fix: use jwcrypto and remove python-jose

Author: Nathan Furnal

src/keycloak/keycloak_openid.py

@@ -30,7 +30,7 @@ class to handle authentication and token manipulation.
 import json
 from typing import Optional
 
-from jose import jwt
+from jwcrypto import jwk, jwt
 
 from .authorization import Authorization
 from .connection import ConnectionManager
@@ -539,7 +539,16 @@ def decode_token(self, token, key, algorithms=["RS256"], **kwargs):
         :returns: Decoded token
         :rtype: dict
         """
-        return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs)
+        # To keep the same API, we map the python-jose options to our claims for jwcrypto
+        # Per the jwcrypto dev, `exp` and `nbf` are always checked
+        options = kwargs.get("options", {})
+        check_claims = {}
+        if options.get("verify_aud") is True:
+            check_claims["aud"] = self.client_id
+
+        k = jwk.JWK.from_pem(key.encode("utf-8"))
+        full_jwt = jwt.JWT(jwt=token, key=k, algs=algorithms, check_claims=check_claims)
+        return jwt.json_decode(full_jwt.claims)
 
     def load_authorization_config(self, path):
         """Load Keycloak settings (authorization).

tests/test_keycloak_admin.py

@@ -1638,9 +1638,7 @@ def test_client_roles(admin: KeycloakAdmin, client: str):
 
     # Test update client role
     res = admin.update_client_role(
-        client_id=client,
-        role_name="client-role-test",
-        payload={"name": "client-role-test-update"},
+        client_id=client, role_name="client-role-test", payload={"name": "client-role-test-update"}
     )
     assert res == dict()
     with pytest.raises(KeycloakPutError) as err: