
Comments (4)

ryshoooo avatar ryshoooo commented on July 17, 2024

Hi @muehlbacher

The change was introduced to remove dependency on python-jose and replace it with jwcrypto (see #531). In the current version, we sort of have a mix of python-jose signatures that get translated into jwcrypto options, but this also has issues as well (see f.e. #532, #503).

Moving forward from python-keycloak >=4, we will only support jwcrypto options and signatures specifically.

from python-keycloak.

JulienBrodin avatar JulienBrodin commented on July 17, 2024

Hello @ryshoooo, I use decode_token with the "verify_signature" option set to "False", so I set the "key" attribute to an empty string. It used to work with Jose; however, with jwcrypto it raises a value error exception.
Is it possible to allow an empty value for the key?
On the other hand, a list of keys would be useful for those who implement key rotation in Keycloak. For example: I load the keys when I start my app instead of calling Keycloak every time I need to decode the token.


ryshoooo avatar ryshoooo commented on July 17, 2024

Hi @JulienBrodin

That's a fair point, I tend to do that as well (even though it is definitely not the recommended practice). I'm not sure right now whether a verify_signature equivalent is supported by jwcrypto or not.

But honestly this is pushing it a bit to the edge. You don't need to use python-keycloak to decode a token from keycloak, you can use any library or custom-made code to decode the token outside of this. It probably comes down to the scope of what the decode_token should do.

My ideal scenario is to do something like client.decode_token(token) and I get the decoded token out and that's it. How much customization should go into this method, I'm not sure, but by default I assume the method would fetch the public key and use it to decode and verify the token and return a validated decoded version of the token to me as the user, i.e. the function should follow the best standard practice. Overriding the key and decoding options should be optional.

If jwcrypto doesn't allow you to decode a token without verification, then perhaps this library should not support this behavior as it is just not a good thing to do in the first place. I get that there are use-cases where trust is established by default, but I prefer to have the user go on their own and implement their own unsafe decoding logic rather than have the library support it directly.

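The two points raised above, decoding only after signature verification against a key set that is loaded once and can rotate, and refusing to offer an unverified path at all, can be shown in a small verifier. The code below is an added example for this thread, not python-keycloak's or jwcrypto's code. To stay runnable offline it uses HS256 with symmetric `oct` keys from the standard library; Keycloak itself issues RS256 tokens verified against the public JWKS at its `certs` endpoint, and with jwcrypto the same shape is `jwt.JWT(key=jwk.JWKSet.from_json(certs), jwt=token, algs=["RS256"])`. The key set, key ids, and secrets are constructed demo values.

```python
"""Strict JWT verification against a rotating key set (added example)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key set in JWKS shape. Two keys model a rotation: "2024-01" is
# the previous realm key, "2024-07" the current one. Load this once at startup
# (as described in the thread) and refresh it when an unknown kid shows up.
DEMO_JWKS = {
    "keys": [
        {"kty": "oct", "kid": "2024-01", "alg": "HS256",
         "k": b64url_encode(b"old-realm-secret-for-demo-only!!")},
        {"kty": "oct", "kid": "2024-07", "alg": "HS256",
         "k": b64url_encode(b"new-realm-secret-for-demo-only!!")},
    ]
}


def issue_token(claims: dict, jwks: dict, kid: str) -> str:
    """Mint a token signed with key `kid`; stands in for the identity provider."""
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(b64url_decode(key["k"]), signing_input.encode(),
                   hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def decode_token(token: str, jwks: dict, allowed_algs=("HS256",), now=None) -> dict:
    """Return the claims only after the signature verifies against a known key.

    Rejects malformed tokens, any algorithm outside `allowed_algs` (so `none`
    and algorithm confusion are refused before any key is touched), unknown or
    mismatched `kid`, a bad MAC, and expired tokens. There is deliberately no
    verify_signature=False switch: the caller never sees unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    if header.get("alg") not in allowed_algs:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")

    # Key rotation: select the key by kid from the cached set. An unknown kid
    # means the cache is stale (refetch the JWKS) or the token is not ours.
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or key.get("alg") != header["alg"]:
        raise ValueError(f"no usable key for kid {header.get('kid')!r}")

    expected = hmac.new(b64url_decode(key["k"]),
                        f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")

    claims = json.loads(b64url_decode(claims_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, jwks: dict, now=None):
    """None if the token verifies, otherwise the reason it was refused."""
    try:
        decode_token(token, jwks, now=now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    tok = issue_token({"sub": "alice", "exp": int(time.time()) + 300},
                      DEMO_JWKS, "2024-07")
    print(decode_token(tok, DEMO_JWKS))
```

The `allowed_algs` pin is the part that matters most in practice: the header is attacker-controlled, so the verifier decides which algorithms it accepts and which key may be used for each, rather than letting the token pick. Tokens signed with the previous key still verify as long as that key remains in the set, which is what makes a cached key list work across a Keycloak key rotation.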

JulienBrodin avatar JulienBrodin commented on July 17, 2024

Hello @ryshoooo
Indeed you're right, I am going to implement the decode function as it is standard.
Thank you for your answer.

