marcospereirampj / python-keycloak

MIT License

client_secret_key is not being validated? #489

Closed sergiocwork closed 5 months ago

sergiocwork commented 11 months ago

I am using a Keycloak confidential client. I have generated a key for the client. Using the client secret, I connect to the client via

```python
from keycloak import KeycloakOpenID  # import added; the comment posted only the constructor call

keycloak_openid = KeycloakOpenID(
    server_url="https://keycloak.me:8443/auth/",
    client_id="backend",
    client_secret_key="KbearRbXZdLbgJXtbfqVp5g1JE3DlQjZ",
    realm_name="turbo",
    verify=True,
)
```

If I enter the wrong client_secret_key, I get no issues. Is the client_secret_key not validated? Why can I still use userinfo or decode_token when I am no longer initializing with the correct client secret?

ahmedsmaali5 commented 10 months ago

Can you give us your keycloak exact version?

sergiocwork commented 10 months ago

Using Keycloak 18.0.

ryshoooo commented 10 months ago

AFAIK, client_secret is used for granting of tokens, i.e. for the token method of the KeycloakOpenID class. The moment you have a valid access/refresh token from the client, the client secret is not relevant anymore. The userinfo endpoint just uses the access token to give the user-info, as the access token holds the client data. decode_token does not require any client; you can actually decode any JWT token without verification at any time without any credentials. So to me this works as expected; the only surprise would be if the token method worked without client secret as well, but that should then be pointing to the keycloak project rather than this python SDK.

sergioc32 commented 10 months ago

Sounds like I don't fully understand oidc authentication. I was trying to use two clients in keycloak, a public client on my frontend that would authenticate and pass the token to the backend, which is a private client with a secret, that would mainly verify the token. From your response, that isn't the purpose of the token or decode_token method and it's really decoding a jwt which does not require a client secret. Thanks for the response and sorry for the confusion.

On Mon, Nov 13, 2023 at 5:55 AM Richard Nemeth wrote the comment quoted above.
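The two replies above describe the split that confuses the original poster: the client secret authenticates the *client* at the token endpoint, while a token is trusted by verifying the *realm's* signature on it, and a verification-free decode checks nothing at all. The following is an added example, not code from this thread or from python-keycloak. It shows a signature-free decode accepting a forged token beside a verifying decode that rejects it, together with the exp/iss/aud checks a backend must run. The realm key, issuer URL and claims are constructed for the example, and HS256 stands in for Keycloak's default RS256 so that the block runs with the standard library only; against a real realm you verify with the realm's public key (from its JWKS) and keep signature verification switched on.

```python
"""Added example: why a wrong client_secret_key goes unnoticed, and what a
backend must actually check on an access token before trusting it.

Assumption: HS256 with a constructed symmetric key stands in for the
realm's RS256 signing key so the example runs offline with stdlib only.
The checks (pinned alg, signature, exp, iss, aud) are the same either way."""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when a token fails verification."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWT. Stand-in for the realm's token endpoint (assumed HS256)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """Read the claims without checking the signature.

    This is all a verification-free decode does: base64 plus JSON. No key,
    secret or server round trip is involved, so a wrong client_secret_key
    cannot make it fail, and neither can a token forged by an attacker."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify, then decode: the checks a resource server runs before trusting claims."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must not choose it ("none", or a key-confusion downgrade).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("token expired")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    # Keycloak emits 'aud' as either a string or a list; accept both shapes.
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    return claims


def demo() -> dict:
    """The scenario from the issue with constructed keys and claims; returns each outcome."""
    realm_key = b"realm-signing-key-constructed-for-this-example"
    issuer = "https://keycloak.me:8443/auth/realms/turbo"  # assumed realm issuer URL
    claims = {"sub": "user-1", "iss": issuer, "aud": "backend", "exp": 2_000_000_000}
    token = sign_hs256(claims, realm_key)
    forged = sign_hs256(dict(claims, sub="admin"), b"attacker-key")

    def rejected(**kw):
        try:
            verify_hs256(**kw)
        except TokenError as exc:
            return str(exc)
        return None

    good = dict(key=realm_key, issuer=issuer, audience="backend")
    return {
        "unverified_sub": decode_unverified(token)["sub"],
        "forged_unverified_sub": decode_unverified(forged)["sub"],  # forgery goes unnoticed
        "verified_sub": verify_hs256(token, **good)["sub"],
        "forged": rejected(token=forged, **good),
        "wrong_key": rejected(token=token, key=b"wrong-key", issuer=issuer, audience="backend"),
        "wrong_aud": rejected(token=token, key=realm_key, issuer=issuer, audience="frontend"),
        "expired": rejected(token=token, now=2_000_000_001, **good),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note what `demo()` makes visible: `decode_unverified` happily returns `sub: admin` from the forged token, which is exactly why a backend that only decodes is not authenticating anything. The one place where the confidential client's secret does matter for checking a token is Keycloak's token introspection endpoint (RFC 7662), which authenticates the calling client; local verification against the realm's public key never uses it.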

codespearhead commented 6 months ago

Should this issue be closed then?

sergiocwork commented 5 months ago

Yes, you can close the ticket. I'm still not sure why the client_secret_key is not used, but it seems like that is just my issue.

Thanks, Sergio Cardoso

On Tuesday, March 12, 2024 11:49 AM Pedro Aguiar wrote the comment shown above.