Add support for private jwt key

bakdata · Feb 23, 2024 · 7a0cabc · 7a0cabc
1 parent 3b53478
commit 7a0cabc
Showing 1 changed file with 17 additions and 0 deletions.
diff --git a/keycloak/oauth.py b/keycloak/oauth.py
@@ -3,6 +3,7 @@
 from authlib.common.security import generate_token
 from authlib.integrations.starlette_client import OAuth, StarletteOAuth2App
 from authlib.jose import JWTClaims, JsonWebToken, JsonWebKey
+from authlib.oauth2.rfc7523 import PrivateKeyJWT
 
 from starlette import status
 from starlette.datastructures import URL
@@ -29,10 +30,23 @@ def __init__(
         base_url: str = "/",
         logout_target: str = "/",
     ) -> None:
+
         self.code_verifier = generate_token(48)
         self._base_url = base_url
         self._logout_page = logout_target
+
         oauth = OAuth()
+
+        # TODO use private key as client secret for JWT and expose public key via custom endpoint
+        # with open("keypair.pem", "rb") as f:
+        #     client_secret = f.read()
+
+        # TODO call self.keycloak.load_server_metadata() and get token_endpoint
+        token_endpoint = (
+            "http://localhost:8180/realms/daewy/protocol/openid-connect/token"
+        )
+        auth_method = PrivateKeyJWT(token_endpoint)
+
         oauth.register(
             name="keycloak",
             # client_id and client_secret are created in keycloak
@@ -41,7 +55,10 @@ def __init__(
             server_metadata_url=server_metadata_url,
             client_kwargs=client_kwargs,
             code_challenge_method="S256",
+            client_auth_methods=[auth_method],
+            token_endpoint_auth_method=auth_method.name,
         )
+
         assert isinstance(oauth.keycloak, StarletteOAuth2App)
         self.keycloak = oauth.keycloak