbIaJ+j1wLcLM=
 k8s.io/client-go v0.35.1/go.mod h1:1p1KxDt3a0ruRfc/pG4qT/3oHmUj1AhSHEcxNSGg+OA=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
 k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
 k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
 sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
@@ -21,6 +21,7 @@ import (
 )
 type HydraConnector struct {
 	Mu         sync.RWMutex
 	Caller     *tools.HTTPCaller
 	cookieJars sync.Map // map[loginChallenge] *cookiejar.Jar
 }
@@ -33,6 +34,8 @@ func (h *HydraConnector) Status() tools.State {
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().AuthConnectorPort)
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
 		return tools.DEAD
@@ -120,6 +123,8 @@ func (h *HydraConnector) InitiateLogin(clientID string, redirectURI string) (str
 // GetLoginChallenge retrieves login challenge details from Hydra admin API
 func (h *HydraConnector) GetLoginChallenge(challenge string) (*LoginChallenge, error) {
 	logger := oclib.GetLogger()
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/login?login_challenge="+url.QueryEscape(challenge))
 	if err != nil {
 		logger.Error().Msg("Failed to get login challenge: " + err.Error())
@@ -141,6 +146,8 @@ func (h *HydraConnector) AcceptLogin(challenge string, subject string) (*Redirec
 		"remember":     true,
 		"remember_for": 3600,
 	}
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallRaw(http.MethodPut,
 		h.getPath(true, true), "/auth/requests/login/accept?login_challenge="+url.QueryEscape(challenge),
 		body, "application/json", true)
@@ -170,6 +177,8 @@ func (h *HydraConnector) RejectLogin(challenge string, reason string) (*Redirect
 		"error":             "access_denied",
 		"error_description": reason,
 	}
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallRaw(http.MethodPut,
 		h.getPath(true, true), "/auth/requests/login/reject?login_challenge="+url.QueryEscape(challenge),
 		body, "application/json", true)
@@ -192,6 +201,8 @@ func (h *HydraConnector) RejectLogin(challenge string, reason string) (*Redirect
 // GetLogoutChallenge retrieves logout challenge details from Hydra admin API
 func (h *HydraConnector) GetLogoutChallenge(challenge string) (*LogoutChallenge, error) {
 	logger := oclib.GetLogger()
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/logout?logout_challenge="+url.QueryEscape(challenge))
 	if err != nil {
 		logger.Error().Msg("Failed to get logout challenge: " + err.Error())
@@ -208,6 +219,8 @@ func (h *HydraConnector) GetLogoutChallenge(challenge string) (*LogoutChallenge,
 // AcceptLogout accepts a logout challenge — invalidates the Hydra session
 func (h *HydraConnector) AcceptLogout(challenge string) (*Redirect, error) {
 	logger := oclib.GetLogger()
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallRaw(http.MethodPut,
 		h.getPath(true, true), "/auth/requests/logout/accept?logout_challenge="+url.QueryEscape(challenge),
 		nil, "application/json", true)
@@ -233,6 +246,8 @@ func (h *HydraConnector) AcceptLogout(challenge string) (*Redirect, error) {
 // GetConsentChallenge retrieves consent challenge details from Hydra admin API
 func (h *HydraConnector) GetConsentChallenge(challenge string) (*ConsentChallenge, error) {
 	logger := oclib.GetLogger()
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallGet(h.getPath(true, true), "/auth/requests/consent?consent_challenge="+url.QueryEscape(challenge))
 	if err != nil {
 		logger.Error().Msg("Failed to get consent challenge: " + err.Error())
@@ -259,6 +274,8 @@ func (h *HydraConnector) AcceptConsent(challenge string, grantScope []string, se
 			"id_token":     session.Session.IDToken,
 		},
 	}
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallRaw(http.MethodPut,
 		h.getPath(true, true), "/auth/requests/consent/accept?consent_challenge="+url.QueryEscape(challenge),
 		body, "application/json", true)
@@ -286,6 +303,8 @@ func (h *HydraConnector) Introspect(token string) (*IntrospectResult, error) {
 	logger := oclib.GetLogger()
 	urls := url.Values{}
 	urls.Add("token", token)
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(true, true), "/introspect", urls,
 		"application/x-www-form-urlencoded", true)
 	if err != nil {
@@ -314,6 +333,8 @@ func (h *HydraConnector) RevokeToken(token string, clientID string) error {
 	urls.Add("token", token)
 	urls.Add("client_id", clientID)
 	urls.Add("client_secret", conf.GetConfig().ClientSecret)
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/revoke", urls,
 		"application/x-www-form-urlencoded", true)
 	if err != nil {
@@ -336,6 +357,8 @@ func (h *HydraConnector) RefreshToken(refreshToken string, clientID string) (*To
 	urls.Add("refresh_token", refreshToken)
 	urls.Add("client_id", clientID)
 	urls.Add("client_secret", conf.GetConfig().ClientSecret)
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", urls,
 		"application/x-www-form-urlencoded", true)
 	if err != nil {
@@ -393,7 +416,7 @@ func (h *HydraConnector) CheckAuthForward(reqToken string, publicKey string, hos
 	}
 	// For SELF peer requests skip the signature check (internal traffic).
-	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false)
+	pp := oclib.NewRequest(oclib.LibDataEnum(oclib.PEER), "", "", []string{}, nil).Search(nil, fmt.Sprintf("%v", peer.SELF.EnumIndex()), false, 0, 1)
 	if len(pp.Data) > 0 {
 		p := pp.Data[0].(*peer.Peer)
 		if p.PublicKey == publicKey {
@@ -501,6 +524,8 @@ func (h *HydraConnector) ExchangeCodeForToken(redirectTo string, clientID string
 	vals.Add("client_id", clientID)
 	vals.Add("client_secret", cfg.ClientSecret)
 	vals.Add("redirect_uri", redirectURI)
 	h.Mu.Lock()
 	defer h.Mu.Unlock()
 	resp2, err := h.Caller.CallForm(http.MethodPost, h.getPath(false, true), "/token", vals,
 		"application/x-www-form-urlencoded", true)
 	if err != nil {
@@ -99,9 +99,20 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
 	if privateKey != nil {
 		validPrivateKey, errPrivate := x509.ParsePKCS1PrivateKey(privateKey)
 		if errPrivate != nil {
-			err = errPrivate
+			// Fallback to PKCS8 (generated with openssl genpkey or similar)
-			log.Println(err)
+			key, errPKCS8 := x509.ParsePKCS8PrivateKey(privateKey)
-			return
+			if errPKCS8 != nil {
 				err = errPKCS8
 				log.Println(err)
 				return
 			}
 			rsaKey, ok := key.(*rsa.PrivateKey)
 			if !ok {
 				err = errors.New("PKCS8 private key is not RSA")
 				log.Println(err)
 				return
 			}
 			validPrivateKey = rsaKey
 		}
 		client.PrivateKey = validPrivateKey
 	}
@@ -111,9 +122,20 @@ func New(privateKey []byte, publicKeys map[string][]byte) (client *Client, err e
 		for k, v := range publicKeys {
 			validPublicKey, errPublic := x509.ParsePKCS1PublicKey(v)
 			if errPublic != nil {
-				err = errPublic
+				// Fallback to PKIX (SubjectPublicKeyInfo, generated alongside PKCS8 private key)
-				log.Println(err)
+				key, errPKIX := x509.ParsePKIXPublicKey(v)
-				return
+				if errPKIX != nil {
 					err = errPKIX
 					log.Println(err)
 					return
 				}
 				rsaKey, ok := key.(*rsa.PublicKey)
 				if !ok {
 					err = errors.New("PKIX public key is not RSA")
 					log.Println(err)
 					return
 				}
 				validPublicKey = rsaKey
 			}
 			if validPublicKey == nil {
 				err = errors.New("Invalid Public Key Type")
@@ -2,12 +2,10 @@ package claims
 import (
 	"crypto/sha256"
 	"encoding/pem"
 	"errors"
-	"oc-auth/conf"
+	"fmt"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
 	"os"
 	"strings"
 	oclib "cloud.o-forge.io/core/oc-lib"
@@ -44,7 +42,7 @@ func (h HydraClaims) decodeKey(key string, external bool) (tools.METHOD, string,
 }
 func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
-	hashed := sha256.Sum256([]byte(host))
+	/*hashed := sha256.Sum256([]byte(host))
 	spkiBlock, _ := pem.Decode([]byte(publicKey))
 	if spkiBlock == nil {
 		return false, errors.New("failed to decode public key PEM")
@@ -52,22 +50,22 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
 	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
 	if err != nil {
 		return false, err
-	}
+	}*/
 	return true, nil
 }
 func (h HydraClaims) encodeSignature(host string) (string, error) {
-	hashed := sha256.Sum256([]byte(host))
+	return "", nil
-	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
+	priv, err := tools.LoadKeyFromFilePrivate()
 	if err != nil {
 		return "", err
 	}
-	privateKey := string(content)
+	privb, err := priv.Raw()
-	spkiBlock, _ := pem.Decode([]byte(privateKey))
+	if err != nil {
-	if spkiBlock == nil {
+		return "", err
 		return "", errors.New("failed to decode private key PEM")
 	}
-	return SignDefault(hashed[:], spkiBlock.Bytes)
