diff --git a/.gitignore b/.gitignore index 25a3ea48..a9acd744 100644 --- a/.gitignore +++ b/.gitignore @@ -82,6 +82,7 @@ celerybeat-schedule # dotenv .env +.envrc # virtualenv .venv diff --git a/poetry.lock b/poetry.lock index 6981b350..04eaeff1 100644 --- a/poetry.lock +++ b/poetry.lock @@ -579,24 +579,6 @@ files = [ {file = "docutils-0.18.1.tar.gz", hash = "sha256:679987caf361a7539d76e584cbeddc311e3aee937877c87346f31debc63e9d06"}, ] -[[package]] -name = "ecdsa" -version = "0.18.0" -description = "ECDSA cryptographic signature library (pure python)" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "ecdsa-0.18.0-py2.py3-none-any.whl", hash = "sha256:80600258e7ed2f16b9aa1d7c295bd70194109ad5a30fdee0eaeefef1d4c559dd"}, - {file = "ecdsa-0.18.0.tar.gz", hash = "sha256:190348041559e21b22a1d65cee485282ca11a6f81d503fddb84d5017e9ed1e49"}, -] - -[package.dependencies] -six = ">=1.9.0" - -[package.extras] -gmpy = ["gmpy"] -gmpy2 = ["gmpy2"] - [[package]] name = "exceptiongroup" version = "1.2.0" @@ -820,6 +802,20 @@ MarkupSafe = ">=2.0" [package.extras] i18n = ["Babel (>=2.7)"] +[[package]] +name = "jwcrypto" +version = "1.5.4" +description = "Implementation of JOSE Web standards" +optional = false +python-versions = ">= 3.8" +files = [ + {file = "jwcrypto-1.5.4.tar.gz", hash = "sha256:0815fbab613db99bad85691da5f136f8860423396667728a264bcfa6e1db36b0"}, +] + +[package.dependencies] +cryptography = ">=3.4" +typing_extensions = ">=4.5.0" + [[package]] name = "keyring" version = "24.3.0" @@ -1160,17 +1156,6 @@ files = [ [package.dependencies] wcwidth = "*" -[[package]] -name = "pyasn1" -version = "0.5.1" -description = "Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,>=2.7" -files = [ - {file = "pyasn1-0.5.1-py2.py3-none-any.whl", hash = "sha256:4439847c58d40b1d0a573d07e3856e95333f1976294494c325775aeca506eb58"}, - {file = "pyasn1-0.5.1.tar.gz", hash = "sha256:6d391a96e59b23130a5cfa74d6fd7f388dbbe26cc8f1edf39fdddf08d9d6676c"}, -] - [[package]] name = "pycodestyle" version = "2.9.1" @@ -1309,27 +1294,6 @@ files = [ [package.dependencies] six = ">=1.5" -[[package]] -name = "python-jose" -version = "3.3.0" -description = "JOSE implementation in Python" -optional = false -python-versions = "*" -files = [ - {file = "python-jose-3.3.0.tar.gz", hash = "sha256:55779b5e6ad599c6336191246e95eb2293a9ddebd555f796a65f838f07e5d78a"}, - {file = "python_jose-3.3.0-py2.py3-none-any.whl", hash = "sha256:9b1376b023f8b298536eedd47ae1089bcdb848f1535ab30555cd92002d78923a"}, -] - -[package.dependencies] -ecdsa = "!=0.15" -pyasn1 = "*" -rsa = "*" - -[package.extras] -cryptography = ["cryptography (>=3.4.0)"] -pycrypto = ["pyasn1", "pycrypto (>=2.6.0,<2.7.0)"] -pycryptodome = ["pyasn1", "pycryptodome (>=3.3.1,<4.0.0)"] - [[package]] name = "pytz" version = "2024.1" @@ -1545,20 +1509,6 @@ typing-extensions = {version = ">=4.0.0,<5.0", markers = "python_version < \"3.9 [package.extras] jupyter = ["ipywidgets (>=7.5.1,<9)"] -[[package]] -name = "rsa" -version = "4.9" -description = "Pure-Python RSA implementation" -optional = false -python-versions = ">=3.6,<4" -files = [ - {file = "rsa-4.9-py3-none-any.whl", hash = "sha256:90260d9058e514786967344d0ef75fa8727eed8a7d2e43ce9f4bcf1b536174f7"}, - {file = "rsa-4.9.tar.gz", hash = "sha256:e38464a49c6c85d7f1351b0126661487a7e0a14a50f1675ec50eb34d4f20ef21"}, -] - -[package.dependencies] -pyasn1 = ">=0.1.3" - [[package]] name = "secretstorage" version = "3.3.3" @@ -1972,4 +1922,4 @@ docs = ["Sphinx", "alabaster", "commonmark", "m2r2", "mock", "readthedocs-sphinx [metadata] lock-version = "2.0" python-versions = ">=3.8,<4.0" -content-hash = "f6e955202faac5714d1d730709e2f03a45e148bb93f5f4288f0f54b51c415205" +content-hash = "fe45fda91997f6001207b828d4c17c2364b7c4b403ec3d82ef8154252e2a8f4c" diff --git a/pyproject.toml b/pyproject.toml index cd07bc86..7dff4b36 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -31,7 +31,6 @@ Documentation = "https://python-keycloak.readthedocs.io/en/latest/" [tool.poetry.dependencies] python = ">=3.8,<4.0" requests = ">=2.20.0" -python-jose = ">=3.3.0" mock = {version = "^4.0.3", optional = true} alabaster = {version = "^0.7.12", optional = true} commonmark = {version = "^0.9.1", optional = true} @@ -43,6 +42,7 @@ m2r2 = {version = "^0.3.2", optional = true} sphinx-autoapi = {version = "^3.0.0", optional = true} requests-toolbelt = ">=0.6.0" deprecation = ">=2.1.0" +jwcrypto = "^1.5.4" [tool.poetry.extras] docs = [ diff --git a/src/keycloak/keycloak_openid.py b/src/keycloak/keycloak_openid.py index 1bcc7f7f..499f3e54 100644 --- a/src/keycloak/keycloak_openid.py +++ b/src/keycloak/keycloak_openid.py @@ -30,7 +30,7 @@ class to handle authentication and token manipulation. import json from typing import Optional -from jose import jwt +from jwcrypto import jwk, jwt from .authorization import Authorization from .connection import ConnectionManager @@ -539,7 +539,16 @@ def decode_token(self, token, key, algorithms=["RS256"], **kwargs): :returns: Decoded token :rtype: dict """ - return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs) + # To keep the same API, we map the python-jose options to our claims for jwcrypto + # Per the jwcrypto dev, `exp` and `nbf` are always checked + options = kwargs.get("options", {}) + check_claims = {} + if options.get("verify_aud") is True: + check_claims["aud"] = self.client_id + + k = jwk.JWK.from_pem(key.encode("utf-8")) + full_jwt = jwt.JWT(jwt=token, key=k, algs=algorithms, check_claims=check_claims) + return jwt.json_decode(full_jwt.claims) def load_authorization_config(self, path): """Load Keycloak settings (authorization). diff --git a/tests/test_keycloak_admin.py b/tests/test_keycloak_admin.py index e8f889a0..d5dc1340 100644 --- a/tests/test_keycloak_admin.py +++ b/tests/test_keycloak_admin.py @@ -1638,9 +1638,7 @@ def test_client_roles(admin: KeycloakAdmin, client: str): # Test update client role res = admin.update_client_role( - client_id=client, - role_name="client-role-test", - payload={"name": "client-role-test-update"}, + client_id=client, role_name="client-role-test", payload={"name": "client-role-test-update"} ) assert res == dict() with pytest.raises(KeycloakPutError) as err: