新增KEYCLOAK_AUDIENCE，解决前后端认证失败的问题

2026-02-24 15:15:13 +08:00
parent 29209f5c63
commit efc05f7278
2 changed files with 17 additions and 5 deletions
--- a/app/auth/keycloak_dependencies.py
+++ b/app/auth/keycloak_dependencies.py
@@ -1,3 +1,4 @@
+# import logging
 from uuid import UUID

 from fastapi import Depends, HTTPException, status
@@ -10,6 +11,8 @@ oauth2_optional = OAuth2PasswordBearer(
    tokenUrl=f"{settings.API_V1_STR}/auth/login", auto_error=False
 )

+# logger = logging.getLogger(__name__)
+

 async def get_current_keycloak_sub(
    token: str | None = Depends(oauth2_optional),
@@ -28,8 +31,14 @@ async def get_current_keycloak_sub(
        algorithms = [settings.ALGORITHM]

    try:
-        payload = jwt.decode(token, key, algorithms=algorithms)
+        payload = jwt.decode(
+            token,
+            key,
+            algorithms=algorithms,
+            audience=settings.KEYCLOAK_AUDIENCE or None,
+        )
    except JWTError as exc:
+        # logger.warning("Keycloak token validation failed: %s", exc)
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid token",