From 26ce311551b5d3edcc04e4ffbc0b4d5af9550f2c Mon Sep 17 00:00:00 2001
From: Nathan Furnal
Date: Fri, 23 Feb 2024 00:19:56 +0100
Subject: [PATCH] fix: use jwcrypto and remove python-jose
---
 src/keycloak/keycloak_openid.py | 13 +++++++++++--
 tests/test_keycloak_admin.py | 4 +---
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/keycloak/keycloak_openid.py b/src/keycloak/keycloak_openid.py
index 1bcc7f7..499f3e5 100644
--- a/src/keycloak/keycloak_openid.py
+++ b/src/keycloak/keycloak_openid.py
@@ -30,7 +30,7 @@ class to handle authentication and token manipulation.
 import json
 from typing import Optional
-from jose import jwt
+from jwcrypto import jwk, jwt
 from .authorization import Authorization
 from .connection import ConnectionManager
@@ -539,7 +539,16 @@ class KeycloakOpenID:
 :returns: Decoded token
 :rtype: dict
 """
-return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs)
+# To keep the same API, we map the python-jose options to our claims for jwcrypto
+# Per the jwcrypto dev, `exp` and `nbf` are always checked
+options = kwargs.get("options", {})
+check_claims = {}
+if options.get("verify_aud") is True:
+check_claims["aud"] = self.client_id
+
+k = jwk.JWK.from_pem(key.encode("utf-8"))
+full_jwt = jwt.JWT(jwt=token, key=k, algs=algorithms, check_claims=check_claims)
+return jwt.json_decode(full_jwt.claims)
 def load_authorization_config(self, path):
 """Load Keycloak settings (authorization).
diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py
index e8f889a..d5dc134 100644
--- a/tests/test_keycloak_admin.py
+++ b/tests/test_keycloak_admin.py
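Review bot: The audience check becomes opt-in in the `@@ -539` hunk: `if options.get("verify_aud") is True:` adds `aud` to `check_claims` only when a caller explicitly passes `options={"verify_aud": True}`, whereas the removed `jwt.decode(..., audience=self.client_id, **kwargs)` verified the audience by default, so existing callers that never set `options` silently stop rejecting tokens issued for a different client; keeping the old default needs `if options.get("verify_aud", True):`. The remaining python-jose options and any other kwargs (for example `verify_exp`, `issuer`) are now dropped without notice, so the docstring should state that jwcrypto always checks `exp` and `nbf`, that only `verify_aud` is honoured, and that `key` must now be a PEM string because it goes through `key.encode("utf-8")` and `jwk.JWK.from_pem`. The exception types also change (jwcrypto raises its own classes such as `JWTExpired` and `InvalidJWSSignature` instead of `jose.JWTError`), which a `:raises:` entry should document so callers update their handlers. decode_token's signature and the start of its docstring are above the hunk.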
@@ -1638,9 +1638,7 @@ def test_client_roles(admin: KeycloakAdmin, client: str):
 # Test update client role
 res = admin.update_client_role(
-client_id=client,
-role_name="client-role-test",
-payload={"name": "client-role-test-update"},
+client_id=client, role_name="client-role-test", payload={"name": "client-role-test-update"}
 )
 assert res == dict()
 with pytest.raises(KeycloakPutError) as err: