Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
748 Commits
14 Branches
95 Tags
15 MiB
Tree: 8f4b49a4d1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8f4b49a4d1'
${ noResults }
python-keycloak/src/keycloak/keycloak_openid.py

703 lines
24 KiB
Raw Normal View History

Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
pep8 formatting
6 years ago
Methods: list users, get user, create user.
7 years ago
pep8 formatting
6 years ago
feat: initial setup of CICD and linting
2 years ago
feat: added UMA-permission request functionality
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: added fixes based on feedback
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: added UMA-permission request functionality
2 years ago
Methods: list users, get user, create user.
7 years ago
Stick with existing code conventions
6 years ago
feat: initial setup of CICD and linting
2 years ago
feat: add initial access token support and policy delete method * feat: Add policy delete method * feat: Added initial access token support
1 year ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
docs: fix docstrings
2 years ago
docs: add timeout to docstring
2 years ago
docs: fix docstrings
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Ability to set custom timeout for KCOpenId and KCAdmin
2 years ago
feat: initial setup of CICD and linting
2 years ago
docs: finished off docstrings in the source
2 years ago
docs: fix docstrings
2 years ago
feat: Ability to set custom timeout for KCOpenId and KCAdmin
2 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: correct spelling of public API method BREAKING CHANGE: Renames `KeycloakOpenID.well_know` to `KeycloakOpenID.well_known`
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: Support the auth_url method called with scope & state params now
2 years ago
refactor: merge master branch into local
2 years ago
docs: update auth_url method's docstring and readme file
2 years ago
docs: finished off docstrings in the source
2 years ago
docs: update auth_url method's docstring and readme file
2 years ago
docs: finished off docstrings in the source
2 years ago
docs: update auth_url method's docstring and readme file
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: correct spelling of public API method BREAKING CHANGE: Renames `KeycloakOpenID.well_know` to `KeycloakOpenID.well_known`
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: Support the auth_url method called with scope & state params now
2 years ago
feat: initial setup of CICD and linting
2 years ago
Stick with existing code conventions
6 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: default scope to openid
1 year ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
fix: default scope to openid
1 year ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: default scope to openid
1 year ago
feat: initial setup of CICD and linting
2 years ago
openid - minor typo fix, change nothing yet
3 years ago
Add the option to specify extra key/values to the token endpoint
5 years ago
Methods: list users, get user, create user.
7 years ago
support totp
6 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Refactoring code: groups and client.
6 years ago
style: fixed docstrings everywhere
2 years ago
Refactoring code: groups and client.
6 years ago
docs: finished off docstrings in the source
2 years ago
Refactoring code: groups and client.
6 years ago
feat: initial setup of CICD and linting
2 years ago
Refactoring code: groups and client.
6 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: Add token_type/scope to token exchange api
2 years ago
fix: default scope to openid
1 year ago
feat: Add token_type/scope to token exchange api
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
docs: finished off docstrings in the source
2 years ago
chore: merge master into branch
2 years ago
fix: default scope to openid
1 year ago
chore: merge master into branch
2 years ago
docs: finished off docstrings in the source
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
feat: Add token_type/scope to token exchange api
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
feat: Add token_type/scope to token exchange api
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
fix: raise correct exceptions
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
Fixed mixed up urls
4 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Added public key method
4 years ago
style: fixed docstrings everywhere
2 years ago
Added public key method
4 years ago
docs: finished off docstrings in the source
2 years ago
Added public key method
4 years ago
Fixed mixed up urls
4 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
add deprecation exception on entitlement call
4 years ago
Methods: list users, get user, create user.
7 years ago
test: added more openid tests
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: finished off docstrings in the source
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
style: fixed docstrings everywhere
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
docs: finished off docstrings in the source
2 years ago
fix: added fixes based on feedback
2 years ago
docs: finished off docstrings in the source
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: added UMA-permission request functionality
2 years ago
docs: finished off docstrings in the source
2 years ago
fix: added fixes based on feedback
2 years ago
docs: finished off docstrings in the source
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
test: finished off openid tests
2 years ago
feat: added UMA-permission request functionality
2 years ago
test: finished off openid tests
2 years ago
feat: added UMA-permission request functionality
2 years ago
feat: add initial access token support and policy delete method * feat: Add policy delete method * feat: Added initial access token support
1 year ago
  1. # -*- coding: utf-8 -*-
  2. #
  3. # The MIT License (MIT)
  4. #
  5. # Copyright (C) 2017 Marcos Pereira <marcospereira.mpj@gmail.com>
  6. #
  7. # Permission is hereby granted, free of charge, to any person obtaining a copy of
  8. # this software and associated documentation files (the "Software"), to deal in
  9. # the Software without restriction, including without limitation the rights to
  10. # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
  11. # the Software, and to permit persons to whom the Software is furnished to do so,
  12. # subject to the following conditions:
  13. #
  14. # The above copyright notice and this permission notice shall be included in all
  15. # copies or substantial portions of the Software.