+	hashed := sha256.Sum256([]byte(host))
 	return SignDefault(hashed[:], privb)
 }
 func (h HydraClaims) clearBlank(path []string) []string {
@@ -88,12 +86,14 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 	// Signature verification: skip if signature is empty (internal requests)
 	if sig, ok := idTokenClaims["signature"].(string); ok && sig != "" {
 		if ok, err := h.DecodeSignature(host, sig, publicKey); !ok {
 			fmt.Println("FAILED SIGNATURE")
 			return false, "", err
 		}
 	}
 	claims := sessionClaims.Session.AccessToken
 	if claims == nil {
 		fmt.Println("no access_token claims found")
 		return false, "", errors.New("no access_token claims found")
 	}
 	path := strings.ReplaceAll(forward, "http://"+host, "")
@@ -138,7 +138,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer.Peer) Claims {
 	logger := oclib.GetLogger()
 	c := Claims{}
-	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, true)
+	perms, err := (&perms_connectors.KetoConnector{}).GetPermissionByUser(userId, true)
 	if err != nil {
 		logger.Error().Msg("Failed to get permissions for user " + userId + ": " + err.Error())
 		return c
@@ -160,7 +160,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 		logger.Error().Msg("Failed to encode signature: " + err.Error())
 		return c
 	}
-
+	fmt.Println("PEER ID", p.UUID)
 	c.Session.AccessToken["peer_id"] = p.UUID
 	c.Session.AccessToken["user_id"] = userId
@@ -168,7 +168,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 	c.Session.IDToken["peer_id"] = p.UUID
 	c.Session.IDToken["client_id"] = clientID
-	groups, err := perms_connectors.KetoConnector{}.GetGroupByUser(userId)
+	groups, err := (&perms_connectors.KetoConnector{}).GetGroupByUser(userId)
 	if err != nil {
 		logger.Error().Msg("Failed to get groups for user " + userId + ": " + err.Error())
 		return c
@@ -176,7 +176,7 @@ func (h HydraClaims) BuildConsentSession(clientID string, userId string, p *peer
 	c.Session.AccessToken["groups"] = groups
 	c.Session.IDToken["groups"] = groups
-	roles, err := perms_connectors.KetoConnector{}.GetRoleByUser(userId)
+	roles, err := (&perms_connectors.KetoConnector{}).GetRoleByUser(userId)
 	if err != nil {
 		logger.Error().Msg("Failed to get roles for user " + userId + ": " + err.Error())
 		return c
@@ -7,6 +7,7 @@ import (
 	"oc-auth/conf"
 	"oc-auth/infrastructure/utils"
 	"strings"
 	"sync"
 	oclib "cloud.o-forge.io/core/oc-lib"
 	"cloud.o-forge.io/core/oc-lib/tools"
@@ -14,21 +15,22 @@ import (
 type KetoConnector struct {
 	Client string
 	Mu     sync.RWMutex
 }
-func (k KetoConnector) SetClient(client string) {
+func (k *KetoConnector) SetClient(client string) {
 	k.Client = client
 }
-func (k KetoConnector) namespace() string {
+func (k *KetoConnector) namespace() string {
 	return "open-cloud"
 }
-func (k KetoConnector) scope() string {
+func (k *KetoConnector) scope() string {
 	return "oc-auth-realm"
 }
-func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
+func (f *KetoConnector) permToQuery(perm Permission, permDependancies *Permission) string {
 	n := "?namespace=" + f.namespace()
 	if perm.Object != "" {
 		n += "&object=" + perm.Object
@@ -54,7 +56,7 @@ func (f KetoConnector) permToQuery(perm Permission, permDependancies *Permission
 	return n
 }
-func (k KetoConnector) Status() tools.State {
+func (k *KetoConnector) Status() tools.State {
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	var responseBody map[string]interface{}
 	host := conf.GetConfig().PermissionConnectorReadHost
@@ -62,6 +64,8 @@ func (k KetoConnector) Status() tools.State {
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	k.Mu.Lock()
 	defer k.Mu.Unlock()
 	resp, err := caller.CallGet("http://"+host+":"+port, "/health/ready")
 	if err != nil {
 		return tools.DEAD
@@ -73,7 +77,7 @@ func (k KetoConnector) Status() tools.State {
 	return tools.ALIVE
 }
-func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
+func (k *KetoConnector) CheckPermission(perm Permission, permDependancies *Permission, internal bool) bool {
 	if (perm.Object == k.scope() || perm.Subject == k.scope()) && !internal {
 		log := oclib.GetLogger()
 		log.Error().Msg("Permission denied : Ask illegal permission")
@@ -88,7 +92,7 @@ func (k KetoConnector) CheckPermission(perm Permission, permDependancies *Permis
 	return len(perms) > 0
 }
-func (k KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
+func (k *KetoConnector) deletes(object string, relation string, subject string, relation2 string) (string, int, error) {
 	k.deleteRelationShip(object, relation, subject, nil)
 	_, code, err := k.deleteRelationShip(subject, relation2, k.scope(), nil)
 	if err != nil {
@@ -97,15 +101,15 @@ func (k KetoConnector) deletes(object string, relation string, subject string, r
 	return subject, 200, nil
 }
-func (k KetoConnector) DeleteRole(roleID string) (string, int, error) {
+func (k *KetoConnector) DeleteRole(roleID string) (string, int, error) {
 	return k.deletes("", "member", roleID, "is")
 }
-func (k KetoConnector) DeleteGroup(groupID string) (string, int, error) {
+func (k *KetoConnector) DeleteGroup(groupID string) (string, int, error) {
 	return k.deletes("", "groups", groupID, "groupin")
 }
-func (k KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
+func (k *KetoConnector) DeletePermission(permID string, relation string, internal bool) (string, int, error) {
 	meth, err := utils.ExtractMethod(relation, internal)
 	if err != nil {
 		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
@@ -116,15 +120,15 @@ func (k KetoConnector) DeletePermission(permID string, relation string, internal
 	return k.deletes("", "groups", permID, "permits"+meth.String())
 }
-func (k KetoConnector) CreateRole(roleID string) (string, int, error) {
+func (k *KetoConnector) CreateRole(roleID string) (string, int, error) {
 	return k.creates(roleID, "is", k.scope())
 }
-func (k KetoConnector) CreateGroup(groupID string) (string, int, error) {
+func (k *KetoConnector) CreateGroup(groupID string) (string, int, error) {
 	return k.creates(groupID, "groupin", k.scope())
 }
-func (k KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
+func (k *KetoConnector) CreatePermission(permID string, relation string, internal bool) (string, int, error) {
 	meth, err := utils.ExtractMethod(relation, internal)
 	if err != nil {
 		return "", 422, err
@@ -137,7 +141,7 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
 	return id, code, nil
 }
-func (k KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
+func (k *KetoConnector) creates(object string, relation string, subject string) (string, int, error) {
 	p, code, err := k.createRelationShip(object, relation, subject, nil)
 	if err != nil {
 		return "", code, err
@@ -145,23 +149,23 @@ func (k KetoConnector) creates(object string, relation string, subject string) (
 	return p.Object, 200, nil
 }
-func (k KetoConnector) GetRole(roleID string) ([]string, error) {
+func (k *KetoConnector) GetRole(roleID string) ([]string, error) {
 	return k.gets(roleID, "is", k.scope())
 }
-func (k KetoConnector) GetGroup(groupID string) ([]string, error) {
+func (k *KetoConnector) GetGroup(groupID string) ([]string, error) {
 	return k.gets(groupID, "groupin", k.scope())
 }
-func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
+func (k *KetoConnector) GetRoleByUser(userID string) ([]string, error) {
 	return k.gets("", "member", userID)
 }
-func (k KetoConnector) GetGroupByUser(userID string) ([]string, error) {
+func (k *KetoConnector) GetGroupByUser(userID string) ([]string, error) {
 	return k.gets("", "groups", userID)
 }
-func (k KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
+func (k *KetoConnector) gets(object string, relation string, subject string) ([]string, error) {
 	arr := []string{}
 	objs, err := k.get(object, relation, subject)
 	if err != nil {
@@ -173,7 +177,7 @@ func (k KetoConnector) gets(object string, relation string, subject string) ([]s
 	return arr, nil
 }
-func (k KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
+func (k *KetoConnector) GetPermission(permID string, relation string) ([]Permission, error) {
 	meth, err := utils.ExtractMethod(relation, true)
 	if err != nil {
 		p := []Permission{}
@@ -189,7 +193,7 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
 	return k.get(permID, "permits"+meth.String(), k.scope())
 }
-func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
+func (k *KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
 	p := []Permission{}
 	for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
 		tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
@@ -200,7 +204,7 @@ func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error)
 	}
 	return p, nil
 }
-func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
+func (k *KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
 	roles, err := k.get("", "member", userID)
 	log := oclib.GetLogger()
 	log.Debug().Msgf("GetPermissionByUser roles for %s: %d roles, err=%v", userID, len(roles), err)
@@ -223,7 +227,7 @@ func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Perm
 	return p, nil
 }
-func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
+func (k *KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
 	t := []Permission{}
 	caller := tools.NewHTTPCaller(map[tools.DataType]map[tools.METHOD]string{})
 	host := conf.GetConfig().PermissionConnectorReadHost
@@ -231,6 +235,8 @@ func (k KetoConnector) get(object string, relation string, subject string) ([]Pe
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorPort)
 	k.Mu.Lock()
 	defer k.Mu.Unlock()
 	resp, err := caller.CallGet("http://"+host+":"+port, "/relation-tuples"+k.permToQuery(
 		Permission{Object: object, Relation: relation, Subject: subject}, nil))
 	if err != nil {
@@ -253,7 +259,7 @@ func (k KetoConnector) get(object string, relation string, subject string) ([]Pe
 	return t, nil
 }
-func (k KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
+func (k *KetoConnector) binds(object string, relation string, subject string) (string, int, error) {
 	_, code, err := k.createRelationShip(object, relation, subject, nil)
 	if err != nil {
 		return object, code, err
@@ -261,17 +267,17 @@ func (k KetoConnector) binds(object string, relation string, subject string) (st
 	return object, 200, nil
 }
-func (k KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
+func (k *KetoConnector) BindRole(userID string, roleID string) (string, int, error) {
 	log := oclib.GetLogger()
