Closed ddtxra closed 1 year ago
I tried to use the documentation found in here: https://pyjwt.readthedocs.io/en/latest/usage.html#retrieve-rsa-signing-keys-from-a-jwks-endpoint related to the validation of a JWT token using JWKS but it was not working for me using Keycloak issuer.
That may be because of https://github.com/jpadilla/pyjwt/pull/863, your JWK endpoint might be returning unsupported keys and PyJWT currently fails to ignore them.
But at the end I still have problem with this code. Why do I need to specify an audience? Some of my users don't have the required resource_access for the specified audience, so the token does not contain the "aud" field, which is ok. But when those users try to login, the decode function crashes with MissingRequiredClaimError. Is there a way to specify all audiences or ignore this field? It seems mandatory to set in the decode function and also the token must contain the "aud" field...
By default, even if you don't pass any value to the `audience` parameter of `decode`, PyJWT will validate the `aud` claim, if present in the token. Validation will succeed if there's no `aud` claim in the token.

But as you are explicitly setting the `audience` to `app_****`, PyJWT will raise an error even if no `aud` claim is available in the token.

To disable the `aud` validation, use:

```python
jwt.decode(token, key=key, algorithms=["RS256"], options={"verify_aud": False})
```
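The outcome matrix behind that reply, as an added example (not code from the issue thread or from PyJWT's docs): it mints constructed HS256 tokens with a throwaway key so it runs offline, whereas the Keycloak case uses RS256 keys from a JWKS endpoint, but the `aud` handling in `jwt.decode` is the same; `app_example` stands in for the redacted `app_****`.

```python
# Added example: how PyJWT's audience check reacts to a token without an "aud"
# claim, and what "verify_aud": False actually switches off.
import jwt
from jwt.exceptions import InvalidAudienceError, MissingRequiredClaimError

SECRET = "constructed-demo-secret-do-not-reuse"  # placeholder key, demo only
EXPECTED_AUD = "app_example"                     # placeholder for the issue's app_****


def make_token(claims):
    """Mint a signed test token with the given claims (HS256 for portability)."""
    return jwt.encode(claims, SECRET, algorithm="HS256")


def decode_outcome(token, audience=None, verify_aud=True):
    """Run jwt.decode and return a short label describing what happened."""
    try:
        payload = jwt.decode(
            token, SECRET, algorithms=["HS256"],
            audience=audience, options={"verify_aud": verify_aud},
        )
        return "ok:" + ",".join(sorted(payload))
    except MissingRequiredClaimError:
        return "missing_aud"      # audience expected, claim absent (the reported crash)
    except InvalidAudienceError:
        return "wrong_aud"        # claim present but does not match


def demo():
    """Return the decode outcome for each combination discussed in the thread."""
    no_aud = make_token({"sub": "user-without-resource_access"})
    with_aud = make_token({"sub": "user-with-client-role", "aud": EXPECTED_AUD})
    other_aud = make_token({"sub": "token-for-another-client", "aud": "other_app"})
    return {
        # audience given, claim absent -> MissingRequiredClaimError
        "no_aud/audience_set": decode_outcome(no_aud, audience=EXPECTED_AUD),
        # audience not given, claim absent -> accepted
        "no_aud/no_audience": decode_outcome(no_aud),
        # audience given and matching -> accepted
        "aud/audience_set": decode_outcome(with_aud, audience=EXPECTED_AUD),
        # with the check on, a token minted for another client is rejected
        "other_aud/audience_set": decode_outcome(other_aud, audience=EXPECTED_AUD),
        # verify_aud=False accepts the aud-less token, but also the other client's token
        "no_aud/verify_aud_off": decode_outcome(no_aud, audience=EXPECTED_AUD, verify_aud=False),
        "other_aud/verify_aud_off": decode_outcome(other_aud, audience=EXPECTED_AUD, verify_aud=False),
    }
```

The last two entries are the trade-off to weigh before shipping `verify_aud: False`: the option removes the audience check for every token, not only for the users whose token lacks the claim, so a token issued for a different client is accepted as well.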
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days
As https://github.com/jpadilla/pyjwt/pull/863 is now fixed, this can be closed.
Hello, I tried to use the documentation found in here: https://pyjwt.readthedocs.io/en/latest/usage.html#retrieve-rsa-signing-keys-from-a-jwks-endpoint related to the validation of a JWT token using JWKS but it was not working for me using Keycloak issuer.
Then I searched for more documentation on Google and found out this great blog post: https://renzolucioni.com/verifying-jwts-with-jwks-and-pyjwt/
At the end I wrote down this code which worked for me (and could be useful for someone else, so I paste it here)