  16. #
  17. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
  19. # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
  20. # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
  21. # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  22. # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  24. """Keycloak OpenID module.
  26. The module contains mainly the implementation of KeycloakOpenID class, the main
  27. class to handle authentication and token manipulation.
  28. """
  30. import json
  32. from jose import jwt
  34. from .authorization import Authorization
  35. from .connection import ConnectionManager
  36. from .exceptions import (
  37. KeycloakAuthenticationError,
  38. KeycloakAuthorizationConfigError,
  39. KeycloakDeprecationError,
  40. KeycloakGetError,
  41. KeycloakInvalidTokenError,
  42. KeycloakPostError,
  43. KeycloakRPTNotFound,
  44. raise_error_from_response,
  45. )
  46. from .uma_permissions import AuthStatus, build_permission_param
  47. from .urls_patterns import (
  48. URL_AUTH,
  49. URL_CERTS,
  50. URL_CLIENT_REGISTRATION,
  51. URL_ENTITLEMENT,
  52. URL_INTROSPECT,
  53. URL_LOGOUT,
  54. URL_REALM,
  55. URL_TOKEN,
  56. URL_USERINFO,
  57. URL_WELL_KNOWN,
  58. )
  61. class KeycloakOpenID:
  62. """Keycloak OpenID client.
  64. :param server_url: Keycloak server url
  65. :param client_id: client id
  66. :param realm_name: realm name
  67. :param client_secret_key: client secret key
  68. :param verify: True if want check connection SSL
  69. :param custom_headers: dict of custom header to pass to each HTML request
  70. :param proxies: dict of proxies to sent the request by.
  71. :param timeout: connection timeout in seconds
  72. """
  74. def __init__(
  75. self,
  76. server_url,
  77. realm_name,
  78. client_id,
  79. client_secret_key=None,
  80. verify=True,
  81. custom_headers=None,
  82. proxies=None,
  83. timeout=60,
  84. ):
  85. """Init method.
  87. :param server_url: Keycloak server url
  88. :type server_url: str
  89. :param client_id: client id
  90. :type client_id: str
  91. :param realm_name: realm name
  92. :type realm_name: str
  93. :param client_secret_key: client secret key
  94. :type client_secret_key: str
  95. :param verify: True if want check connection SSL
  96. :type verify: bool
  97. :param custom_headers: dict of custom header to pass to each HTML request
  98. :type custom_headers: dict
  99. :param proxies: dict of proxies to sent the request by.
  100. :type proxies: dict
  101. :param timeout: connection timeout in seconds
  102. :type timeout: int
  103. """
  104. self.client_id = client_id
  105. self.client_secret_key = client_secret_key
  106. self.realm_name = realm_name
  107. headers = custom_headers if custom_headers is not None else dict()
  108. self.connection = ConnectionManager(
  109. base_url=server_url, headers=headers, timeout=timeout, verify=verify, proxies=proxies
  110. )
  112. self.authorization = Authorization()
  114. @property
  115. def client_id(self):
  116. """Get client id.
  118. :returns: Client id
  119. :rtype: str
  120. """
  121. return self._client_id
  123. @client_id.setter
  124. def client_id(self, value):
  125. self._client_id = value
  127. @property
  128. def client_secret_key(self):
  129. """Get the client secret key.
  131. :returns: Client secret key
  132. :rtype: str
  133. """
  134. return self._client_secret_key
  136. @client_secret_key.setter
  137. def client_secret_key(self, value):
  138. self._client_secret_key = value
  140. @property
  141. def realm_name(self):
  142. """Get the realm name.
  144. :returns: Realm name
  145. :rtype: str
  146. """
  147. return self._realm_name
  149. @realm_name.setter
  150. def realm_name(self, value):
  151. self._realm_name = value
  153. @property
  154. def connection(self):
  155. """Get connection.
