From: "Vinay Anantharaman" <vinayan3(a)gmail.com>
To: "Bill Burke" <bburke(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Friday, 14 August, 2015 9:42:39 PM
Subject: Re: [keycloak-dev] Implementing database-service example in Python
I'll be looking into this and will report back if a library exists for Python
to read JWT tokens.
I was wondering is there an API on the KeyCloak server for doing JWT token
verification? Or rather should we decode the token and use the REST admin
endpoints if we need to query more information?
There is a rest endpoint that can be used to verify a token, but that requires a request
to KC. As the token is signed it's better to just check it locally as it reduces the
amount of request to Keycloak.
Vinay
On Thu, Aug 13, 2015 at 9:05 AM, Bill Burke < bburke(a)redhat.com > wrote:
If you're interested in becoming a contributor Vinay, this would be a
very useful extension!
BTW, we also have a "lightweight" Java Security HTTP Proxy based on
Undertow that you can use to secure python apps.
On 8/13/2015 2:00 AM, Stian Thorgersen wrote:
> Afraid we don't have any libraries for Python yet.
>
> Simply verifying the token should be relatively straight forward though.
> It's a standard JWT token (base64 encoded json) with a JWS signature. You
> can look at RSATokenVerifier to see what details should be verified
> (expiration date, issuer, etc..). You also need to verify the signature.
> There may quite likely be JWT libraries for Python you can use.
>
> ----- Original Message -----
>> From: "Vinay Anantharaman" < vinayan3(a)gmail.com >
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Thursday, 13 August, 2015 12:21:01 AM
>> Subject: [keycloak-dev] Implementing database-service example in Python
>>
>> Hi,
>> I'm trying to implement the example database service from Python. The
>> description is here:
>>
>>
>>
>>
https://github.com/keycloak/keycloak/tree/master/examples/demo-template
>>
>> Our backend service is contacted directly by clients with an access token
>> from the Keycloak server. We would like to verify access tokens are and
>> then
>> return some data they need. I was looking at the code here:
>>
>>
>>
>>
https://github.com/keycloak/keycloak/blob/master/examples/demo-template/d...
>> service/src/main/java/org/keycloak/example/oauth/CustomerService.java
>>
>> In Java this seems quite trivial with the support of Keycloak libraries.
>> In
>> Python I won't have them. What are the APIs on Keycloak I can use to
>> verify
>> an access token? Furthermore, are you aware of any classes like
>> RSATokenVerifier for python? I saw it being used here:
>>
>>
>>
>>
https://github.com/keycloak/keycloak/blob/master/testsuite/integration/sr...
>>
>> Thanks,
>>
>>
>> Vinay Anantharaman
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Vinay Anantharaman
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev