This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Validate token in current_user #47

Closed
valeriiduz opened this issue May 20, 2022 · 4 comments

Comments

@valeriiduz
Contributor

We noticed that the current_user function (line 220), when receiving a token, doesn't validate the token the way the lib does in the admin_token method (line 141).

Is it by design or can I create a fix for that?

@yannicschroeer
Collaborator

Hey @valeriiduz,
I cannot find the flaw you're mentioning. The current_user method utilizes the _decode_token method, which in turn verifies the token via the public key. Could you provide the mentioned code snippet?

@valeriiduz
Contributor Author

In the lib, we have the token_is_valid method, which checks whether a token is valid or not, but in current_user we don't use it. For example, in admin_token we have a condition for that:

    @property
    def admin_token(self):
        """ Holds an AccessToken for the `admin-cli` client

        Returns:
            KeycloakToken: A token, valid to perform admin actions

        Notes:
            - This might result in an infinite recursion if something unforeseen goes wrong
        """
        if self.token_is_valid(token=self._admin_token):
            return self._admin_token
        self._get_admin_token()
        return self.admin_token

and I want to add a similar condition to the current_user method. Something like this:

        def current_user(token: OAuth2PasswordBearer = Depends(self.user_auth_scheme)) -> OIDCUser:
            """ Decodes and verifies a JWT to get the current user

            Args:
                token OAuth2PasswordBearer: Access token in `Authorization` HTTP-header

            Returns:
                OIDCUser: Decoded JWT content

            Raises:
                ExpiredSignatureError: If the token is expired (exp is in the past)
                JWTError: If decoding fails or the signature is invalid
                JWTClaimsError: If any claim is invalid
                HTTPException: If any role required is not contained within the roles of the users
            """
            if not self.token_is_valid(token=token, audience="account"):
                return None
            decoded_token = self._decode_token(token=token, audience="account")
            user = OIDCUser.parse_obj(decoded_token)
            if required_roles:
                for role in required_roles:
                    if role not in user.roles:
                        raise HTTPException(status_code=403, detail=f'Role "{role}" is required to perform this action')
            return user

        return current_user

@yannicschroeer
Collaborator

yannicschroeer commented May 20, 2022

Ah okay! So, the admin token is managed by this library, the user tokens are usually your custom implementation.

Both the admin token and the user tokens are validated. The validation you're referring to here determines whether the admin token is still valid: it checks whether the exp (expiry) has been reached, and if the token has expired, a new one is requested. There is not much sense in providing the same functionality for the user tokens, as they're not managed by this library.

You could either wrap the functions and implement a custom handler for the exception that is thrown for expired user tokens or check the exp upfront.

I hope I got you right?
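The two cases the reply above distinguishes, as an added example that is not code from fastapi-keycloak or from either participant: a library-managed admin token that is re-requested once its exp is reached, and an application-managed user token whose expiry is surfaced to the caller as a 401 by a wrapper around the verifying decode. To run offline on the standard library it assumes HS256 with a constructed shared secret and a stand-in HTTPException class; the real library verifies RS256 tokens against the realm public key with python-jose, whose exception names (ExpiredSignatureError, JWTError, JWTClaimsError) are reused here. sign_token, decode_token, token_is_valid, AdminTokenCache and current_user are the example's own names, and the "account" audience is taken from the snippet in the thread.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret, assumed for this offline example only (HS256).
# fastapi-keycloak itself verifies RS256 tokens against the realm public key.
SECRET = b"example-shared-secret-not-for-production"


class ExpiredSignatureError(Exception):
    """exp lies in the past (name borrowed from python-jose)."""


class JWTError(Exception):
    """Token is malformed or its signature does not verify."""


class JWTClaimsError(Exception):
    """A claim such as aud is wrong."""


class HTTPException(Exception):
    """Stand-in for fastapi.HTTPException so the example has no dependencies."""

    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint a compact JWS (header.payload.signature) so the tests have tokens to feed in."""
    header = _b64url(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def decode_token(token: str, audience: str, secret: bytes = SECRET,
                 now: Optional[float] = None) -> dict:
    """Verify in the order that matters: signature, then exp, then aud.

    An exp read from an unverified payload proves nothing, since anyone can mint a
    payload with a future exp; that is why the signature check comes first.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise JWTError("malformed token") from exc
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise JWTError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:  # a missing exp is treated as expired
        raise ExpiredSignatureError("token has expired")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise JWTClaimsError(f"audience {audience!r} not in {aud!r}")
    return claims


def token_is_valid(token: str, audience: str, now: Optional[float] = None) -> bool:
    """Boolean view of the same verification; this is what the admin-token check needs."""
    try:
        decode_token(token, audience, now=now)
        return True
    except (ExpiredSignatureError, JWTError, JWTClaimsError):
        return False


class AdminTokenCache:
    """Library-managed case: keep the admin token while valid, re-request it once it is not."""

    def __init__(self, fetch_fresh_token):
        self._fetch = fetch_fresh_token  # assumed callable, e.g. a password grant for admin-cli
        self._admin_token = None
        self.refreshes = 0

    def admin_token(self, now: Optional[float] = None) -> str:
        if self._admin_token is not None and token_is_valid(self._admin_token, "account", now=now):
            return self._admin_token
        self._admin_token = self._fetch()  # loop-free form of the recursive property in the thread
        self.refreshes += 1
        return self._admin_token


def current_user(token: str, required_roles=(), audience: str = "account",
                 now: Optional[float] = None) -> dict:
    """Application-managed case: verify, and turn an expired token into a 401 the client can act on."""
    try:
        claims = decode_token(token, audience, now=now)
    except ExpiredSignatureError as exc:
        raise HTTPException(401, "Token expired; obtain a new one via your refresh flow") from exc
    except (JWTError, JWTClaimsError) as exc:
        raise HTTPException(401, f"Invalid token: {exc}") from exc
    roles = claims.get("realm_access", {}).get("roles", [])
    for role in required_roles:
        if role not in roles:
            raise HTTPException(403, f'Role "{role}" is required to perform this action')
    return claims
```

Note the ordering inside decode_token: the signature is checked before exp and aud are read, so a forged token with a comfortable expiry is rejected as invalid rather than accepted as unexpired. That is the reason a bare "check exp upfront" on the raw payload cannot replace the verifying decode; it can only sit in front of it as a cheap pre-check, exactly as the admin_token property does with a token the library itself obtained.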

@valeriiduz
Contributor Author

Yep, got it. You are right, it's better to leave this approach upfront, because different systems can have different flows to regenerate tokens for users. Thanks! I'll close the issue.
