dmartinol
diff --git a/‎sdk/python/feast/permissions/auth/oidc_token_parser.py‎
Lines changed: 6 additions & 1 deletion b/‎sdk/python/feast/permissions/auth/oidc_token_parser.py‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎sdk/python/feast/permissions/client/http_auth_requests_wrapper.py‎
Lines changed: 1 addition & 2 deletions b/‎sdk/python/feast/permissions/client/http_auth_requests_wrapper.py‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎sdk/python/feast/permissions/client/oidc_authentication_client_manager.py‎
Lines changed: 1 addition & 1 deletion b/‎sdk/python/feast/permissions/client/oidc_authentication_client_manager.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎sdk/python/requirements/py3.10-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion b/‎sdk/python/requirements/py3.10-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎sdk/python/requirements/py3.11-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion b/‎sdk/python/requirements/py3.11-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎sdk/python/requirements/py3.9-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion b/‎sdk/python/requirements/py3.9-ci-requirements.txt‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎sdk/python/tests/conftest.py‎
Lines changed: 31 additions & 0 deletions b/‎sdk/python/tests/conftest.py‎
Lines changed: 31 additions & 0 deletions
@@ -73,7 +73,11 @@ async def user_details_from_access_token(self, access_token: str) -> User:
                 signing_key.key,
                 algorithms=["RS256"],
                 audience="account",
-                options={"verify_exp": True},
+                options={
+                    "verify_aud": False,
+                    "verify_signature": True,
+                    "verify_exp": True,
+                },
             )
 
             if "preferred_username" not in data:
@@ -99,4 +103,5 @@ async def user_details_from_access_token(self, access_token: str) -> User:
             logger.info(f"Extracted user {current_user} and roles {roles}")
             return User(username=current_user, roles=roles)
         except jwt.exceptions.InvalidTokenError:
+            logger.exception("Exception while parsing the token:")
             raise AuthenticationError("Invalid token.")
@@ -11,8 +11,7 @@
 class AuthenticatedRequestsSession(Session):
     def __init__(self, auth_token: str):
         super().__init__()
-        self.auth_token = auth_token
-        self.headers.update({"Authorization": f"Bearer {self.auth_token}"})
+        self.headers.update({"Authorization": f"Bearer {auth_token}"})
 
 
 def get_http_auth_requests_session(auth_config: AuthConfig) -> Session:
 
@@ -54,5 +54,5 @@ def get_token(self):
             return access_token
         else:
             raise RuntimeError(
-                "Failed to obtain access token: {token_response.status_code} - {token_response.text}"
+                f"""Failed to obtain oidc access token:url=[{token_endpoint}] {token_response.status_code} - {token_response.text}"""
             )
@@ -40,6 +40,8 @@ async-timeout==4.0.3
     # via
     #   aiohttp
     #   redis
+async-property==0.2.2
+    # via python-keycloak
 atpublic==4.1.0
     # via ibis-framework
 attrs==23.2.0
@@ -63,6 +65,8 @@ beautifulsoup4==4.12.3
     # via nbconvert
 bidict==0.23.1
     # via ibis-framework
+bigtree==0.19.2
+    # via feast (setup.py)
 bleach==6.1.0
     # via nbconvert
 boto3==1.34.131
@@ -133,6 +137,7 @@ cryptography==42.0.8
     #   azure-identity
     #   azure-storage-blob
     #   great-expectations
+    #   jwcrypto
     #   moto
     #   msal
     #   pyjwt
@@ -156,6 +161,8 @@ defusedxml==0.7.1
     # via nbconvert
 deltalake==0.18.1
     # via feast (setup.py)
+deprecation==2.1.0
+    # via python-keycloak
 dill==0.3.8
     # via feast (setup.py)
 distlib==0.3.8
@@ -323,6 +330,7 @@ httpx==0.27.0
     #   feast (setup.py)
     #   fastapi
     #   jupyterlab
+    #   python-keycloak
 ibis-framework[duckdb]==9.1.0
     # via
     #   feast (setup.py)
@@ -432,6 +440,8 @@ jupyterlab-server==2.27.2
     #   notebook
 jupyterlab-widgets==3.0.11
     # via ipywidgets
+jwcrypto==1.5.6
+    # via python-keycloak
 kubernetes==20.13.0
     # via feast (setup.py)
 locket==1.0.0
@@ -527,6 +537,7 @@ packaging==24.1
     #   build
     #   dask
     #   db-dtypes
+    #   deprecation
     #   google-cloud-bigquery
     #   great-expectations
     #   gunicorn
@@ -739,6 +750,8 @@ python-dotenv==1.0.1
     # via uvicorn
 python-json-logger==2.0.7
     # via jupyter-events
+python-keycloak==4.2.2
+    # via feast (setup.py)
 python-multipart==0.0.9
     # via fastapi
 pytz==2024.1
@@ -788,14 +801,18 @@ requests==2.32.3
     #   kubernetes
     #   moto
     #   msal
+    #   python-keycloak
     #   requests-oauthlib
+    #   requests-toolbelt
     #   responses
     #   singlestoredb
     #   snowflake-connector-python
     #   sphinx
     #   trino
 requests-oauthlib==2.0.0
     # via kubernetes
+requests-toolbelt==1.0.0
+    # via python-keycloak
 responses==0.25.3
     # via moto
 rfc3339-validator==0.1.4
@@ -1000,6 +1017,7 @@ typing-extensions==4.12.2
     #   great-expectations
     #   ibis-framework
     #   ipython
+    #   jwcrypto
     #   mypy
     #   psycopg
     #   psycopg-pool
@@ -1080,4 +1098,3 @@ yarl==1.9.4
     # via aiohttp
 zipp==3.19.1
     # via importlib-metadata
-bigtree==0.19.2
 
@@ -36,6 +36,8 @@ asttokens==2.4.1
     # via stack-data
 async-lru==2.0.4
     # via jupyterlab
+async-property==0.2.2
+    # via python-keycloak
 atpublic==4.1.0
     # via ibis-framework
 attrs==23.2.0
@@ -59,6 +61,8 @@ beautifulsoup4==4.12.3
     # via nbconvert
 bidict==0.23.1
     # via ibis-framework
+bigtree==0.19.2
+    # via feast (setup.py)
 bleach==6.1.0
     # via nbconvert
 boto3==1.34.131
@@ -129,6 +133,7 @@ cryptography==42.0.8
     #   azure-identity
     #   azure-storage-blob
     #   great-expectations
+    #   jwcrypto
     #   moto
     #   msal
     #   pyjwt
@@ -152,6 +157,8 @@ defusedxml==0.7.1
     # via nbconvert
 deltalake==0.18.1
     # via feast (setup.py)
+deprecation==2.1.0
+    # via python-keycloak
 dill==0.3.8
     # via feast (setup.py)
 distlib==0.3.8
@@ -314,6 +321,7 @@ httpx==0.27.0
     #   feast (setup.py)
     #   fastapi
     #   jupyterlab
+    #   python-keycloak
 ibis-framework[duckdb]==9.1.0
     # via
     #   feast (setup.py)
@@ -423,6 +431,8 @@ jupyterlab-server==2.27.2
     #   notebook
 jupyterlab-widgets==3.0.11
     # via ipywidgets
+jwcrypto==1.5.6
+    # via python-keycloak
 kubernetes==20.13.0
     # via feast (setup.py)
 locket==1.0.0
@@ -518,6 +528,7 @@ packaging==24.1
     #   build
     #   dask
     #   db-dtypes
+    #   deprecation
     #   google-cloud-bigquery
     #   great-expectations
     #   gunicorn
@@ -730,6 +741,8 @@ python-dotenv==1.0.1
     # via uvicorn
 python-json-logger==2.0.7
     # via jupyter-events
+python-keycloak==4.2.2
+    # via feast (setup.py)
 python-multipart==0.0.9
     # via fastapi
 pytz==2024.1
@@ -779,14 +792,18 @@ requests==2.32.3
     #   kubernetes
     #   moto
     #   msal
+    #   python-keycloak
     #   requests-oauthlib
+    #   requests-toolbelt
     #   responses
     #   singlestoredb
     #   snowflake-connector-python
     #   sphinx
     #   trino
 requests-oauthlib==2.0.0
     # via kubernetes
+requests-toolbelt==1.0.0
+    # via python-keycloak
 responses==0.25.3
     # via moto
 rfc3339-validator==0.1.4
@@ -979,6 +996,7 @@ typing-extensions==4.12.2
     #   great-expectations
     #   ibis-framework
     #   ipython
+    #   jwcrypto
     #   mypy
     #   psycopg
     #   psycopg-pool
@@ -1058,4 +1076,3 @@ yarl==1.9.4
     # via aiohttp
 zipp==3.19.1
     # via importlib-metadata
-bigtree==0.19.2
 
@@ -40,6 +40,8 @@ async-timeout==4.0.3
     # via
     #   aiohttp
     #   redis
+async-property==0.2.2
+    # via python-keycloak
 atpublic==4.1.0
     # via ibis-framework
 attrs==23.2.0
@@ -63,6 +65,8 @@ beautifulsoup4==4.12.3
     # via nbconvert
 bidict==0.23.1
     # via ibis-framework
+bigtree==0.19.2
+    # via feast (setup.py)
 bleach==6.1.0
     # via nbconvert
 boto3==1.34.131
@@ -133,6 +137,7 @@ cryptography==42.0.8
     #   azure-identity
     #   azure-storage-blob
     #   great-expectations
+    #   jwcrypto
     #   moto
     #   msal
     #   pyjwt
@@ -156,6 +161,8 @@ defusedxml==0.7.1
     # via nbconvert
 deltalake==0.18.1
     # via feast (setup.py)
+deprecation==2.1.0
+    # via python-keycloak
 dill==0.3.8
     # via feast (setup.py)
 distlib==0.3.8
@@ -323,6 +330,7 @@ httpx==0.27.0
     #   feast (setup.py)
     #   fastapi
     #   jupyterlab
+    #   python-keycloak
 ibis-framework[duckdb]==9.0.0
     # via
     #   feast (setup.py)
@@ -441,6 +449,8 @@ jupyterlab-server==2.27.2
     #   notebook
 jupyterlab-widgets==3.0.11
     # via ipywidgets
+jwcrypto==1.5.6
+    # via python-keycloak
 kubernetes==20.13.0
     # via feast (setup.py)
 locket==1.0.0
@@ -536,6 +546,7 @@ packaging==24.1
     #   build
     #   dask
     #   db-dtypes
+    #   deprecation
     #   google-cloud-bigquery
     #   great-expectations
     #   gunicorn
@@ -748,6 +759,8 @@ python-dotenv==1.0.1
     # via uvicorn
 python-json-logger==2.0.7
     # via jupyter-events
+python-keycloak==4.2.2
+    # via feast (setup.py)
 python-multipart==0.0.9
     # via fastapi
 pytz==2024.1
@@ -797,14 +810,18 @@ requests==2.32.3
     #   kubernetes
     #   moto
     #   msal
+    #   python-keycloak
     #   requests-oauthlib
+    #   requests-toolbelt
     #   responses
     #   singlestoredb
     #   snowflake-connector-python
     #   sphinx
     #   trino
 requests-oauthlib==2.0.0
     # via kubernetes
+requests-toolbelt==1.0.0
+    # via python-keycloak
 responses==0.25.3
     # via moto
 rfc3339-validator==0.1.4
@@ -1012,6 +1029,7 @@ typing-extensions==4.12.2
     #   great-expectations
     #   ibis-framework
     #   ipython
+    #   jwcrypto
     #   mypy
     #   psycopg
     #   psycopg-pool
@@ -1094,4 +1112,3 @@ yarl==1.9.4
     # via aiohttp
 zipp==3.19.1
     # via importlib-metadata
-bigtree==0.19.2
 
@@ -15,6 +15,7 @@
 import multiprocessing
 import os
 import random
+import tempfile
 from datetime import timedelta
 from multiprocessing import Process
 from sys import platform
@@ -24,6 +25,7 @@
 import pandas as pd
 import pytest
 from _pytest.nodes import Item
+from testcontainers.keycloak import KeycloakContainer
 
 from feast.data_source import DataSource
 from feast.feature_store import FeatureStore  # noqa: E402
@@ -54,6 +56,10 @@
     driver,
     location,
 )
+from tests.utils.auth_permissions_util import (
+    default_store,
+    setup_permissions_on_keycloak,
+)
 from tests.utils.http_server import check_port_open, free_port  # noqa: E402
 
 logger = logging.getLogger(__name__)
@@ -406,3 +412,28 @@ def fake_document_data(environment: Environment) -> Tuple[pd.DataFrame, DataSour
         environment.feature_store.project,
     )
     return df, data_source
+
+
+@pytest.fixture
+def temp_dir():
+    with tempfile.TemporaryDirectory() as temp_dir:
+        print(f"Created {temp_dir}")
+        yield temp_dir
+
+
+@pytest.fixture
+def start_keycloak_server():
+    with KeycloakContainer("quay.io/keycloak/keycloak:24.0.1") as keycloak_container:
+        setup_permissions_on_keycloak(keycloak_container.get_client())
+        yield keycloak_container.get_url()
+
+
+@pytest.fixture
+def server_port():
+    return free_port()
+
+
+@pytest.fixture
+def feature_store(temp_dir, auth_config, applied_permissions):
+    print(f"Creating store at {temp_dir}")
+    return default_store(str(temp_dir), auth_config, applied_permissions)
Original file line number	Diff line number	Diff line change
`@@ -54,5 +54,5 @@ def get_token(self):`
`54`	`54`	`return access_token`
`55`	`55`	`else:`
`56`	`56`	`raise RuntimeError(`
`57`		`- "Failed to obtain access token: {token_response.status_code} - {token_response.text}"`
	`57`	`+ f"""Failed to obtain oidc access token:url=[{token_endpoint}] {token_response.status_code} - {token_response.text}"""`
`58`	`58`	`)`