fix: post-merge fixes for Keycloak login flow

[dosaki]

Two follow-ups to PR #4 needed before SSO works end-to-end. Both surfaced when actually exercising the login flow in prod.

What's broken

Hitting `https://librarian.services.keyholding.com\` returned Keycloak's `Invalid parameter: redirect_uri` error. The redirect_uri the app sent was `http://librarian.services.keyholding.com/callback\`, which is wrong on two axes vs the registered Keycloak client (`https://librarian.services.keyholding.com/auth/callback\`):

	What the app sent	What Keycloak expects
Scheme	`http`	`https`
Path	`/callback`	`/auth/callback`

There was also a missing runtime dependency surfaced separately during the deploy.

Fixes in this PR

1. `fix: declare requests as explicit dependency` (already on branch)
Authlib pulls `requests` transitively, but explicitly declaring it in `requirements.txt` makes the dependency contract obvious and protects against Authlib ever switching HTTP libraries.

2. `fix: route OIDC redirect through https and /auth/callback`

• Mount the auth blueprint at `url_prefix="/auth"`. Without this, `@bp.route("/callback")` produced `/callback`, not `/auth/callback`. The blueprint name ("auth") doesn't auto-prefix paths — `url_prefix` is what does that. The original prompt to the keycloak-config session already specified `/auth/callback`, so the app side was the one out of step.
• Add `ProxyFix(x_for=2, x_proto=2, x_host=1)` to the WSGI app. Topology is CloudFront(HTTPS) → ALB(HTTP) → ECS, so the inner WSGI scheme is `http` and `url_for(..., _external=True)` was generating `http://` URLs. With `x_proto=2` the app trusts the `X-Forwarded-Proto: https` value CloudFront stamps (ALB appends `http`, making the header `"https, http"` — ProxyFix takes `values[-x_proto]`).

Why x_proto=2 not 1

The header value at the app is `"https, http"`. ProxyFix's `_get_real_value` returns `values[-trusted]`:

• `x_proto=1` → picks `http` (ALB's value) → app keeps generating http URLs (silent no-op, common bug)
• `x_proto=2` → picks `https` (CloudFront's value) → correct

Safe because the ALB security group only accepts traffic from the CloudFront managed prefix list, so an attacker can't bypass CloudFront and inject a forged `X-Forwarded-Proto` directly. The 2-hop trust matches the real network topology.

Test plan

• Hit `https://librarian.services.keyholding.com/\` — should bounce to Keycloak with `redirect_uri=https://.../auth/callback` (decoded: correct scheme and path).
• Sign in successfully and land on the library index.
• Confirm `/auth/login`, `/auth/callback`, `/auth/logout` all resolve (no 404s) and `/login` etc. now 404.
• Logout returns to the Keycloak login screen and a fresh login prompts for credentials again.

Note for the keycloak-config side

No change needed there — the Keycloak client's `/auth/callback` registration was already correct. This PR moves the app to match what the IdP was already expecting.

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Follow-up fixes to make the Keycloak (OIDC) login flow work end-to-end in production by ensuring generated redirect URLs match the Keycloak client configuration and by making a transitive runtime dependency explicit.

Changes:

• Add requests as an explicit Python dependency.
• Apply ProxyFix so externally-generated URLs use the correct forwarded scheme/host behind CloudFront → ALB.
• Mount the auth blueprint under /auth so OIDC callback/login/logout routes align with Keycloak’s registered redirect URI paths.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File	Description
requirements.txt	Explicitly declares requests as a runtime dependency.
app/init.py	Configures proxy header handling and prefixes auth routes under /auth to correct OIDC redirect URI generation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.