diff --git a/app/auth/keycloak_dependencies.py b/app/auth/keycloak_dependencies.py
index be8ef0c..403189e 100644
--- a/app/auth/keycloak_dependencies.py
+++ b/app/auth/keycloak_dependencies.py
@@ -1,3 +1,4 @@
+# import logging
 from uuid import UUID
 
 from fastapi import Depends, HTTPException, status
@@ -10,6 +11,8 @@ oauth2_optional = OAuth2PasswordBearer(
     tokenUrl=f"{settings.API_V1_STR}/auth/login", auto_error=False
 )
 
+# logger = logging.getLogger(__name__)
+
 
 async def get_current_keycloak_sub(
     token: str | None = Depends(oauth2_optional),
@@ -28,8 +31,14 @@ async def get_current_keycloak_sub(
     algorithms = [settings.ALGORITHM]
 
     try:
-        payload = jwt.decode(token, key, algorithms=algorithms)
+        payload = jwt.decode(
+            token,
+            key,
+            algorithms=algorithms,
+            audience=settings.KEYCLOAK_AUDIENCE or None,
+        )
     except JWTError as exc:
+        # logger.warning("Keycloak token validation failed: %s", exc)
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail="Invalid token",
diff --git a/app/core/config.py b/app/core/config.py
index 1501684..3a2eea4 100644
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -1,4 +1,5 @@
-from pydantic_settings import BaseSettings
+from pathlib import Path
+from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
 class Settings(BaseSettings):
@@ -55,6 +56,7 @@ class Settings(BaseSettings):
     # Keycloak JWT (optional override)
     KEYCLOAK_PUBLIC_KEY: str = ""
     KEYCLOAK_ALGORITHM: str = "RS256"
+    KEYCLOAK_AUDIENCE: str = ""
 
     @property
     def SQLALCHEMY_DATABASE_URI(self) -> str:
@@ -67,9 +69,10 @@ class Settings(BaseSettings):
             f"@{self.METADATA_DB_HOST}:{self.METADATA_DB_PORT}/{self.METADATA_DB_NAME}"
         )
 
-    class Config:
-        env_file = ".env"
-        extra = "ignore"
+    model_config = SettingsConfigDict(
+        env_file=Path(__file__).resolve().parents[2] / ".env",
+        extra="ignore",
+    )
 
 
 settings = Settings()
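Review bot: The three commented-out logging lines (`# import logging` here, `# logger = logging.getLogger(__name__)` in the next hunk, and `# logger.warning("Keycloak token validation failed: %s", exc)` in the decode hunk) leave the 401 path silent while adding dead code to the module. The warning as written logs only the exception text, not the bearer token, so it is safe to enable; rejected tokens are exactly the event an operator needs to see when an audience or key misconfiguration starts failing every login. Either uncomment all three so the intent is complete, or drop them rather than leaving the change half-done.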
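Review bot: `audience=settings.KEYCLOAK_AUDIENCE or None` makes audience verification opt-in, and with the `KEYCLOAK_AUDIENCE: str = ""` default added in config.py the `aud` claim is not pinned at all, so a token minted by the same realm for a different client is accepted by this API. If the check is meant to be a requirement, fail closed: give the setting no empty default, or raise at startup when it is blank, rather than silently widening acceptance. Note also that with python-jose (which the `JWTError` name suggests) `audience=None` on a token that does carry an `aud` claim raises `Invalid audience`, so the `or None` fallback may reject every Keycloak token instead of skipping the check — confirm against the library in use and, if skipping is intended, pass `options={"verify_aud": False}` explicitly so the behaviour is deliberate. The context line `algorithms = [settings.ALGORITHM]` also sits beside the new `KEYCLOAK_ALGORITHM` setting; if `key` is the Keycloak public key, the accepted algorithm list should be the Keycloak one, which is not visible in this hunk. The enclosing `get_current_keycloak_sub` begins and ends outside the hunk.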
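Review bot: `Path(__file__).resolve().parents[2] / ".env"` relies on an undocumented magic index, and moving this module one directory level would silently point `env_file` at the wrong place and load no secrets. Add a comment such as `# app/core/config.py -> parents[2] is the repository root, where .env lives` so the dependency on the file's location is explicit. This also changes behaviour from the old `".env"`, which resolved against the working directory; worth a line in the commit message so deployments that relied on CWD lookup are not surprised.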