The library is missing the token introspection as defined in the standard: https://datatracker.ietf.org/doc/html/rfc7662
A consequence of this is that even if a user has been disabled on the Keycloak side, if that user still holds a valid JWT generated before the change, the library will still consider it valid. We'll have to wait until the JWT expiration time (which could be a long time) before the user can be considered completely blocked.
A very simple piece of code that can handle this:

```python
import json

from authlib.integrations.requests_client import OAuth2Session
from fastapi import HTTPException

# client_id, client_secret, keycloak_server, realm_name and token are
# placeholders for the values of your deployment and of the incoming request.
oauth = OAuth2Session(client_id=client_id, client_secret=client_secret)
result = oauth.introspect_token(
    url=f"{keycloak_server}/auth/realms/{realm_name}/protocol/openid-connect/token/introspect",
    token=token,
)
content = json.loads(result.content.decode())
# RFC 7662: "active" is the only required field; anything other than true means reject.
if not content.get("active", False):
    raise HTTPException(status_code=401, detail="Token expired or invalid")
else:
    ...  # token is active on the Keycloak side: continue handling the request
```
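As an added example (not code from the library or from the poster above), the following interprets an RFC 7662 introspection response so that a disabled user (`active: false`), a response with no `active` field, or a token the server reports active but already past its `exp` all fail closed before any scope check; the sample responses are constructed, not captured from a Keycloak server.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed RFC 7662 introspection responses (not from a real Keycloak server).
SAMPLE_ACTIVE = {"active": True, "sub": "user-123", "scope": "openid profile",
                 "exp": 4102444800, "client_id": "my-app"}
SAMPLE_REVOKED = {"active": False}            # disabled user or revoked token
SAMPLE_MALFORMED = {"sub": "user-123"}        # "active" missing: must fail closed
SAMPLE_STALE = {"active": True, "sub": "user-123", "exp": 1}  # exp already in the past


@dataclass(frozen=True)
class Introspection:
    active: bool
    subject: Optional[str]
    scopes: frozenset


def parse_introspection(body: dict, now: Optional[int] = None) -> Introspection:
    """Interpret an RFC 7662 response; only a literal `active: true` is accepted."""
    now = int(time.time()) if now is None else now
    active = body.get("active") is True          # bool check, not truthiness
    exp = body.get("exp")                        # optional field (RFC 7662 section 2.2)
    if active and isinstance(exp, int) and exp <= now:
        active = False                           # introspection says active, clock says expired
    if not active:
        return Introspection(active=False, subject=None, scopes=frozenset())
    scopes = frozenset(str(body.get("scope", "")).split())
    return Introspection(active=True, subject=body.get("sub"), scopes=scopes)


def authorize(body: dict, required_scope: str, now: Optional[int] = None) -> str:
    """Return the token subject if it is active and carries the scope; raise otherwise."""
    info = parse_introspection(body, now)
    if not info.active:
        raise PermissionError("token inactive, revoked or malformed")
    if required_scope not in info.scopes:
        raise PermissionError(f"missing scope {required_scope}")
    return info.subject
```

The `body` argument is what `result.json()` of the introspection call above returns, so this slots in where the `active` check sits in the snippet.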