
Getting KEYCLOAK_EXEMPT_URIS to work #40

@Duentemeiname


Hi,
first of all – thank you for the project! I really love the easy implementation of Keycloak Authentication!

I'm running into a problem with KEYCLOAK_EXEMPT_URIS. I’m using Django REST Framework with function-based views decorated via @api_view, which should be supported according to the documentation.

Setup:

  • DRF with @api_view decorators
  • KeycloakMiddleware is correctly added in MIDDLEWARE
  • Django==5.2.4
  • django-keycloak-auth==1.0.0
  • djangorestframework==3.16.0

Example view:

from rest_framework.decorators import api_view
from rest_framework.response import Response

@api_view(['POST'])
def book_appointment(request):
    # ... booking logic omitted in the issue; placeholder response so the view runs
    return Response({'status': 'ok'})

The following config is in settings.py:

MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    'django_keycloak_auth.middleware.KeycloakMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

KEYCLOAK_EXEMPT_URIS = [
    'http://127.0.0.1:8000/api/appointments/unbooked/',
    '/api/appointments/unbooked/',
    'api/appointments/unbooked',
    'api/appointments/unbooked/',
    'api/appointments/book',
    'api/appointments/book/',
]

KEYCLOAK_CONFIG = {
    'KEYCLOAK_SERVER_URL': 'https://login.idp.domain.de',
    'KEYCLOAK_REALM': 'id',
    'KEYCLOAK_CLIENT_ID': 'account',
    'KEYCLOAK_CLIENT_SECRET_KEY': '',
    'KEYCLOAK_CACHE_TTL': 60,
    'LOCAL_DECODE': True
}

As you can see, I would like to "whitelist" the endpoints api/appointments/unbooked/ and api/appointments/book/.

Even though the path matches exactly (request.path_info[1:] is 'api/appointments/book/'), the middleware still enforces authentication and rejects the request without a valid token.

Response:

{
    "detail": "Authentication credentials were not provided."
}

I didn't patch the middleware with custom logging, but verified the path in the terminal via print statements and confirmed it matches the exempt URI.

Unauthorized: /api/appointments/unbooked/
[11/Jul/2025 13:37:29] "GET /api/appointments/unbooked/ HTTP/1.1" 401 59

Is there anything I'm missing in how KEYCLOAK_EXEMPT_URIS handles @api_view-based DRF views?

Could there be an issue in the exemption check logic?

Thanks in advance for your support! Hope you can help me, because I don't want to change to another package for the authentication.

Best regards,
Luca
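Added example, not code from django-keycloak-auth or from the issue author: a stand-alone, hypothetical exemption check that takes the issue's own KEYCLOAK_EXEMPT_URIS list and shows, for a given request.path_info, which of the listed spellings an anchored comparison after normalisation would match, next to what a verbatim request.path_info[1:] comparison would give. The functions normalize, is_exempt, raw_exact_match and matching_entries are assumptions for illustration; the package's real matching logic may differ.

```python
from urllib.parse import urlsplit

# Exempt list copied from the issue's settings.py (constructed sample input).
KEYCLOAK_EXEMPT_URIS = [
    'http://127.0.0.1:8000/api/appointments/unbooked/',
    '/api/appointments/unbooked/',
    'api/appointments/unbooked',
    'api/appointments/unbooked/',
    'api/appointments/book',
    'api/appointments/book/',
]


def normalize(uri: str) -> str:
    """Canonical form for comparison: keep only the path component (drops a
    configured scheme/host and any query string) and strip leading/trailing
    slashes, so 'http://host/a/b/', '/a/b/' and 'a/b' all compare equal."""
    return urlsplit(uri).path.strip("/")


def is_exempt(path_info: str, exempt_uris) -> bool:
    """Hypothetical anchored check (not the package's own logic): the whole
    normalised request path must equal a normalised entry. A prefix or
    substring comparison here would silently exempt sub-paths as well."""
    target = normalize(path_info)
    return any(normalize(entry) == target for entry in exempt_uris)


def raw_exact_match(path_info: str, exempt_uris) -> bool:
    """The verbatim comparison the issue reasons about: request.path_info[1:]
    checked against each configured entry with no normalisation. Entries
    written as full URLs can never match this way."""
    return path_info[1:] in exempt_uris


def matching_entries(path_info: str, exempt_uris) -> list:
    """Which configured spellings cover this request under the anchored check."""
    target = normalize(path_info)
    return [entry for entry in exempt_uris if normalize(entry) == target]


if __name__ == "__main__":
    for path in ["/api/appointments/book/", "/api/appointments/book",
                 "/api/appointments/book/extra", "/api/appointments/unbooked/"]:
        print(path, "anchored:", is_exempt(path, KEYCLOAK_EXEMPT_URIS),
              "verbatim:", raw_exact_match(path, KEYCLOAK_EXEMPT_URIS))
```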
