From efc05f727872a71facb3e629d14f0f80cb317507 Mon Sep 17 00:00:00 2001
From: Jiang
Date: Tue, 24 Feb 2026 15:15:13 +0800
Subject: [PATCH] =?UTF-8?q?=E6=96=B0=E5=A2=9EKEYCLOAK=5FAUDIENCE=EF=BC=8C?= =?UTF-8?q?=E8=A7=A3=E5=86=B3=E5=89=8D=E5=90=8E=E7=AB=AF=E8=AE=A4=E8=AF=81?= =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/auth/keycloak_dependencies.py | 11 ++++++++++-
 app/core/config.py | 11 +++++++----
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/app/auth/keycloak_dependencies.py b/app/auth/keycloak_dependencies.py
index be8ef0c..403189e 100644
--- a/app/auth/keycloak_dependencies.py
+++ b/app/auth/keycloak_dependencies.py
@@ -1,3 +1,4 @@
+# import logging
 from uuid import UUID
 from fastapi import Depends, HTTPException, status
@@ -10,6 +11,8 @@ oauth2_optional = OAuth2PasswordBearer(
 tokenUrl=f"{settings.API_V1_STR}/auth/login", auto_error=False
 )
+# logger = logging.getLogger(__name__)
+
 async def get_current_keycloak_sub(
 token: str | None = Depends(oauth2_optional),
@@ -28,8 +31,14 @@ async def get_current_keycloak_sub(
 algorithms = [settings.ALGORITHM]
 try:
- payload = jwt.decode(token, key, algorithms=algorithms)
+ payload = jwt.decode(
+ token,
+ key,
+ algorithms=algorithms,
+ audience=settings.KEYCLOAK_AUDIENCE or None,
+ )
 except JWTError as exc:
+ # logger.warning("Keycloak token validation failed: %s", exc)
 raise HTTPException(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail="Invalid token",
diff --git a/app/core/config.py b/app/core/config.py
index 1501684..3a2eea4 100644
--- a/app/core/config.py
+++ b/app/core/config.py
@@ -1,4 +1,5 @@
-from pydantic_settings import BaseSettings
+from pathlib import Path
+from pydantic_settings import BaseSettings, SettingsConfigDict
 class Settings(BaseSettings):
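Review bot: The three logging lines are added commented out (`# import logging` in the first hunk of `app/auth/keycloak_dependencies.py`, `# logger = logging.getLogger(__name__)` in the second, and the `# logger.warning(...)` call under `except JWTError as exc:` in the third), so the module gains dead code and token rejections still leave no trace on the server. Either drop the lines or enable them. Enabled, `logger.warning("Keycloak token validation failed: %s", exc)` records the rejection reason that the generic `"Invalid token"` response does not give the client, which is what makes a mismatched `KEYCLOAK_AUDIENCE` or a run of bad tokens visible to whoever watches the logs; keep it logging the exception text only, never the raw token.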
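Review bot: Audience verification in the third hunk of `app/auth/keycloak_dependencies.py` is only as strong as the configured value: `audience=settings.KEYCLOAK_AUDIENCE or None` passes `None` whenever the setting is empty, and the `app/core/config.py` hunk gives `KEYCLOAK_AUDIENCE` the default `""`. If `jwt` here is python-jose (the `JWTError` name suggests so, but the import is outside the hunk), then as far as I know a token that carries no `aud` claim at all is still accepted when an audience is configured, unless the claim is marked required. Consider adding `options={"require_aud": bool(settings.KEYCLOAK_AUDIENCE)},` to the `jwt.decode(...)` call so a configured audience also rejects tokens without `aud`, and put a comment on the setting saying it must equal the `aud` value Keycloak issues for this API. No `issuer=` argument is visible in the call either; whether the issuer is checked elsewhere cannot be told from this hunk, and the enclosing function continues outside it.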
@@ -55,6 +56,7 @@ class Settings(BaseSettings):
 # Keycloak JWT (optional override)
 KEYCLOAK_PUBLIC_KEY: str = ""
 KEYCLOAK_ALGORITHM: str = "RS256"
+ KEYCLOAK_AUDIENCE: str = ""
 @property
 def SQLALCHEMY_DATABASE_URI(self) -> str:
@@ -67,9 +69,10 @@ class Settings(BaseSettings):
 f"@{self.METADATA_DB_HOST}:{self.METADATA_DB_PORT}/{self.METADATA_DB_NAME}"
 )
- class Config:
- env_file = ".env"
- extra = "ignore"
+ model_config = SettingsConfigDict(
+ env_file=Path(__file__).resolve().parents[2] / ".env",
+ extra="ignore",
+ )
 settings = Settings()
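Review bot: `env_file=Path(__file__).resolve().parents[2] / ".env"` in the last hunk ties the `.env` location to the source-tree layout (two directories above `app/core/config.py`), and nothing in the hunk reports when that file is absent. pydantic-settings skips a missing env file without error, so an installed or relocated copy of the package would start with the class defaults, which for the Keycloak fields shown in the previous hunk means an empty `KEYCLOAK_PUBLIC_KEY` and an empty `KEYCLOAK_AUDIENCE`. A comment above `model_config` such as `# .env is resolved relative to the repository root, not the working directory; real environment variables still take precedence` would document the change. A startup check that refuses to run with empty auth settings outside development would turn the silent fallback into a visible failure. The `Settings` class begins outside this hunk.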