spec-first/connexion

Authentication validation function doesn't respect error classes

alfechner opened this issue · 2 comments

I created a security schema based on this example linked from the docs.

import os

from jwt import PyJWKClient, decode
from werkzeug.exceptions import Unauthorized  # imported as in the docs example

# Assumption: the poster's app defines this elsewhere; a placeholder so the snippet runs
osep_correlation_id = "placeholder-correlation-id"


def decode_bearer_token(bearer_token):
    try:
        # Fetch the signing key matching the token's "kid" header from the JWKS endpoint
        jwks_client = PyJWKClient(
            os.environ["JWKS_URI"],
            headers={
                "User-agent": os.environ["USER_AGENT"],
                "X-CORRELATION-ID": osep_correlation_id,
            },
        )

        signing_key = jwks_client.get_signing_key_from_jwt(bearer_token)

        # Verify signature, algorithm, audience and issuer before returning the claims
        return decode(
            jwt=bearer_token,
            key=signing_key.key,
            algorithms=[os.environ["JWT_ALGORITHM"]],
            audience=[os.environ["JWT_AUDIENCE"]],
            issuer=os.environ["JWT_ISSUER"],
        )
    except Exception:
        raise Unauthorized("Invalid token")

The Unauthorized raised in the last line results in a 500 internal server error. I'd expect a problem detail returned reflecting the 401.

Am I doing something wrong or is 500 expected here?

I had the same issue and was able to solve it by importing connexion.exceptions.Unauthorized instead of the werkzeug.exceptions.Unauthorized provided in the example.

Thanks @previ , I feel happy and stupid at the same time 🤣