This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Missing token introspection #48

Open
hall-b opened this issue May 20, 2022 · 0 comments
Labels
pull requests welcome: An issue that we would like to see fixed, but don't have the time to fix personally

Comments

@hall-b

hall-b commented May 20, 2022

The library is missing token introspection as defined in the standard: https://datatracker.ietf.org/doc/html/rfc7662
A consequence of this is that even if a user has been disabled on the Keycloak side, if that user still holds a valid JWT that was generated earlier, the library will still consider it valid. We'll have to wait until the JWT expiration time (which could be a long time) before the user can be considered completely blocked.

A very simple piece of code that can handle this:

    import json

    from authlib.integrations.requests_client import OAuth2Session
    from fastapi import HTTPException

    # client_id, client_secret, keycloak_server, realm_name and token are
    # assumed to be defined by the caller.
    oauth = OAuth2Session(client_id=client_id, client_secret=client_secret)
    # RFC 7662 introspection: the IdP reports active=false once the user is
    # disabled, even while the JWT's own signature and expiry still check out.
    result = oauth.introspect_token(
        url=f"{keycloak_server}/auth/realms/{realm_name}/protocol/openid-connect/token/introspect",
        token=token,
    )
    content = json.loads(result.content.decode())
    if not content["active"]:
        raise HTTPException(status_code=401, detail="Token expired or invalid")
    else:
        ...  # proceed with the active token
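The snippet above relies on authlib and leaves open what happens when the introspection endpoint is unreachable or answers with an error. As an added example (not code from the issue or from the fastapi-keycloak project), here is the same RFC 7662 check using only the Python standard library, written to fail closed: any transport, HTTP or parsing failure is treated as an inactive token. The endpoint URL, client credentials, sample tokens and fake IdP responses are constructed placeholders; the `post` parameter is an assumption of this example that lets a test inject a fake transport instead of a real HTTPS call. A small TTL cache is included because introspecting on every request turns the IdP into a per-request dependency, and its TTL is exactly the window in which a freshly disabled user is still accepted.

```python
"""Added example, not code from the issue or the fastapi-keycloak project: an RFC 7662
introspection check on the Python standard library. URL, credentials, sample tokens and
the fake IdP responses are constructed placeholders; `post` injects the transport."""
import base64
import hashlib
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# A transport takes (url, headers, form body) and returns (HTTP status, body).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Default transport: a real POST via urllib with a short timeout."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


@dataclass
class Introspection:
    active: bool
    claims: Dict = field(default_factory=dict)
    reason: str = ""


def introspect_token(url: str, client_id: str, client_secret: str, token: str,
                     post: Transport = urllib_post, now: Optional[float] = None) -> Introspection:
    """POST the token (RFC 7662 section 2.1) and evaluate the answer (section 2.2).
    Transport, HTTP or parsing failures yield active=False: an unreachable IdP fails closed."""
    now = time.time() if now is None else now
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    try:
        status, raw = post(url, headers, body)
    except Exception as exc:  # DNS failure, timeout, connection refused ...
        return Introspection(False, reason=f"transport error: {exc}")
    if status != 200:
        return Introspection(False, reason=f"introspection endpoint returned HTTP {status}")
    try:
        claims = json.loads(raw.decode())
    except ValueError:  # includes UnicodeDecodeError
        return Introspection(False, reason="introspection response is not JSON")
    # "active" is the only REQUIRED member and must be the JSON boolean true.
    if claims.get("active") is not True:
        return Introspection(False, claims, "token inactive (disabled user, revoked, expired or unknown)")
    # Re-check the optional "exp" claim against our own clock as well.
    exp = claims.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return Introspection(False, claims, "token past its exp")
    return Introspection(True, claims)


class IntrospectionCache:
    """Short-TTL cache so each request does not round-trip to the IdP. The TTL is the
    longest a just-disabled user stays accepted, so keep it small. Keys are SHA-256
    digests so raw tokens are not kept in memory."""

    def __init__(self, ttl_seconds: float = 10.0, clock: Callable[[], float] = time.time):
        self.ttl, self.clock = ttl_seconds, clock
        self._store: Dict[str, Tuple[float, Introspection]] = {}

    def lookup(self, token: str) -> Optional[Introspection]:
        key = hashlib.sha256(token.encode()).hexdigest()
        hit = self._store.get(key)
        if hit and hit[0] > self.clock():
            return hit[1]
        self._store.pop(key, None)  # expired or absent
        return None

    def store(self, token: str, result: Introspection) -> None:
        key = hashlib.sha256(token.encode()).hexdigest()
        self._store[key] = (self.clock() + self.ttl, result)


# Constructed stand-in for the IdP's introspection endpoint, keyed by token.
SAMPLE_RESPONSES = {
    "tok-alice-ok": (200, b'{"active": true, "sub": "alice", "exp": 4102444800, "scope": "openid"}'),
    "tok-bob-disabled": (200, b'{"active": false}'),
    "tok-carol-stale": (200, b'{"active": true, "sub": "carol", "exp": 1000}'),
    "tok-idp-down": (503, b"service unavailable"),
}


def fake_post(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Fake transport: demands client authentication, then answers from SAMPLE_RESPONSES."""
    if not headers.get("Authorization", "").startswith("Basic "):
        return 401, b'{"error": "invalid_client"}'
    token = urllib.parse.parse_qs(body.decode()).get("token", [""])[0]
    return SAMPLE_RESPONSES.get(token, (200, b'{"active": false}'))
```

In a request handler, look the bearer token up in the cache first and call `introspect_token` only on a miss; a negative result is cached too, so a revoked token does not trigger a round-trip on every retry. Keep `exp` from the introspection response as a second opinion only: the authoritative signal is `active`, which is what flips when the user is disabled at the IdP.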
yannicschroeer added the "pull requests welcome" label on Jun 3, 2022

2 participants