  157. :returns: Connection manager object
  158. :rtype: ConnectionManager
  159. """
  160. return self._connection
  162. @connection.setter
  163. def connection(self, value):
  164. self._connection = value
  166. @property
  167. def authorization(self):
  168. """Get authorization.
  170. :returns: The authorization manager
  171. :rtype: Authorization
  172. """
  173. return self._authorization
  175. @authorization.setter
  176. def authorization(self, value):
  177. self._authorization = value
  179. def _add_secret_key(self, payload):
  180. """Add secret key if exists.
  182. :param payload: Payload
  183. :type payload: dict
  184. :returns: Payload with the secret key
  185. :rtype: dict
  186. """
  187. if self.client_secret_key:
  188. payload.update({"client_secret": self.client_secret_key})
  190. return payload
  192. def _build_name_role(self, role):
  193. """Build name of a role.
  195. :param role: Role name
  196. :type role: str
  197. :returns: Role path
  198. :rtype: str
  199. """
  200. return self.client_id + "/" + role
  202. def _token_info(self, token, method_token_info, **kwargs):
  203. """Getter for the token data.
  205. :param token: Token
  206. :type token: str
  207. :param method_token_info: Token info method to use
  208. :type method_token_info: str
  209. :param kwargs: Additional keyword arguments
  210. :type kwargs: dict
  211. :returns: Token info
  212. :rtype: dict
  213. """
  214. if method_token_info == "introspect":
  215. token_info = self.introspect(token)
  216. else:
  217. token_info = self.decode_token(token, **kwargs)
  219. return token_info
  221. def well_known(self):
  222. """Get the well_known object.
  224. The most important endpoint to understand is the well-known configuration
  225. endpoint. It lists endpoints and other configuration options relevant to
  226. the OpenID Connect implementation in Keycloak.
  228. :returns: It lists endpoints and other configuration options relevant
  229. :rtype: dict
  230. """
  231. params_path = {"realm-name": self.realm_name}
  232. data_raw = self.connection.raw_get(URL_WELL_KNOWN.format(**params_path))
  233. return raise_error_from_response(data_raw, KeycloakGetError)
  235. def auth_url(self, redirect_uri, scope="email", state=""):
  236. """Get authorization URL endpoint.
  238. :param redirect_uri: Redirect url to receive oauth code
  239. :type redirect_uri: str
  240. :param scope: Scope of authorization request, split with the blank space
  241. :type scope: str
  242. :param state: State will be returned to the redirect_uri
  243. :type state: str
  244. :returns: Authorization URL Full Build
  245. :rtype: str
  246. """
  247. params_path = {
  248. "authorization-endpoint": self.well_known()["authorization_endpoint"],
  249. "client-id": self.client_id,
  250. "redirect-uri": redirect_uri,
  251. "scope": scope,
  252. "state": state,
  253. }
  254. return URL_AUTH.format(**params_path)
  256. def token(
  257. self,
  258. username="",
  259. password="",
  260. grant_type=["password"],
  261. code="",
  262. redirect_uri="",
  263. totp=None,
  264. scope="openid",
  265. **extra
  266. ):
  267. """Retrieve user token.
  269. The token endpoint is used to obtain tokens. Tokens can either be obtained by
  270. exchanging an authorization code or by supplying credentials directly depending on
  271. what flow is used. The token endpoint is also used to obtain new access tokens
  272. when they expire.
  274. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  276. :param username: Username
  277. :type username: str
  278. :param password: Password
  279. :type password: str
  280. :param grant_type: Grant type
  281. :type grant_type: str
  282. :param code: Code
  283. :type code: str
  284. :param redirect_uri: Redirect URI
  285. :type redirect_uri: str
  286. :param totp: Time-based one-time password
  287. :type totp: int
  288. :param scope: Scope, defaults to openid
  289. :type scope: str
  290. :param extra: Additional extra arguments
  291. :type extra: dict
  292. :returns: Keycloak token
  293. :rtype: dict
  294. """
  295. params_path = {"realm-name": self.realm_name}
  296. payload = {
  297. "username": username,
  298. "password": password,
  299. "client_id": self.client_id,
  300. "grant_type": grant_type,
  301. "code": code,
  302. "redirect_uri": redirect_uri,
  303. "scope": scope,
  304. }
  305. if extra:
  306. payload.update(extra)
  308. if totp:
  309. payload["totp"] = totp
  311. payload = self._add_secret_key(payload)
  312. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  313. return raise_error_from_response(data_raw, KeycloakPostError)
  315. def refresh_token(self, refresh_token, grant_type=["refresh_token"]):
  316. """Refresh the user token.
  318. The token endpoint is used to obtain tokens. Tokens can either be obtained by
  319. exchanging an authorization code or by supplying credentials directly depending on
  320. what flow is used. The token endpoint is also used to obtain new access tokens
  321. when they expire.
  323. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  325. :param refresh_token: Refresh token from Keycloak
  326. :type refresh_token: str
  327. :param grant_type: Grant type
  328. :type grant_type: str
  329. :returns: New token
  330. :rtype: dict
  331. """
  332. params_path = {"realm-name": self.realm_name}
  333. payload = {
  334. "client_id": self.client_id,
  335. "grant_type": grant_type,
  336. "refresh_token": refresh_token,
  337. }
  338. payload = self._add_secret_key(payload)
  339. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  340. return raise_error_from_response(data_raw, KeycloakPostError)
  342. def exchange_token(
  343. self,
  344. token: str,
  345. client_id: str,
  346. audience: str,
  347. subject: str,
  348. requested_token_type: str = "urn:ietf:params:oauth:token-type:refresh_token",
  349. scope: str = "openid",
  350. ) -> dict:
  351. """Exchange user token.
  353. Use a token to obtain an entirely different token. See
  354. https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
  356. :param token: Access token
  357. :type token: str
  358. :param client_id: Client id
  359. :type client_id: str
  360. :param audience: Audience
  361. :type audience: str
  362. :param subject: Subject
  363. :type subject: str
  364. :param requested_token_type: Token type specification
  365. :type requested_token_type: str
  366. :param scope: Scope, defaults to openid
  367. :type scope: str
  368. :returns: Exchanged token
  369. :rtype: dict
  370. """
  371. params_path = {"realm-name": self.realm_name}
  372. payload = {
  373. "grant_type": ["urn:ietf:params:oauth:grant-type:token-exchange"],
  374. "client_id": client_id,
  375. "subject_token": token,
  376. "requested_token_type": requested_token_type,
  377. "audience": audience,
  378. "requested_subject": subject,
  379. "scope": scope,
  380. }
  381. payload = self._add_secret_key(payload)
  382. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  383. return raise_error_from_response(data_raw, KeycloakPostError)
  385. def userinfo(self, token):
  386. """Get the user info object.
  388. The userinfo endpoint returns standard claims about the authenticated user,
  389. and is protected by a bearer token.
  391. http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
  393. :param token: Access token
  394. :type token: str
  395. :returns: Userinfo object
  396. :rtype: dict
  397. """
  398. self.connection.add_param_headers("Authorization", "Bearer " + token)
  399. params_path = {"realm-name": self.realm_name}
  400. data_raw = self.connection.raw_get(URL_USERINFO.format(**params_path))
  401. return raise_error_from_response(data_raw, KeycloakGetError)
  403. def logout(self, refresh_token):
  404. """Log out the authenticated user.
  406. :param refresh_token: Refresh token from Keycloak
  407. :type refresh_token: str
  408. :returns: Keycloak server response
  409. :rtype: dict
  410. """
  411. params_path = {"realm-name": self.realm_name}
  412. payload = {"client_id": self.client_id, "refresh_token": refresh_token}
  413. payload = self._add_secret_key(payload)
  414. data_raw = self.connection.raw_post(URL_LOGOUT.format(**params_path), data=payload)
  415. return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[204])
  417. def certs(self):
  418. """Get certificates.
  420. The certificate endpoint returns the public keys enabled by the realm, encoded as a
  421. JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled
  422. for verifying tokens.
  424. https://tools.ietf.org/html/rfc7517
  426. :returns: Certificates
  427. :rtype: dict
  428. """
  429. params_path = {"realm-name": self.realm_name}
  430. data_raw = self.connection.raw_get(URL_CERTS.format(**params_path))
  431. return raise_error_from_response(data_raw, KeycloakGetError)
  433. def public_key(self):
  434. """Retrieve the public key.
  436. The public key is exposed by the realm page directly.
  438. :returns: The public key
  439. :rtype: str
  440. """
  441. params_path = {"realm-name": self.realm_name}
  442. data_raw = self.connection.raw_get(URL_REALM.format(**params_path))
  443. return raise_error_from_response(data_raw, KeycloakGetError)["public_key"]
  445. def entitlement(self, token, resource_server_id):
  446. """Get entitlements from the token.