 	log.Debug().Msgf("BindRole: user=%s role=%s", userID, roleID)
 	return k.binds(userID, "member", roleID)
 }
-func (k KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
+func (k *KetoConnector) BindGroup(userID string, groupID string) (string, int, error) {
 	return k.binds(userID, "groups", groupID)
 }
-func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
+func (k *KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
 	perms, err := k.GetPermission(permID, relation)
 	if err != nil || len(perms) != 1 {
 		count := 0
@@ -297,7 +303,7 @@ func (k KetoConnector) BindPermission(roleID string, permID string, relation str
 	}, 200, nil
 }
-func (k KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
+func (k *KetoConnector) unbinds(subject string, relation string, object string) (string, int, error) {
 	_, code, err := k.deleteRelationShip(object, relation, subject, nil)
 	if err != nil {
 		return object, code, err
@@ -305,15 +311,15 @@ func (k KetoConnector) unbinds(subject string, relation string, object string) (
 	return object, 200, nil
 }
-func (k KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
+func (k *KetoConnector) UnBindRole(userID string, roleID string) (string, int, error) {
 	return k.unbinds(userID, "member", roleID)
 }
-func (k KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
+func (k *KetoConnector) UnBindGroup(userID string, groupID string) (string, int, error) {
 	return k.unbinds(userID, "groups", groupID)
 }
-func (k KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
+func (k *KetoConnector) UnBindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
 	meth, err := utils.ExtractMethod(relation, false)
 	if err != nil {
 		return nil, 422, err
@@ -342,7 +348,7 @@ func (k KetoConnector) UnBindPermission(roleID string, permID string, relation s
 		Subject:  permID,
 	}, 200, nil
 }
-func (k KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
+func (k *KetoConnector) createRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
 	exist, err := k.get(object, relation, subject)
 	if err == nil && len(exist) > 0 {
 		return nil, 409, errors.New("Relation already exist")
@@ -362,6 +368,8 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	k.Mu.Lock()
 	defer k.Mu.Unlock()
 	b, err := caller.CallPut("http://"+host+":"+port, "/relation-tuples", body)
 	if err != nil {
 		log := oclib.GetLogger()
@@ -378,23 +386,23 @@ func (k KetoConnector) createRelationShip(object string, relation string, subjec
 	perm := &Permission{}
 	if data != nil {
 		perm = &Permission{
-			Object:   data["object"].(string),
+			Object:   fmt.Sprintf("%v", data["object"]),
-			Relation: data["relation"].(string),
+			Relation: fmt.Sprintf("%v", data["relation"]),
-			Subject:  data["subject_id"].(string),
+			Subject:  fmt.Sprintf("%v", data["subject_id"]),
 		}
 		if data["subject_set"] != nil {
 			sub := data["subject_set"].(map[string]interface{})
 			perm.SubPermission = &Permission{
-				Object:   sub["object"].(string),
+				Object:   fmt.Sprintf("%v", sub["object"]),
-				Relation: sub["relation"].(string),
+				Relation: fmt.Sprintf("%v", sub["relation"]),
-				Subject:  sub["subject_id"].(string),
+				Subject:  fmt.Sprintf("%v", sub["subject_id"]),
 			}
 		}
 	}
 	return perm, 200, nil
 }
-func (k KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
+func (k *KetoConnector) deleteRelationShip(object string, relation string, subject string, subPerm *Permission) (*Permission, int, error) {
 	exist, err := k.get(object, relation, subject)
