
fix: use jwcrypto and remove python-jose

pull/531/head
Nathan Furnal 8 months ago
parent
commit
26ce311551
  1. 13
      src/keycloak/keycloak_openid.py
  2. 4
      tests/test_keycloak_admin.py

13
src/keycloak/keycloak_openid.py

@ -30,7 +30,7 @@ class to handle authentication and token manipulation.
import json import json
from typing import Optional from typing import Optional
from jose import jwt
from jwcrypto import jwk, jwt
from .authorization import Authorization from .authorization import Authorization
from .connection import ConnectionManager from .connection import ConnectionManager
@ -539,7 +539,16 @@ class KeycloakOpenID:
:returns: Decoded token :returns: Decoded token
:rtype: dict :rtype: dict
""" """
return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs)
# To keep the same API, we map the python-jose options to our claims for jwcrypto
# Per the jwcrypto dev, `exp` and `nbf` are always checked
options = kwargs.get("options", {})
check_claims = {}
if options.get("verify_aud") is True:
check_claims["aud"] = self.client_id
k = jwk.JWK.from_pem(key.encode("utf-8"))
full_jwt = jwt.JWT(jwt=token, key=k, algs=algorithms, check_claims=check_claims)
return jwt.json_decode(full_jwt.claims)
def load_authorization_config(self, path): def load_authorization_config(self, path):
"""Load Keycloak settings (authorization). """Load Keycloak settings (authorization).

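Review bot: Audience validation has become opt-in in the new body: `check_claims["aud"]` is set only when the caller passes `options={"verify_aud": True}`, whereas the removed `jwt.decode(..., audience=self.client_id, **kwargs)` call supplied the audience on every call and python-jose verifies it by default. A caller that passes no options now accepts a correctly signed, unexpired token that was issued for a different client. To keep the previous default the guard could read `if options.get("verify_aud", True):`. The remaining `kwargs` (any other `verify_*` option, or an argument such as `issuer`) are now dropped silently, so they should either be mapped into `check_claims` or rejected with an error, and the docstring should say that `key` must be a PEM string since it is passed to `jwk.JWK.from_pem`. The method's signature and the start of its docstring are outside the hunk, so the default of `algorithms` cannot be checked from here.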
4
tests/test_keycloak_admin.py

@ -1638,9 +1638,7 @@ def test_client_roles(admin: KeycloakAdmin, client: str):
# Test update client role # Test update client role
res = admin.update_client_role( res = admin.update_client_role(
client_id=client,
role_name="client-role-test",
payload={"name": "client-role-test-update"},
client_id=client, role_name="client-role-test", payload={"name": "client-role-test-update"}
) )
assert res == dict() assert res == dict()
with pytest.raises(KeycloakPutError) as err: with pytest.raises(KeycloakPutError) as err:
