Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
816 Commits
16 Branches
109 Tags
19 MiB
Tree: 78b3e9e006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '78b3e9e006'
${ noResults }
python-keycloak/src/keycloak/keycloak_uma.py

417 lines
15 KiB
Raw Normal View History

feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
fix: Refactor auto refresh (#415) * refactor: Factor our OpenIdConnectionManager class and deprecate old methods * refactor: Refactor keycloak uma client to use openid connection manager * fix: Perform token renewal at 90% of lifetime * refactor: Add optional openid connection constructor param to keycloak admin * refactor: Remove auto_refresh_token in favour of automatic refresh on expiry * refactor: move KeycloakOpenIDConnectionManager to a separate file * docs: uma additions and fixes * refactor: rename token_renewal_fraction->token_lifetime_fraction * refactor: shorten KeycloakOpenIDConnectionManager->KeycloakOpenIDConnection * docs: incorporate review comments
2 years ago
feat: add Keycloak UMA client (#403)
2 years ago
feat: Add UMA policy management and permission tickets (#426)
2 years ago
  1. # -*- coding: utf-8 -*-
  2. #
  3. # The MIT License (MIT)
  4. #
  5. # Copyright (C) 2017 Marcos Pereira <marcospereira.mpj@gmail.com>
  6. #
  7. # Permission is hereby granted, free of charge, to any person obtaining a copy of
  8. # this software and associated documentation files (the "Software"), to deal in
  9. # the Software without restriction, including without limitation the rights to
  10. # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
  11. # the Software, and to permit persons to whom the Software is furnished to do so,
  12. # subject to the following conditions:
  13. #
  14. # The above copyright notice and this permission notice shall be included in all
  15. # copies or substantial portions of the Software.
  16. #
  17. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
  19. # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
  20. # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
  21. # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  22. # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  24. """Keycloak UMA module.
  26. The module contains a UMA compatible client for keycloak:
  27. https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html
  28. """
  29. import json
  30. from typing import Iterable
  31. from urllib.parse import quote_plus
  33. from .connection import ConnectionManager
  34. from .exceptions import (
  35. KeycloakDeleteError,
  36. KeycloakGetError,
  37. KeycloakPostError,
  38. KeycloakPutError,
  39. raise_error_from_response,
  40. )
  41. from .openid_connection import KeycloakOpenIDConnection
  42. from .uma_permissions import UMAPermission
  43. from .urls_patterns import URL_UMA_WELL_KNOWN
  46. class KeycloakUMA:
  47. """Keycloak UMA client.
  49. :param connection: OpenID connection manager
  50. """
  52. def __init__(self, connection: KeycloakOpenIDConnection):
  53. """Init method.
  55. :param connection: OpenID connection manager
  56. :type connection: KeycloakOpenIDConnection
  57. """
  58. self.connection = connection
  59. custom_headers = self.connection.custom_headers or {}
  60. custom_headers.update({"Content-Type": "application/json"})
  61. self.connection.custom_headers = custom_headers
  62. self._well_known = None
  64. def _fetch_well_known(self):
  65. params_path = {"realm-name": self.connection.realm_name}
  66. data_raw = self.connection.raw_get(URL_UMA_WELL_KNOWN.format(**params_path))
  67. return raise_error_from_response(data_raw, KeycloakGetError)
  69. @staticmethod
  70. def format_url(url, **kwargs):
  71. """Substitute url path parameters.
  73. Given a parameterized url string, returns the string after url encoding and substituting
  74. the given params. For example,
  75. `format_url("https://myserver/{my_resource}/{id}", my_resource="hello world", id="myid")`
  76. would produce `https://myserver/hello+world/myid`.
  78. :param url: url string to format
  79. :type url: str
  80. :param kwargs: dict containing kwargs to substitute
  81. :type kwargs: dict
  82. :return: formatted string
  83. :rtype: str
  84. """
  85. return url.format(**{k: quote_plus(v) for k, v in kwargs.items()})
  87. @property
  88. def uma_well_known(self):
  89. """Get the well_known UMA2 config.
  91. :returns: It lists endpoints and other configuration options relevant
  92. :rtype: dict
  93. """
  94. # per instance cache
  95. if not self._well_known:
  96. self._well_known = self._fetch_well_known()
  97. return self._well_known
  99. def resource_set_create(self, payload):
  100. """Create a resource set.
  102. Spec
  103. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1
  105. ResourceRepresentation
  106. https://www.keycloak.org/docs-api/20.0.0/rest-api/index.html#_resourcerepresentation
  108. :param payload: ResourceRepresentation
  109. :type payload: dict
  110. :return: ResourceRepresentation with the _id property assigned
  111. :rtype: dict
  112. """
  113. data_raw = self.connection.raw_post(
  114. self.uma_well_known["resource_registration_endpoint"], data=json.dumps(payload)
  115. )
  116. return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[201])
  118. def resource_set_update(self, resource_id, payload):
  119. """Update a resource set.
  121. Spec
  122. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set
  124. ResourceRepresentation
  125. https://www.keycloak.org/docs-api/20.0.0/rest-api/index.html#_resourcerepresentation
  127. :param resource_id: id of the resource
  128. :type resource_id: str
  129. :param payload: ResourceRepresentation
  130. :type payload: dict
  131. :return: Response dict (empty)
  132. :rtype: dict
  133. """
  134. url = self.format_url(
  135. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  136. )
  137. data_raw = self.connection.raw_put(url, data=json.dumps(payload))
  138. return raise_error_from_response(data_raw, KeycloakPutError, expected_codes=[204])
  140. def resource_set_read(self, resource_id):
  141. """Read a resource set.
  143. Spec
  144. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set
  146. ResourceRepresentation
  147. https://www.keycloak.org/docs-api/20.0.0/rest-api/index.html#_resourcerepresentation
  149. :param resource_id: id of the resource
  150. :type resource_id: str
  151. :return: ResourceRepresentation
  152. :rtype: dict
  153. """
  154. url = self.format_url(
  155. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  156. )
  157. data_raw = self.connection.raw_get(url)
  158. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  160. def resource_set_delete(self, resource_id):
  161. """Delete a resource set.
  163. Spec
  164. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set
  166. :param resource_id: id of the resource
  167. :type resource_id: str
  168. :return: Response dict (empty)
  169. :rtype: dict
  170. """
  171. url = self.format_url(
  172. self.uma_well_known["resource_registration_endpoint"] + "/{id}", id=resource_id
  173. )
  174. data_raw = self.connection.raw_delete(url)
  175. return raise_error_from_response(data_raw, KeycloakDeleteError, expected_codes=[204])
  177. def resource_set_list_ids(
  178. self,
  179. name: str = "",
  180. exact_name: bool = False,
  181. uri: str = "",
  182. owner: str = "",
  183. resource_type: str = "",
  184. scope: str = "",
  185. first: int = 0,
  186. maximum: int = -1,
  187. ):
  188. """Query for list of resource set ids.
  190. Spec
  191. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  193. :param name: query resource name
  194. :type name: str
  195. :param exact_name: query exact match for resource name
  196. :type exact_name: bool
  197. :param uri: query resource uri
  198. :type uri: str
  199. :param owner: query resource owner
  200. :type owner: str
  201. :param resource_type: query resource type
  202. :type resource_type: str
  203. :param scope: query resource scope
  204. :type scope: str
  205. :param first: index of first matching resource to return
  206. :type first: int
  207. :param maximum: maximum number of resources to return (-1 for all)
  208. :type maximum: int
  209. :return: List of ids
  210. :rtype: List[str]
  211. """
  212. query = dict()
  213. if name:
  214. query["name"] = name
  215. if exact_name:
  216. query["exactName"] = "true"
  217. if uri:
  218. query["uri"] = uri
  219. if owner:
  220. query["owner"] = owner
  221. if resource_type:
  222. query["type"] = resource_type
  223. if scope:
  224. query["scope"] = scope
  225. if first > 0:
  226. query["first"] = first
  227. if maximum >= 0:
  228. query["max"] = maximum
  230. data_raw = self.connection.raw_get(
  231. self.uma_well_known["resource_registration_endpoint"], **query
  232. )
  233. return raise_error_from_response(data_raw, KeycloakGetError, expected_codes=[200])
  235. def resource_set_list(self):
  236. """List all resource sets.
  238. Spec
  239. https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
  241. ResourceRepresentation
  242. https://www.keycloak.org/docs-api/20.0.0/rest-api/index.html#_resourcerepresentation
  244. :yields: Iterator over a list of ResourceRepresentations
  245. :rtype: Iterator[dict]
  246. """
  247. for resource_id in self.resource_set_list_ids():
  248. resource = self.resource_set_read(resource_id)
  249. yield resource
  251. def permission_ticket_create(self, permissions: Iterable[UMAPermission]):
  252. """Create a permission ticket.
  254. :param permissions: Iterable of uma permissions to validate the token against
  255. :type permissions: Iterable[UMAPermission]
  256. :returns: Keycloak decision
  257. :rtype: boolean
  258. :raises KeycloakPostError: In case permission resource not found
  259. """
  260. resources = dict()
  261. for permission in permissions:
  262. resource_id = getattr(permission, "resource_id", None)
  264. if resource_id is None:
  265. resource_ids = self.resource_set_list_ids(
  266. exact_name=True, name=permission.resource, first=0, maximum=1
  267. )
  269. if not resource_ids:
  270. raise KeycloakPostError("Invalid resource specified")
  272. setattr(permission, "resource_id", resource_ids[0])
  274. resources.setdefault(resource_id, set())
  275. if permission.scope:
  276. resources[resource_id].add(permission.scope)
  278. payload = [
  279. {"resource_id": resource_id, "resource_scopes": list(scopes)}
  280. for resource_id, scopes in resources.items()
  281. ]
  283. data_raw = self.connection.raw_post(
  284. self.uma_well_known["permission_endpoint"], data=json.dumps(payload)
  285. )
  286. return raise_error_from_response(data_raw, KeycloakPostError)
  288. def permissions_check(self, token, permissions: Iterable[UMAPermission]):
  289. """Check UMA permissions by user token with requested permissions.
  291. The token endpoint is used to check UMA permissions from Keycloak. It can only be
  292. invoked by confidential clients.
  294. https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api
  296. :param token: user token
  297. :type token: str
  298. :param permissions: Iterable of uma permissions to validate the token against
  299. :type permissions: Iterable[UMAPermission]
  300. :returns: Keycloak decision
  301. :rtype: boolean
  302. """
  303. payload = {
  304. "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  305. "permission": ",".join(str(permission) for permission in permissions),
  306. "response_mode": "decision",
  307. "audience": self.connection.client_id,
  308. }
  310. # Everyone always has the null set of permissions
  311. # However keycloak cannot evaluate the null set
  312. if len(payload["permission"]) == 0:
  313. return True
  315. connection = ConnectionManager(self.connection.base_url)
  316. connection.add_param_headers("Authorization", "Bearer " + token)
  317. connection.add_param_headers("Content-Type", "application/x-www-form-urlencoded")
  318. data_raw = connection.raw_post(self.uma_well_known["token_endpoint"], data=payload)
  319. try:
  320. data = raise_error_from_response(data_raw, KeycloakPostError)
  321. except KeycloakPostError:
  322. return False
  323. return data.get("result", False)
  325. def policy_resource_create(self, resource_id, payload):
  326. """Create permission policy for resource.
  328. Supports name, description, scopes, roles, groups, clients
  330. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  332. :param resource_id: _id of resource
  333. :type resource_id: str
  334. :param payload: permission configuration
  335. :type payload: dict
  336. :return: PermissionRepresentation
  337. :rtype: dict
  338. """
  339. data_raw = self.connection.raw_post(
  340. self.uma_well_known["policy_endpoint"] + f"/{resource_id}", data=json.dumps(payload)
  341. )
  342. return raise_error_from_response(data_raw, KeycloakPostError)
  344. def policy_update(self, policy_id, payload):
  345. """Update permission policy.
  347. https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource
  348. https://www.keycloak.org/docs-api/21.0.1/rest-api/index.html#_policyrepresentation
  350. :param policy_id: id of policy permission
  351. :type policy_id: str
  352. :param payload: policy permission configuration
  353. :type payload: dict
  354. :return: PermissionRepresentation
  355. :rtype: dict
  356. """
  357. data_raw = self.connection.raw_put(
  358. self.uma_well_known["policy_endpoint"] + f"/{policy_id}", data=json.dumps(payload)
  359. )
  360. return raise_error_from_response(data_raw, KeycloakPutError)
  362. def policy_delete(self, policy_id):
  363. """Delete permission policy.
  365. https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission
  366. https://www.keycloak.org/docs-api/21.0.1/rest-api/index.html#_policyrepresentation
  368. :param policy_id: id of permission policy
  369. :type policy_id: str
  370. :return: PermissionRepresentation
  371. :rtype: dict
  372. """
  373. data_raw = self.connection.raw_delete(
  374. self.uma_well_known["policy_endpoint"] + f"/{policy_id}"
  375. )
  376. return raise_error_from_response(data_raw, KeycloakDeleteError)
  378. def policy_query(
  379. self,
  380. resource: str = "",
  381. name: str = "",
  382. scope: str = "",
  383. first: int = 0,
  384. maximum: int = -1,
  385. ):
  386. """Query permission policies.
  388. https://www.keycloak.org/docs/latest/authorization_services/#querying-permission
  390. :param resource: query resource id
  391. :type resource: str
  392. :param name: query resource name
  393. :type name: str
  394. :param scope: query resource scope
  395. :type scope: str
  396. :param first: index of first matching resource to return
  397. :type first: int
  398. :param maximum: maximum number of resources to return (-1 for all)
  399. :type maximum: int
  400. :return: List of ids
  401. :return: List of ids
  402. :rtype: List[str]
  403. """
  404. query = dict()
  405. if name:
  406. query["name"] = name
  407. if resource:
  408. query["resource"] = resource
  409. if scope:
  410. query["scope"] = scope
  411. if first > 0:
  412. query["first"] = first
  413. if maximum >= 0:
  414. query["max"] = maximum
  416. data_raw = self.connection.raw_get(self.uma_well_known["policy_endpoint"], **query)
  417. return raise_error_from_response(data_raw, KeycloakGetError)