kroketio / quart-keycloak

Add Keycloak OpenID Connect support to your Quart application.
BSD 3-Clause "New" or "Revised" License

check keycloak token #1

Closed rubikscuber closed 1 year ago

rubikscuber commented 2 years ago

Hello,

maybe someone could help me here:

After receiving and storing the token in a session (and verifying it with openid_keycloak.verify_token(resp["access_token"])), how do I best check a token before serving a request? Is there a better/cleaner way than this?

  user_info = await openid_keycloak.user_info(session["access_token"])

  if "error" in user_info:
      logout()

I am using keycloak.

sanderfoobar commented 2 years ago

openid_keycloak.verify_token(resp["access_token"]) is the way - if this call passes without raising an exception then the token is correct and verified.

The reason this library does not do this automatically is so that programmers can have maximum control over whether to verify the token or not.

rubikscuber commented 2 years ago

OK, but if the user is logged out for some reason (e.g. Keycloak admin portal, "log out all sessions"), then the token is still correct and verifiable until it expires. If I want to restrict access immediately when the user has been logged out by some other component not controlled by my application directly, I have to call e.g. the user info endpoint (e.g. user_info = await openid_keycloak.user_info(session["access_token"])) and log out the user in my application if this fails. It would be nice to have a function in the library that takes care of this. Maybe there is already a clean way and I did not find it.

sanderfoobar commented 2 years ago

Yeah, verify_token only verifies the token cryptographically.

Previously I have worked with an SSO system (CAS) that would contact all registered clients (read: all web applications) on a special URL with a 'logout token' when a user is forcefully logged out, at which point the clients (applications) handle the user logout themselves.

Seems like Keycloak has something similar called Back-Channel logout. I'm not sure where I can find this in the Keycloak admin panel - maybe it is on by default?

Would be nice to have quart_session_openid register a logout route that Keycloak sends logout tokens towards. I would need to know what this route should be, though.

sanderfoobar commented 2 years ago

Looks like it can be found over at https://keycloak/auth/realms/master/.well-known/openid-configuration as end_session_endpoint.

I have created a feature request here https://github.com/sanderfoobar/quart-session-openid/issues/2

rubikscuber commented 2 years ago

> Seems like Keycloak has something similar called Back-Channel logout. I'm not sure where I can find this in the Keycloak admin panel - maybe it is on by default?

I see it in my admin panel under the client settings. I have to test it, but I think I need to keep the token check anyway in the case the client is misconfigured.
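The two comments above describe what a back-channel logout route has to do: accept a logout token pushed by Keycloak, verify it, and tear down the matching local sessions. The following is an added example, not code from quart-keycloak or from anyone in this thread, of that handler written against the OpenID Connect Back-Channel Logout 1.0 rules (issuer, audience, iat, a jti that has not been seen before, an `events` claim containing the back-channel-logout member, no `nonce`, and at least one of `sub`/`sid`). For offline demonstration the token is signed with HS256 and a shared secret; a real Keycloak realm signs logout tokens with its RS256 key, which you would verify against the realm's JWKS instead. `ISSUER`, `CLIENT_ID`, `CLIENT_SECRET` and the in-memory `sessions` dict are assumed, constructed values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values (assumptions for this example, not from the thread).
ISSUER = "https://keycloak.example/auth/realms/master"
CLIENT_ID = "quart-app"
CLIENT_SECRET = b"demo-shared-secret"  # HS256 demo only; Keycloak really uses RS256 + JWKS
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"
_SEEN_JTI: set = set()  # replay cache; use a shared store in a multi-process deployment


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_logout_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Build an HS256 JWT; stands in for the realm's RS256 signer in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_logout_token(token: str, now: Optional[float] = None,
                        secret: bytes = CLIENT_SECRET) -> dict:
    """Validate a logout token (Back-Channel Logout 1.0, section 2.6).
    Raises ValueError on any failure, returns the verified claims otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose (e.g. alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))

    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + 60:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and claims["exp"] < now:
        raise ValueError("token expired")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("not a logout token")
    if "nonce" in claims:  # an ID token must not be accepted as a logout token
        raise ValueError("nonce present")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("neither sub nor sid")
    jti = claims.get("jti")
    if not jti:
        raise ValueError("jti missing")
    if jti in _SEEN_JTI:
        raise ValueError("replayed logout token")
    _SEEN_JTI.add(jti)
    return claims


def handle_backchannel_logout(raw_token: str, sessions: dict,
                              now: Optional[float] = None) -> Tuple[int, int]:
    """What the POST /backchannel-logout route does once Quart has read the
    'logout_token' form field: verify it, then drop the matching local sessions.
    `sessions` maps local session id -> {"sub": ..., "sid": ...}.
    Returns (http_status, sessions_removed); 400 is what the spec prescribes
    for an invalid logout token."""
    try:
        claims = verify_logout_token(raw_token, now=now)
    except ValueError:
        return 400, 0
    # With a sid, log out that one Keycloak session; with only a sub, all of the user's sessions.
    doomed = [
        key for key, s in sessions.items()
        if ("sid" in claims and s.get("sid") == claims["sid"])
        or ("sid" not in claims and s.get("sub") == claims["sub"])
    ]
    for key in doomed:
        del sessions[key]
    return 200, len(doomed)
```

To wire this into Quart you would store the Keycloak `sid` (and `sub`) from the ID token alongside each local session at login, since that is the key the logout token carries, and keep the per-request cryptographic `verify_token` check as well: back-channel delivery only helps when the client is correctly configured and the request from Keycloak actually reaches the application.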

kroketio commented 1 year ago

@rubikscuber

> I want to restrict access immediately when the user has been logged out by some other component not controlled by my application directly

This should work for your use-case: https://github.com/kroketio/quart-keycloak#handling-logout-events

Note that the extension changed name to quart-keycloak and there are some small API changes.