Add support for decoding JWT tokens #3
Conversation
Why: - Extract microprofile from JWT instead of querying Keycloak - Retain KeycloakUser model - Enable Keycloak integration in tests - Add compatibility with async web servers - Add support for generating users with passwords - Fix misc. bugs This change addresses the need by: - Add urls to delete users and fetch keys to decode JWTs - Keep KeycloakUser as first class model - Add TestMixin to help with cleanup of integration tests - Mark middleware as sync-only compatible to trigger wrapper - Fix GraphQL url check - Fix user not being added to requests - Add password parameter for creating users
|
I've noticed that you've focused on the KeycloakUserAutoID while I'm happy using the original KeycloakUser. Since my tests don't cover the the AutoID version, I hope my changes don't break that functionality, but I've tried to be conscientious of it. I've run the changes through my test suite. However, since you use a different set of functionality, feedback from your internal test suite would be great. |
Why: - Use a cleaner method to check if a cache has been saved - Better linting and code completion support This change addresses the need by: - Add class property in constructor as None - Instead of using hasattr
|
I've also changed the |
Why: - Use common request config pattern This change addresses the need by: - Refactoring out generation of headers and server url
Why: - Uses the following libraries - rest_framework - dry-rest-permissions - jwt - requests This change addresses the need by: - Adding requirements in the setup.cfg file
|
I've also updated the library's library dependencies. I've not done this before, so please correct me if I'm wrong there |
|
Have you had time to form an impression about the changeset? Do you think it has potential to be merged? |
django_keycloak/keycloak.py
Outdated
| server_url = self.server_url | ||
| headers = {} | ||
| if self.internal_url: | ||
| server_url = self.internal_url | ||
| headers["HOST"] = urlparse(self.server_url).netloc |
There was a problem hiding this comment.
When using self.internal_url the HOST header must be urlparse(self.internal_url).netloc and not urlparse(self.server_url).netloc. This is a bug that was already here, but noticed it when testing with the DECODE_TOKEN=True, SERVER_URL="http://localhost:8080" and INTERNAL_URL=http://keycloak:8080. The subsequent requests done by public_key = self.jwks_client.get_signing_key_from_jwt(token).key used http://localhost:8080 instead of http://keycloak:8080 and since everything was inside docker, the request could not found http://localhost:8080.
Maybe we can simplify this and have only one URL that can be publicly accessible or an internal docker network reference (future improvement, I think).
There was a problem hiding this comment.
Makes sense. I've also just looked through the code and when internal URL is used, it overrides all uses of server_url, thereby supporting your idea to simplify the configuration to only use one url setting
There was a problem hiding this comment.
@moritz89 Could you please address the comment on django_keycloak/keycloak.py? I know that is from an already existent bug, but this way it will be already fixed with your PR. Besides that, with the tests we did, I think we can merge
Why: - HOST header must match domain used in URL This change addresses the need by: - Changing the internal and server URL in _make_request_config()
|
As a back of the envelop test, I tested the duration difference between decoding tokens vs. introspecting them against a Keycloak instance ( |
|
That is a great improvement! Yes, we could use ttl_cache for the decoding. Regarding the testes we weren't able to perform any specific tests (like response time). But everything seems to work and we will do more tests with the decoding option. I will merge this PR. @moritz89 it would be nice to have updates regarding the documentation and your improvements (decoding option). |
Why:
This change addresses the need by: