Context

I'm using Keycloak to implement SSO with Django, and I found this library. I used JWTStatelessUserAuthentication for my default authentication class as stated in the docs. However, I was having trouble with the validation process when the frontend passed the JWT token to Django on a protected endpoint. It keeps giving me 401 Unauthorized with the message "Token is invalid or expired". The message was quite vague, as I couldn't debug the code: there is no logging output other than the Unauthorized response.
Issue
With Keycloak, you would get the JWK via the https://xxx/realms/xxx/protocol/openid-connect/certs endpoint. What I found was that it was raising a Forbidden error from PyJWKClient when it calls PyJWKClient.fetch_data(); I couldn't see this error due to the generic error raised by this try-except.
For more detail, Keycloak rejects (gives Forbidden) GET requests that do not have a User-Agent header, which PyJWKClient does not send by default.
Current solution
To solve my issue I had to override Token and patch the token_backend.
Code
```python
from rest_framework_simplejwt.backends import TokenBackend
from rest_framework_simplejwt.tokens import AccessToken


class KeycloakAccessToken(AccessToken):
    # token_type is not stated within the payload, but `typ` exists
    token_type = "Bearer"

    def get_token_backend(self) -> TokenBackend:
        backend = super().get_token_backend()
        # Keycloak returns 403 to the JWKS fetch unless a User-Agent is sent,
        # so set one on the PyJWKClient that TokenBackend uses.
        backend.jwks_client.headers = {"User-Agent": "Keycloak-python-urllib"}
        return backend
```
settings.py

Discussion

It would be helpful if there were a way to debug these, e.g. verbose output at logging DEBUG level. It would also be good to be able to override the PyJWKClient args for the TokenBackend init.
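The failure mode in this issue is worth reproducing in isolation before touching the Django side: the JWKS fetch fails with an HTTP 403 and the library reports it as an invalid token. The following is an added example, not code from the issue author or from djangorestframework-simplejwt. It runs a tiny loopback HTTP server that stands in for the Keycloak certs endpoint (the realm name, the JWKS document and the key id are constructed placeholders), fetches the JWKS the same way PyJWKClient.fetch_data does (urllib with optional headers), and reports the real HTTP status instead of a generic error. The rejection rule in the stand-in is an assumption made for the demo: it refuses requests whose User-Agent is missing or is urllib's default "Python-urllib/x.y", which is what a caller that passes no headers actually sends.

```python
"""Reproduce an IdP rejecting the JWKS fetch and surface the real HTTP error."""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CERTS_PATH = "/realms/demo/protocol/openid-connect/certs"  # realm name is an assumption

# Constructed JWKS document with a placeholder key. A real realm publishes its
# actual RSA public keys here; the values below are not a usable key.
FAKE_JWKS = {
    "keys": [
        {"kid": "constructed-kid-1", "kty": "RSA", "alg": "RS256",
         "use": "sig", "n": "placeholder-modulus", "e": "AQAB"}
    ]
}


class CertsHandler(BaseHTTPRequestHandler):
    """Stand-in for the IdP certs endpoint.

    Constructed rule (assumption, not Keycloak's documented behaviour): reject
    requests whose User-Agent is missing or is urllib's default value.
    """

    def do_GET(self):
        if self.path != CERTS_PATH:
            self.send_error(404, "Not Found")
            return
        agent = self.headers.get("User-Agent", "")
        if not agent or agent.startswith("Python-urllib/"):
            self.send_error(403, "Forbidden")
            return
        body = json.dumps(FAKE_JWKS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_certs_server():
    """Serve the stand-in on a random loopback port; returns (server, certs_url)."""
    server = HTTPServer(("127.0.0.1", 0), CertsHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}{CERTS_PATH}"


def fetch_jwks(url, headers=None):
    """GET the JWKS the way PyJWKClient.fetch_data does: urllib plus optional headers."""
    request = urllib.request.Request(url=url, headers=headers or {})
    with urllib.request.urlopen(request, timeout=5) as response:
        return json.load(response)


def diagnose_jwks(url, headers=None):
    """Fetch the JWKS and report the real cause of failure.

    A 403 from the IdP is reported as HTTP 403 rather than collapsing into
    "Token is invalid or expired".
    """
    try:
        jwks = fetch_jwks(url, headers)
    except urllib.error.HTTPError as exc:
        return {"ok": False, "status": exc.code, "kids": [],
                "detail": f"JWKS endpoint returned HTTP {exc.code} {exc.reason}"}
    except urllib.error.URLError as exc:
        return {"ok": False, "status": None, "kids": [],
                "detail": f"JWKS endpoint unreachable: {exc.reason}"}
    kids = [key.get("kid") for key in jwks.get("keys", [])]
    if not kids:
        return {"ok": False, "status": 200, "kids": [],
                "detail": "JWKS endpoint returned no keys"}
    return {"ok": True, "status": 200, "kids": kids,
            "detail": f"fetched {len(kids)} key(s): {kids}"}


def run_demo():
    """Run both fetches against the stand-in; returns (without_ua, with_ua) diagnoses."""
    server, url = start_certs_server()
    try:
        without_ua = diagnose_jwks(url)
        with_ua = diagnose_jwks(url, {"User-Agent": "Keycloak-python-urllib"})
    finally:
        server.shutdown()
        server.server_close()
    return without_ua, with_ua


if __name__ == "__main__":
    for label, result in zip(("no explicit User-Agent", "explicit User-Agent"), run_demo()):
        print(f"{label}: {result['detail']}")
```

Against a real realm the same check is one request away: fetch the certs URL with the User-Agent header removed (for curl, `-H 'User-Agent:'`) and again with one set, and compare the status codes before assuming the token itself is bad. If the endpoint answers 403 only in the first case, the fix belongs on the JWKS client, as in the override above, not in the token validation settings.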