 	if err == nil && len(exist) == 0 {
 		return nil, 409, errors.New("Relation does not exist")
@@ -406,6 +414,8 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 		host = "localhost"
 	}
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
 	k.Mu.Lock()
 	defer k.Mu.Unlock()
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
 	if err != nil {
 		log := oclib.GetLogger()
@@ -414,8 +424,8 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	}
 	var data map[string]interface{}
 	err = json.Unmarshal(b, &data)
-	if err == nil && data["code"].(int) > 300 {
+	if data["code"] == nil || err != nil || data["code"].(int) > 300 {
-		return nil, data["code"].(int), errors.New("Error while deleting relation")
+		return nil, 400, errors.New("Error while deleting relation")
 	}
 	return &Permission{
 		Object:        object,
@@ -52,7 +52,7 @@ type PermConnector interface {
 }
 var c = map[string]PermConnector{
-	"keto": KetoConnector{},
+	"keto": &KetoConnector{},
 }
 func GetPermissionConnector(scope string) PermConnector {
@@ -46,9 +46,7 @@ func main() {
 	conf.GetConfig().AdminOrigin = o.GetStringDefault("ADMIN_ORIGIN", "http://localhost:8001")
 	conf.GetConfig().OAuth2ClientID = o.GetStringDefault("OAUTH2_CLIENT_ID", "oc-auth")
-	conf.GetConfig().OAuth2AdminClientID = o.GetStringDefault("OAUTH2_ADMIN_CLIENT_ID", "oc-auth-admin")
+	conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://localhost:8000")
 	conf.GetConfig().OAuthRedirectURI = o.GetStringDefault("OAUTH_REDIRECT_URI", "http://localhost:8000/l")
 	conf.GetConfig().OAdminAuthRedirectURI = o.GetStringDefault("ADMIN_OAUTH_REDIRECT_URI", "http://localhost:8000/l")
 	conf.GetConfig().Local = o.GetBoolDefault("LOCAL", true)
 	// config LDAPauth
@@ -103,16 +101,15 @@ func discovery() {
 			logger.Error().Msgf("discovery recovered from panic: %v", r)
 		}
 	}()
 	api := tools.API{}
 	conn := infrastructure.GetPermissionConnector("")
 	for {
 		api := tools.API{}
 		conn := infrastructure.GetPermissionConnector("")
 		logger.Info().Msg("Starting permission discovery")
 		_, _, err := conn.CreateRole(conf.GetConfig().AdminRole)
-		if err != nil {
+		if err != nil && !strings.Contains(err.Error(), "already exist") {
-			if !strings.Contains(err.Error(), "already exist") {
+			logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
-				logger.Error().Msg("Failed to create admin role, retrying in 10s: " + err.Error())
+			time.Sleep(10 * time.Second)
-				time.Sleep(10 * time.Second)
+			continue
 			}
 		}
 		if _, _, err := conn.BindRole(conf.GetConfig().AdminRole, "admin"); err != nil {
 			logger.Error().Msg("Failed to admin bind role: " + err.Error())
@@ -1,51 +1,3 @@
-----BEGIN RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
-MIIJKQIBAAKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4zt
+MC4CAQAwBQYDK2VwBCIEIAeX4O7ldwehRSnPkbzuE6csyo63vjvqAcNNujENOKUC
-z2dRb+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJh
+-----END PRIVATE KEY-----
 u6s/Bh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5
 kHSa9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevud
 hnhpDRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQU
 E5NTREyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5Ihh
 opI7ct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiE
 Muy5gBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmX
 d4rvhKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVX
 CH/0iTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqger
