tobias/gwoe-antragspruefer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Fix: JWT aud=account bei Keycloak Public Clients — prüfe azp statt aud

Browse Source
This commit is contained in:
Dotty Dotter 2026-04-10 21:32:08 +02:00
parent f56c2af5cd
commit 49c1b92753
1 changed files with 9 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
app/auth.py
View File

@ -122,15 +122,22 @@ async def _validate_token(token: str) -> Optional[dict]:
logger.warning("JWT kid %s not found in JWKS", kid) logger.warning("JWT kid %s not found in JWKS", kid)
return None return None
# Keycloak setzt aud="account" für Public Clients, nicht den
# client_id. Prüfe azp (authorized party) statt aud, und
# deaktiviere den strikten aud-Check.
payload = jwt.decode( payload = jwt.decode(
token, token,
rsa_key, rsa_key,
algorithms=["RS256"], algorithms=["RS256"],
audience=settings.keycloak_client_id,
issuer=_keycloak_issuer(), issuer=_keycloak_issuer(),
options={"verify_exp": True}, options={"verify_exp": True, "verify_aud": False},
) )
# azp muss unserem Client entsprechen
if payload.get("azp") != settings.keycloak_client_id:
logger.warning("JWT azp %s != expected %s", payload.get("azp"), settings.keycloak_client_id)
return None
return { return {
"sub": payload.get("sub"), "sub": payload.get("sub"),
"email": payload.get("email", ""), "email": payload.get("email", ""),