feature/oidc_auth

[SkylordA]

Adds OIDC login to python UI
Updates docker compose files to add oidc containers.
closes #47

[SkylordA]

NOTE: requires OasisLMF/OasisPlatform#1342 and OasisLMF/OasisLMF#1879 fixes to work with authentik. You might get some client not set, network errors or 4xx errors if not using these.

[SkylordA]

Migration Guide

Refactors the Docker Compose setup and adds built-in OIDC support via Keycloak and Authentik. To learn how to run, see README.md.

What Changed

TLDR. The docker compose files more closely match the kubernetes version from OasisPlatform now.

Renamed Compose Files

Old	New
oasis-platform.yml	docker-compose.yml
oasis-ui.yml	docker-compose.ui.yml

Old files remain in the repo but are no longer used by install.sh.

I've not touched the oasis-scenarios-*.yml files either, so they will probably need to be updated in a future PR.

NOTE: skip_login should still work with OIDC, just uses the client_credentials id and secret rather than any specific user credentials. Needs to be added to secrets.toml.

New Files Added

File / Directory	Purpose
docker-compose.keycloak.yml	Keycloak IdP services
docker-compose.authentik.yml	Authentik IdP services
.env.simple, .env.keycloak, .env.authentik	Per-auth-type env templates
oidc/keycloak/	Keycloak realm config and user definitions
oidc/authentik/	Authentik blueprint and user definitions
scripts/	Template processing and validation helpers
install.sh	Unified installer — detects auth type, processes templates, brings up the stack

Infrastructure Additions

• Traefik reverse proxy added to the stack (port 80 / 8443). Routes /api, /ws, /auth, /authentik, and / to the correct service by path prefix.
• Keycloak and Authentik OIDC providers can now be included as part of the same Compose stack, selected by API_AUTH_TYPE in .env.

Base Image Changes

Service	Old	New
Server DB / Celery DB	postgres (unpinned)	postgres:15-alpine
Message broker	rabbitmq (old tag)	rabbitmq:3.11-management-alpine
Channel layer	redis	valkey/valkey:8.1-alpine3.21

Database Engine String Changes

SQLAlchemy / psycopg version updates require updated engine strings in .env:

Old	New
postgresql_psycopg2	postgresql
db+postgresql+psycopg2	db+postgresql+psycopg

The .streamlit/secrets.toml file

The UI reads auth configuration from .streamlit/secrets.toml (mounted
read-only into the container). Set auth_type and the matching credentials
or OIDC client details here before running the installer. See the README for
examples.

The auth_type here is either "simple" or "oidc" based on auth_type found in OasisLMF APIClient/APISession.

[vinulw]

minor: in the UI for now everything runs through docker so might want to map the kubectl commands in this file to their docker counterparts?

[vinulw]

pyyaml not installed by requirements, should add if needed

[vinulw]

URL for admin panel needs a # at the end e.g. http://ui.oasis.local/authentik/if/admin/#

Otherwise goes to page not found