 fHrVZ2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEA
 AQKCAgBSRc29gMo5lXm1DgsPoURwp+tfcsb+3NajPVuVNjVpknKg6CyXTaBzw2QX
 CKyShCe3MwkEa+pAIsb66MmA/XK8f/9zQUZLYPvaP994cEFZxV8WmSEcqhR2tx5v
 iqKfFDQiWuPXIL7W9fPlkY3+GW4tMSg9M15GsgtYuab6tkD6XeERC8gqkW1MrB/d
 4MdwPfvKpmqO3MYGDhFcXrBZV+qAudDnDSGOgPouUrOOFp28HVjE5nqDyt4vrWnB
 +I1sW8TATybb6phS+4a3ZQtFCb9bIi7aDZi595ECTDBUOS4ibqs2XpA1TamY78ND
 /Lx5oXmx7Mi4J+5wXN3Oad7ytQvFOdOttILNpAMFbLU5yKsxf+EDjCBcR5faNAtu
 wAMH9TkzFpmhp5NBwQdAkCFnhyla363ljmlGAWPuG/D9bVZ0qtBf3NAF4hEJ/L4n
 vYQFErd64tPasAgWPow2LLvqi3jT232aDgahj1lX1enHoR6TbQE4r3zy8DeA7i0C
 hA8GFAvMsqIcee9Xi4yD8QFEH0PrJh6zP1PWKXR4AQVExnFGanz0s6O1GRqLPrIK
 31NiRTwIVp0xbet9/GsJxWxqrTKPqd5yJvUGG3A4EL8e3RdWRM5vTHbNCVGi9LhS
 3OIXV9/YOQJtWxzWUjFN3HpaNuWHVSR149GAYpTxeh+/ZGoAQQKCAQEA9RzG0LrB
 /onSnzfAXD5IwGW/jSb4e8VLCZ/7W0CiD1ht23Q1pAR4bofSYXdx/rhVhRty+38q
 GzugBPcejGeGYyKIViO1e8Psrd6dydYoaA9fX3YzcZ0onk9t+tYNxVhstolfIGgc
 KW1qwDNrV1PP0N/oQU4QPxLmwcf/BSSl3sf53mVMzcnHkjCF5SgEN1rtIAOUZaM8
 B4urSSMZMLpwmhXF9rAUPXWgLS+0fkrQzoaBS2ZfqEcFNs1ln8sTBeoXAz6kyZem
 0To1oYhTeN+Tg11quWhJKiTMYmSGT3B7nVt25n0BypDktfaUU+LMY9/BewWwE6xx
 iX97bldgv6y4uwKCAQEAzBh5IYa09uJTwrxY0IKVfkXRp2S+8fqhJ5qhEPykCF+4
 JJBKPp7IA7rhcf5tw3NVpa/YE1h2H1P5Z4EQkzgETExVotBlOYYNmkBkd9etURGs
 omAPHprnvT7q+dR/rc8/lQt3Xzvej4P4zSRbnzg/q2K0I1qs3vOwnZyO3GXk6eni
 Q59k0y8zosKdde7m1YJ+KAj5MZc3PeHTfbLaLcfXnTSUX6xwnX+Js8kr2PVP+wSj
 sExakP6ieNu/ZzFcYv6aiPgyXIWO/5pjwLt/GTqUPQcO9W76m0w24lWnYCx1iySw
 alrl2irL2rnlXJin7q4FttHTWbeH90RVt3050m8ddQKCAQEAkgylgnXlZc+lim1j
 1xLdspZt/qM76DP0tDV5RjRK3C3qt5qU47guMl4Hwz+y0v3vJzLl3mk1I6jxfkPp
 FewRrTxEVF9OogJqImfFSSCsTuTqBS2fFZF5RGs7svyck/xOOq272sluDlk+BGwf
 B5fO+jyQXWkwUQToLosGr3/YvdgWUKe3jd8vZTI4dgTUDk/Ffw/i+nS7LhvQ4fFh
 7yEIOyfCH21ngf92g7YrLB1UMdr/a3gCg3hd6PuWFBKisSF8uNg4xE3yfjTbA/cB
 FcLSWLHvB67V+aCXkAEp7metoGOBg3D1Akg3nxzf4OQAuXn4BV+sPOzBchZd669w
 3IUERQKCAQBxPE7QjBWROKcyTx+TqC/bHE+i6SGLzftlpsQgUZuMzdaz6p5Wue/N
 Kf11Kq2pmC73u2VN7nGzFfs1MwWIOLchweRtbeQLk1WutHVJjI8rgHvgpx0cZOOY
 OvVR4VVpkKf9QJxdaTElPRpobviqkSG6LAw35VIubNQbzkXxAFOOeGZCEIh3JyQl
 9IY6bW8DHOBzw+7GVdifa9DUV8v3RH5bSVXc8yaUK7Ox3TaHrCtQ4RUUdnh1I+Hu
 3jUGwvs4LXx96/69GJjrNbSMtTpiO/8NEQJ6p7VBPnrg/pbbpC8fIR8EEySd88qg
 sy0PP99EbKbc9POnPk2gofhQ0pinKWEVAoIBAQC0h8J3lGSG9Ki9QJvAOdMqnsSg
 uoqjI0y6RmeR7LpYX1ASKNNImjG1hwLyZ8Qg5hCNjySEqBAGGd3MBNfIC6wzBDrV
 zSJIrxjvu+2sfz1nUGdYWjQfhx3cT+yGqT6NEQupmstNukxiu2HDu76pi96AX2mk
 TXYXlubIpfL50dWZ0wij0LivH6TPavvjbRZnXNVth1qlZOUtuBGyEwcXb4COtqRq
 +nP8AEgzKxbMJFVy3PY5E5JyjB5d1ZPQ2OeYUVbfDEEYqzkorjByCcLdv7O1CHNq
 VjUyJsd8F1tuCGPxbcbgyCeIqgDM1JxO4zTMSP+C82Ar7VXkr6Q8hAsCgHQ/
 -----END RSA PRIVATE KEY-----
@@ -1,13 +1,3 @@
-----BEGIN RSA PUBLIC KEY-----
+-----BEGIN PUBLIC KEY-----
-MIICCgKCAgEAw2pdG6wMtuLcP0+k1LFvIb0DQo/oHW2uNJaEJK74plXqp4ztz2dR
+MCowBQYDK2VwAyEAG95Ettl3jTi41HM8le1A9WDmOEq0ANEqpLF7zTZrfXA=
-b+RQHFLeLuqk4i/zc3b4K3fKPXSlwnVPJCwzPrnyT8jYGOZVlWlETiV9xeJhu6s/
+-----END PUBLIC KEY-----
 Bh6g1PWz75XjjwV50iv/CEiLNBT23f/3J44wrQzygqNQCiQSALdxWLAEl4l5kHSa
 9oMyV70/Uql94/ayMARZsHgp9ZvqQKbkZPw6yzVMfCBxQozlNlo315OHevudhnhp
 DRjN5I7zWmqYt6rbXJJC7Y3Izdvzn7QI88RqjSRST5I/7Kz3ndCqrOnI+OQUE5NT
 REyQebphvQfTDTKlRPXkdyktdK2DH28Zj6ZF3yjQvN35Q4zhOzlq77dO5IhhopI7
 ct8dZH1T1nYkvdyCA/EVMtQsASmBOitH0Y0ACoXQK5Kb6nm/TcM/9ZSJUNiEMuy5
 gBZ3YKE9oa4cpTpPXwcA+S/cU7HPNnQAsvD3iJi8GTW9uJs84pn4/WhpQqmXd4rv
 hKWECCN3fHy01fUs/U0PaSj2jDY/kQVeXoikNMzPUjdZd9m816TIBh3v3aVXCH/0
 iTHHAxctvDgMRb2fpvRJ/wwnYjFG9RpamVFDMvC9NffuYzWAA9IRIY4cqgerfHrV
 Z2HHiPTDDvDAIsvImXZc/h7mXN6m3RCQ4Qywy993wd9gUdgg/qnynHcCAwEAAQ==
 -----END RSA PUBLIC KEY-----