Comments (4)
yannicschroeer
commented on August 15, 2024
Hey @valeriiduz,
I can not find the flaw youβre mentioning. The current_user method utilizes the _decode_token method which in turn verifies the token via public key. Could you provide the mentioned code snippet?
from fastapi-keycloak.
valeriiduz
commented on August 15, 2024
In lib, we have token_is_valid method which can check token is valid or not, but in current_user we don't use them. For example, in admin_token we have a condition for that
@property
def admin_token(self):
""" Holds an AccessToken for the `admin-cli` client
Returns:
KeycloakToken: A token, valid to perform admin actions
Notes:
- This might result in an infinite recursion if something unforeseen goes wrong
"""
if self.token_is_valid(token=self._admin_token):
return self._admin_token
self._get_admin_token()
return self.admin_token
and I want to add the similar condition to current_user method. Something like that
def current_user(token: OAuth2PasswordBearer = Depends(self.user_auth_scheme)) -> OIDCUser:
""" Decodes and verifies a JWT to get the current user
Args:
token OAuth2PasswordBearer: Access token in `Authorization` HTTP-header
Returns:
OIDCUser: Decoded JWT content
Raises:
ExpiredSignatureError: If the token is expired (exp > datetime.now())
JWTError: If decoding fails or the signature is invalid
JWTClaimsError: If any claim is invalid
HTTPException: If any role required is not contained within the roles of the users
"""
if not self.token_is_valid(token=token, audience="account"):
return None
decoded_token = self._decode_token(token=token, audience="account")
user = OIDCUser.parse_obj(decoded_token)
if required_roles:
for role in required_roles:
if role not in user.roles:
raise HTTPException(status_code=403, detail=f'Role "{role}" is required to perform this action')
return user
return current_user
from fastapi-keycloak.
yannicschroeer
commented on August 15, 2024
Ah okay! So, the admin token is managed by this library, the user tokens are usually your custom implementation.
Both the admin token and the user tokens are validated. The validation you're referring to here determines whether the admin token is still valid, it checks if the exp (expiry) is reached yet and if the token has expired, a new one is requested. There is not much sense in providing the same functionality for the user tokens, as they're not managed by this library.
You could either wrap the functions and implement a custom handler for the exception that is thrown for expired user tokens or check the exp upfront.
I hope I got you right?
from fastapi-keycloak.
valeriiduz
commented on August 15, 2024
Yep, got it. You are right, better to leave this approach upfront, cause different systems can have different flows to regenerate token for users. Thanks! I'll close the issue.
from fastapi-keycloak.
Related Issues (20)
- realmRoles Field required HOT 4
- Why admin_client_secret? HOT 2
- Support other OAuth2 auth schemes than `OAuth2PasswordBearer`
- fastapi_keycloak.exceptions.KeycloakError: HTTP 403: {'error': 'unauthorized_client', 'error_description': 'Invalid client secret'} HOT 1
- Create clients from library HOT 1
- Question: 2FA support
- required_roles param in get_current_user method. Add OR condition
- unable to connect to keycloak server HOT 2
- The `realm-export.json` file in the documentation website needs to be updated
- fastapi-keycloak docs outdated?
- Unable to pip install from python docker images HOT 2
- Can we pass dynamic realm, client_id and client_secret params to FastAPIKeycloak class
- Cannot install from sources: distutils.errors.DistutilsOptionError: No configuration found for dynamic 'description'.
- Trying to run quickstart example, got error The 'realm_access' section of the provided access token is missing on /admin method HOT 7
- how to assign client roles to a user HOT 3
- Adde introspect token from server HOT 1
- Issue with Keycloak v20+ 'access required was not contained' HOT 4
- Refresh token HOT 2
- /protected return Not authenticated HOT 1
- password -> tokenUrl none is not an allowed value HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fastapi-keycloak.