I am trying to connect a Flask application with a Keycloak public client that uses both types of endpoint decorators: @oidc.require_login and @oidc.accept_token. However, I have run into the following issue.
For a Keycloak confidential client I can access all endpoints in the Flask application. This is my app config:
    flask_app.config.update({
        'SECRET_KEY': 'no-body-knows',
        'TESTING': True,
        'DEBUG': True,
        'OIDC_CLIENT_SECRETS': 'client_secrets.json',
        'OIDC_OPENID_REALM': 'testrealm',
        'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
        'OIDC_SCOPES': ['openid', 'email', 'profile'],
        'OIDC_COOKIE_SECURE': True,
        'OIDC_CALLBACK_ROUTE': '/oidc_callback',
        'OIDC_TOKEN_TYPE_HINT': 'access_token',
        'OIDC_RESOURCE_SERVER_ONLY': False
    })
and the contents of my (sanitized) client_secrets.json:
    {
        "web": {
            "client_id": "confidential-client",
            "client_secret": "axxxxxxx-1xxx-5xxx-exxxx-2xxxxxxx",
            "auth_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/auth",
            "token_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token",
            "issuer": "https://my-keycloak-url.com/auth/realms/testrealm",
            "userinfo_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/userinfo",
            "token_introspection_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token/introspect",
            "redirect_uris": [
                "http://localhost:5000/oidc_callback"
            ],
            "bearer_only": "true"
        }
    }
For the case of a public Keycloak client, I modified my client_secrets.json as follows (just set the client_secret to an empty string):
    {
        "web": {
            "client_id": "public-client",
            "client_secret": "",
            "auth_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/auth",
            "token_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token",
            "issuer": "https://my-keycloak-url.com/auth/realms/testrealm",
            "userinfo_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/userinfo",
            "token_introspection_uri": "https://my-keycloak-url.com/auth/realms/testrealm/protocol/openid-connect/token/introspect",
            "redirect_uris": [
                "http://localhost:5000/oidc_callback"
            ],
            "bearer_only": "true"
        }
    }
However, when I deploy this Flask app under a public Keycloak client, I can still access the @oidc.require_login endpoints, but the @oidc.accept_token API endpoints return this error:

    {"error": "invalid_token", "error_description": "Token required but invalid"}
The use of a Keycloak public client is a requirement of the microservice environment where this Flask app will live. I don't control this requirement, and the other microservices (written in Java, Angular, etc.) have no issues with this Keycloak configuration.
Is there a way to use a Keycloak public client with flask-oidc endpoints using the @oidc.accept_token decorator? It seems to me this is a common OIDC scenario.

I am running this on Python 3.8.6 with Flask 1.0.2 and flask-oidc 1.4.0.
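Token introspection requires the caller to authenticate as a client, which a public client with an empty secret cannot do, so the `client_secret_post` round trip behind `@oidc.accept_token` is rejected regardless of the token. A resource server that must sit behind a public client can instead verify the RS256 access token locally against the realm's public key. The routine below is an added example, not code from the question or from flask-oidc; it assumes the realm's RSA public key has already been fetched as integers (n, e) from the realm's JWKS (certs) endpoint, and takes ISSUER and CLIENT_ID from the question's client_secrets.json.

```python
import base64, hashlib, json, time

# Realm values taken from the question's client_secrets.json.
ISSUER = "https://my-keycloak-url.com/auth/realms/testrealm"
CLIENT_ID = "public-client"
# DER prefix of the SHA-256 DigestInfo used by EMSA-PKCS1-v1_5 (RFC 8017, 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1v15_encode(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), padded to the modulus size k."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n, e, signing_input, sig):
    """Verify an RS256 (RSASSA-PKCS1-v1_5 / SHA-256) signature with public key (n, e)."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1v15_encode(signing_input, k)

def validate_access_token(token, n, e, now=None):
    """Return the claims of a Keycloak RS256 access token, or raise ValueError.
    Checks alg, signature, typ, iss, exp/nbf and azp/aud locally; no introspection."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # reject "none" and HMAC algorithms outright
        raise ValueError("unexpected alg")
    if not rs256_verify(n, e, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    if claims.get("typ") != "Bearer":
        raise ValueError("not an access token")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now or claims.get("nbf", 0) > now:
        raise ValueError("token expired or not yet valid")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != CLIENT_ID and CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    return claims
```

Wrap it in a decorator that reads the `Authorization: Bearer` header in place of `@oidc.accept_token`; with Keycloak the matching realm key is selected by the `kid` in the token header, and keys should be cached and refreshed from the JWKS endpoint rather than hard-coded.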