fix: don't require keycloak algorithms in background_jobs (#869)

Panaetius · web-flow · commit 54842e61a1db · 2025-05-21T07:59:14.000Z
diff --git a/bases/renku_data_services/data_api/dependencies.py b/bases/renku_data_services/data_api/dependencies.py
@@ -528,6 +528,9 @@ def from_env(cls, prefix: str = "") -> "DependencyManager":
                     message="The JWKS url for Keycloak cannot be found from the OIDC discovery endpoint."
                 )
             jwks = PyJWKClient(jwks_url)
+            if config.keycloak.algorithms is None:
+                raise errors.ConfigurationError(message="At least one token signature algorithm is required.")
+
             authenticator = KeycloakAuthenticator(jwks=jwks, algorithms=config.keycloak.algorithms)
             assert config.gitlab_url is not None
             gitlab_authenticator = GitlabAuthenticator(gitlab_url=config.gitlab_url)
diff --git a/bases/renku_data_services/secrets_storage_api/dependencies.py b/bases/renku_data_services/secrets_storage_api/dependencies.py
@@ -51,6 +51,9 @@ def from_env(cls) -> "DependencyManager":
                     message="The JWKS url for Keycloak cannot be found from the OIDC discovery endpoint."
                 )
             jwks = PyJWKClient(jwks_url)
+            if config.keycloak.algorithms is None:
+                raise errors.ConfigurationError(message="At least one token signature algorithm is required.")
+
             authenticator = KeycloakAuthenticator(jwks=jwks, algorithms=config.keycloak.algorithms)
             core_client = K8sCoreClient()
 
diff --git a/components/renku_data_services/app_config/config.py b/components/renku_data_services/app_config/config.py
@@ -23,7 +23,7 @@ class KeycloakConfig:
     realm: str
     client_id: str
     client_secret: str
-    algorithms: list[str]
+    algorithms: list[str] | None
 
     @classmethod
     def from_env(cls) -> "KeycloakConfig":
@@ -36,9 +36,9 @@ def from_env(cls) -> "KeycloakConfig":
         client_id = os.environ["KEYCLOAK_CLIENT_ID"]
         client_secret = os.environ["KEYCLOAK_CLIENT_SECRET"]
         algorithms = os.environ.get("KEYCLOAK_TOKEN_SIGNATURE_ALGS")
-        if algorithms is None:
-            raise errors.ConfigurationError(message="At least one token signature algorithm is required.")
-        algorithms_lst = [i.strip() for i in algorithms.split(",")]
+        algorithms_lst = None
+        if algorithms is not None:
+            algorithms_lst = [i.strip() for i in algorithms.split(",")]
         return cls(
             url=url,
             realm=realm,

Original file line number	Diff line number	Diff line change
`@@ -51,6 +51,9 @@ def from_env(cls) -> "DependencyManager":`
`51`	`51`	`message="The JWKS url for Keycloak cannot be found from the OIDC discovery endpoint."`
`52`	`52`	`)`
`53`	`53`	`jwks = PyJWKClient(jwks_url)`
	`54`	`+ if config.keycloak.algorithms is None:`
	`55`	`+ raise errors.ConfigurationError(message="At least one token signature algorithm is required.")`
	`56`	`+`
`54`	`57`	`authenticator = KeycloakAuthenticator(jwks=jwks, algorithms=config.keycloak.algorithms)`
`55`	`58`	`core_client = K8sCoreClient()`
`56`	`59`