  448. Client applications can use a specific endpoint to obtain a special security token
  449. called a requesting party token (RPT). This token consists of all the entitlements
  450. (or permissions) for a user as a result of the evaluation of the permissions and
  451. authorization policies associated with the resources being requested. With an RPT,
  452. client applications can gain access to protected resources at the resource server.
  454. :param token: Access token
  455. :type token: str
  456. :param resource_server_id: Resource server ID
  457. :type resource_server_id: str
  458. :returns: Entitlements
  459. :rtype: dict
  460. """
  461. self.connection.add_param_headers("Authorization", "Bearer " + token)
  462. params_path = {"realm-name": self.realm_name, "resource-server-id": resource_server_id}
  463. data_raw = self.connection.raw_get(URL_ENTITLEMENT.format(**params_path))
  465. if data_raw.status_code == 404:
  466. return raise_error_from_response(data_raw, KeycloakDeprecationError)
  468. return raise_error_from_response(data_raw, KeycloakGetError) # pragma: no cover
  470. def introspect(self, token, rpt=None, token_type_hint=None):
  471. """Introspect the user token.
  473. The introspection endpoint is used to retrieve the active state of a token.
  474. It is can only be invoked by confidential clients.
  476. https://tools.ietf.org/html/rfc7662
  478. :param token: Access token
  479. :type token: str
  480. :param rpt: Requesting party token
  481. :type rpt: str
  482. :param token_type_hint: Token type hint
  483. :type token_type_hint: str
  485. :returns: Token info
  486. :rtype: dict
  487. :raises KeycloakRPTNotFound: In case of RPT not specified
  488. """
  489. params_path = {"realm-name": self.realm_name}
  490. payload = {"client_id": self.client_id, "token": token}
  492. if token_type_hint == "requesting_party_token":
  493. if rpt:
  494. payload.update({"token": rpt, "token_type_hint": token_type_hint})
  495. self.connection.add_param_headers("Authorization", "Bearer " + token)
  496. else:
  497. raise KeycloakRPTNotFound("Can't found RPT.")
  499. payload = self._add_secret_key(payload)
  501. data_raw = self.connection.raw_post(URL_INTROSPECT.format(**params_path), data=payload)
  502. return raise_error_from_response(data_raw, KeycloakPostError)
  504. def decode_token(self, token, key, algorithms=["RS256"], **kwargs):
  505. """Decode user token.
  507. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data
  508. structure that represents a cryptographic key. This specification
  509. also defines a JWK Set JSON data structure that represents a set of
  510. JWKs. Cryptographic algorithms and identifiers for use with this
  511. specification are described in the separate JSON Web Algorithms (JWA)
  512. specification and IANA registries established by that specification.
  514. https://tools.ietf.org/html/rfc7517
  516. :param token: Keycloak token
  517. :type token: str
  518. :param key: Decode key
  519. :type key: str
  520. :param algorithms: Algorithms to use for decoding
  521. :type algorithms: list[str]
  522. :param kwargs: Keyword arguments
  523. :type kwargs: dict
  524. :returns: Decoded token
  525. :rtype: dict
  526. """
  527. return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs)
  529. def load_authorization_config(self, path):
  530. """Load Keycloak settings (authorization).
  532. :param path: settings file (json)
  533. :type path: str
  534. """
  535. with open(path, "r") as fp:
  536. authorization_json = json.load(fp)
  538. self.authorization.load_config(authorization_json)
  540. def get_policies(self, token, method_token_info="introspect", **kwargs):
  541. """Get policies by user token.
  543. :param token: User token
  544. :type token: str
  545. :param method_token_info: Method for token info decoding
  546. :type method_token_info: str
  547. :param kwargs: Additional keyword arguments
  548. :type kwargs: dict
  549. :return: Policies
  550. :rtype: dict
  551. :raises KeycloakAuthorizationConfigError: In case of bad authorization configuration
  552. :raises KeycloakInvalidTokenError: In case of bad token
  553. """
  554. if not self.authorization.policies:
  555. raise KeycloakAuthorizationConfigError(
  556. "Keycloak settings not found. Load Authorization Keycloak settings."
  557. )
  559. token_info = self._token_info(token, method_token_info, **kwargs)
  561. if method_token_info == "introspect" and not token_info["active"]:
  562. raise KeycloakInvalidTokenError("Token expired or invalid.")
  564. user_resources = token_info["resource_access"].get(self.client_id)
  566. if not user_resources:
  567. return None
  569. policies = []
  571. for policy_name, policy in self.authorization.policies.items():
  572. for role in user_resources["roles"]:
  573. if self._build_name_role(role) in policy.roles:
  574. policies.append(policy)
  576. return list(set(policies))
  578. def get_permissions(self, token, method_token_info="introspect", **kwargs):
  579. """Get permission by user token.
  581. :param token: user token
  582. :type token: str
  583. :param method_token_info: Decode token method
  584. :type method_token_info: str
  585. :param kwargs: parameters for decode
  586. :type kwargs: dict
  587. :returns: permissions list
  588. :rtype: list
  589. :raises KeycloakAuthorizationConfigError: In case of bad authorization configuration
  590. :raises KeycloakInvalidTokenError: In case of bad token
  591. """
  592. if not self.authorization.policies:
  593. raise KeycloakAuthorizationConfigError(
  594. "Keycloak settings not found. Load Authorization Keycloak settings."
  595. )
  597. token_info = self._token_info(token, method_token_info, **kwargs)
  599. if method_token_info == "introspect" and not token_info["active"]:
  600. raise KeycloakInvalidTokenError("Token expired or invalid.")
  602. user_resources = token_info["resource_access"].get(self.client_id)
  604. if not user_resources:
  605. return None
  607. permissions = []
  609. for policy_name, policy in self.authorization.policies.items():
  610. for role in user_resources["roles"]:
  611. if self._build_name_role(role) in policy.roles:
  612. permissions += policy.permissions
  614. return list(set(permissions))
  616. def uma_permissions(self, token, permissions=""):
  617. """Get UMA permissions by user token with requested permissions.
  619. The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be
  620. invoked by confidential clients.
  622. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  624. :param token: user token
  625. :type token: str
  626. :param permissions: list of uma permissions list(resource:scope) requested by the user
  627. :type permissions: str
  628. :returns: Keycloak server response
  629. :rtype: dict
  630. """
  631. permission = build_permission_param(permissions)
  633. params_path = {"realm-name": self.realm_name}
  634. payload = {
  635. "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  636. "permission": permission,
  637. "response_mode": "permissions",
  638. "audience": self.client_id,
  639. }
  641. self.connection.add_param_headers("Authorization", "Bearer " + token)
  642. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  643. return raise_error_from_response(data_raw, KeycloakPostError)
  645. def has_uma_access(self, token, permissions):
  646. """Determine whether user has uma permissions with specified user token.
  648. :param token: user token
  649. :type token: str
  650. :param permissions: list of uma permissions (resource:scope)
  651. :type permissions: str
  652. :return: Authentication status
  653. :rtype: AuthStatus
  654. :raises KeycloakAuthenticationError: In case of failed authentication
  655. :raises KeycloakPostError: In case of failed request to Keycloak
  656. """
  657. needed = build_permission_param(permissions)
  658. try:
  659. granted = self.uma_permissions(token, permissions)
  660. except (KeycloakPostError, KeycloakAuthenticationError) as e:
  661. if e.response_code == 403: # pragma: no cover
  662. return AuthStatus(
  663. is_logged_in=True, is_authorized=False, missing_permissions=needed
  664. )
  665. elif e.response_code == 401:
  666. return AuthStatus(
  667. is_logged_in=False, is_authorized=False, missing_permissions=needed
  668. )
  669. raise
  671. for resource_struct in granted:
  672. resource = resource_struct["rsname"]
  673. scopes = resource_struct.get("scopes", None)
  674. if not scopes:
  675. needed.discard(resource)
  676. continue
  677. for scope in scopes: # pragma: no cover
  678. needed.discard("{}#{}".format(resource, scope))
  680. return AuthStatus(
  681. is_logged_in=True, is_authorized=len(needed) == 0, missing_permissions=needed
  682. )
  684. def register_client(self, token: str, payload: dict):
  685. """Create a client.
  687. ClientRepresentation:
  688. https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
  690. :param token: Initial access token
  691. :type token: str
  692. :param payload: ClientRepresentation
  693. :type payload: dict
  694. :return: Client Representation
  695. :rtype: dict
  696. """
  697. params_path = {"realm-name": self.realm_name}
  698. self.connection.add_param_headers("Authorization", "Bearer " + token)
  699. self.connection.add_param_headers("Content-Type", "application/json")
  700. data_raw = self.connection.raw_post(
  701. URL_CLIENT_REGISTRATION.format(**params_path), data=json.dumps(payload)
  702. )
  703. return raise_error_from_response(data_raw, KeycloakPostError)