Operator context changes between OAuth2 tokens
Description
Access tokens issued by Keycloak currently lead to different operator contexts when calling the Operator Platform APIs, even for the same logical operator.
This affects all APIs, since context is derived from transient token data instead of a stable identifier.
Two tokens obtained from Keycloak (same realm, same client) but through different sessions (e.g., Postman vs Swagger) generate different operator contexts. As a result, different tokens for the same operator lead to different records, IDs, or 404 responses, depending on which token instance is used. Thus, a federation created with a specific token won't appear if we are using a different one. This makes token renewal unsafe and breaks consistency across the platform.
Expected behavior
The operator context should remain stable per partner, regardless of token renewal or session. Any token representing the same operator must yield the same contextual resources.
Same operator → Same partner_id → Same context across all API endpoints.
Potential cause
The backend links data to token instance fields (sub, azp, etc.) instead of a stable claim.
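A regression check for the expected behavior, as an added example that is not the platform's own code: it derives a context key from two tokens of the same operator, once from the token instance fields named above and once from a stable claim. Assumptions: `partner_id` is delivered as a token claim, the helper names are hypothetical, the tokens are constructed and unsigned, and signature verification has already happened upstream.

```python
import base64
import hashlib
import json

TRANSIENT_FIELDS = ("sub", "azp")   # fields named under "Potential cause"
STABLE_FIELDS = ("partner_id",)     # assumption: partner_id is a token claim

def make_token(claims):
    """Build a constructed, unsigned JWT-shaped string for the demo only."""
    enc = lambda obj: base64.urlsafe_b64encode(
        json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def read_claims(token):
    """Decode the payload of a token whose signature was verified upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def context_key(claims, fields):
    """Derive the operator context key from the chosen claims.

    Fails closed: a missing claim raises instead of silently falling
    back to per-token data, which would recreate the reported bug.
    """
    missing = [f for f in fields if not claims.get(f)]
    if missing:
        raise KeyError(f"missing claims: {missing}")
    material = "|".join(f"{f}={claims[f]}" for f in fields)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def same_context(token_a, token_b, fields):
    return (context_key(read_claims(token_a), fields)
            == context_key(read_claims(token_b), fields))

# Constructed sample tokens modelled on the report: same realm, same client,
# same operator, obtained through two different sessions.
COMMON = {"iss": "https://keycloak.example/realms/demo",
          "azp": "op-client", "partner_id": "partner-001"}
TOKEN_A = make_token({**COMMON, "sub": "1f0c-session-a", "jti": "a1", "sid": "s-a"})
TOKEN_B = make_token({**COMMON, "sub": "9b7e-session-b", "jti": "b2", "sid": "s-b"})

if __name__ == "__main__":
    print("token instance fields:", same_context(TOKEN_A, TOKEN_B, TRANSIENT_FIELDS))
    print("stable claim:         ", same_context(TOKEN_A, TOKEN_B, STABLE_FIELDS))
```

Run against real tokens from two sessions, the same comparison shows which claims actually differ between them before a context key is chosen.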