Mirror
/
python-keycloak
mirror of https://github.com/marcospereirampj/python-keycloak.git
1
0
Fork 1
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
646 Commits
15 Branches
98 Tags
17 MiB
Tree: c98189ca69
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c98189ca69'
${ noResults }
python-keycloak/src/keycloak/keycloak_openid.py

556 lines
19 KiB
Raw Normal View History

Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
Fixed README and setup.py. Updated docs.
6 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
pep8 formatting
6 years ago
Methods: list users, get user, create user.
7 years ago
pep8 formatting
6 years ago
feat: initial setup of CICD and linting
2 years ago
feat: added UMA-permission request functionality
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: added fixes based on feedback
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: added UMA-permission request functionality
2 years ago
Methods: list users, get user, create user.
7 years ago
Stick with existing code conventions
6 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
docs: fix docstrings
2 years ago
docs: add timeout to docstring
2 years ago
docs: fix docstrings
2 years ago
feat: initial setup of CICD and linting
2 years ago
feat: Ability to set custom timeout for KCOpenId and KCAdmin
2 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
docs: fix docstrings
2 years ago
feat: Ability to set custom timeout for KCOpenId and KCAdmin
2 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: correct spelling of public API method BREAKING CHANGE: Renames `KeycloakOpenID.well_know` to `KeycloakOpenID.well_known`
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: Support the auth_url method called with scope & state params now
2 years ago
refactor: merge master branch into local
2 years ago
docs: update auth_url method's docstring and readme file
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: correct spelling of public API method BREAKING CHANGE: Renames `KeycloakOpenID.well_know` to `KeycloakOpenID.well_known`
2 years ago
feat: initial setup of CICD and linting
2 years ago
fix: Support the auth_url method called with scope & state params now
2 years ago
feat: initial setup of CICD and linting
2 years ago
Stick with existing code conventions
6 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
Add possibility to use authorization_code in KeycloakOpenID.token
6 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
openid - minor typo fix, change nothing yet
3 years ago
Add the option to specify extra key/values to the token endpoint
5 years ago
Methods: list users, get user, create user.
7 years ago
support totp
6 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Refactoring code: groups and client.
7 years ago
style: fixed docstrings everywhere
2 years ago
Refactoring code: groups and client.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Refactoring code: groups and client.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
fix: raise correct exceptions
2 years ago
feat: Support Token Exchange. Fixes #305
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
Fixed mixed up urls
4 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Added public key method
4 years ago
style: fixed docstrings everywhere
2 years ago
Added public key method
4 years ago
Fixed mixed up urls
4 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
add deprecation exception on entitlement call
4 years ago
Methods: list users, get user, create user.
7 years ago
test: added more openid tests
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
docs: fix docstrings
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
fix: raise correct exceptions
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
style: fixed docstrings everywhere
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: initial setup of CICD and linting
2 years ago
Methods: list users, get user, create user.
7 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
style: fixed docstrings everywhere
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
style: fixed docstrings everywhere
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
feat: added UMA-permission request functionality
2 years ago
fix: added fixes based on feedback
2 years ago
test: finished off openid tests
2 years ago
feat: added UMA-permission request functionality
2 years ago
test: finished off openid tests
2 years ago
feat: added UMA-permission request functionality
2 years ago
  1. # -*- coding: utf-8 -*-
  2. #
  3. # The MIT License (MIT)
  4. #
  5. # Copyright (C) 2017 Marcos Pereira <marcospereira.mpj@gmail.com>
  6. #
  7. # Permission is hereby granted, free of charge, to any person obtaining a copy of
  8. # this software and associated documentation files (the "Software"), to deal in
  9. # the Software without restriction, including without limitation the rights to
  10. # use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
  11. # the Software, and to permit persons to whom the Software is furnished to do so,
  12. # subject to the following conditions:
  13. #
  14. # The above copyright notice and this permission notice shall be included in all
  15. # copies or substantial portions of the Software.
  16. #
  17. # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  18. # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
  19. # FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
  20. # COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
  21. # IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  22. # CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
  24. """Keycloak OpenID module.
  26. The module contains mainly the implementation of KeycloakOpenID class, the main
  27. class to handle authentication and token manipulation.
  28. """
  30. import json
  32. from jose import jwt
  34. from .authorization import Authorization
  35. from .connection import ConnectionManager
  36. from .exceptions import (
  37. KeycloakAuthenticationError,
  38. KeycloakAuthorizationConfigError,
  39. KeycloakDeprecationError,
  40. KeycloakGetError,
  41. KeycloakInvalidTokenError,
  42. KeycloakPostError,
  43. KeycloakRPTNotFound,
  44. raise_error_from_response,
  45. )
  46. from .uma_permissions import AuthStatus, build_permission_param
  47. from .urls_patterns import (
  48. URL_AUTH,
  49. URL_CERTS,
  50. URL_ENTITLEMENT,
  51. URL_INTROSPECT,
  52. URL_LOGOUT,
  53. URL_REALM,
  54. URL_TOKEN,
  55. URL_USERINFO,
  56. URL_WELL_KNOWN,
  57. )
  60. class KeycloakOpenID:
  61. """Keycloak OpenID client.
  63. :param server_url: Keycloak server url
  64. :param client_id: client id
  65. :param realm_name: realm name
  66. :param client_secret_key: client secret key
  67. :param verify: True if want check connection SSL
  68. :param custom_headers: dict of custom header to pass to each HTML request
  69. :param proxies: dict of proxies to sent the request by.
  70. :param timeout: connection timeout in seconds
  71. """
  73. def __init__(
  74. self,
  75. server_url,
  76. realm_name,
  77. client_id,
  78. client_secret_key=None,
  79. verify=True,
  80. custom_headers=None,
  81. proxies=None,
  82. timeout=60,
  83. ):
  84. """Init method."""
  85. self.client_id = client_id
  86. self.client_secret_key = client_secret_key
  87. self.realm_name = realm_name
  88. headers = custom_headers if custom_headers is not None else dict()
  89. self.connection = ConnectionManager(
  90. base_url=server_url, headers=headers, timeout=timeout, verify=verify, proxies=proxies
  91. )
  93. self.authorization = Authorization()
  95. @property
  96. def client_id(self):
  97. """Get client id."""
  98. return self._client_id
  100. @client_id.setter
  101. def client_id(self, value):
  102. self._client_id = value
  104. @property
  105. def client_secret_key(self):
  106. """Get the client secret key."""
  107. return self._client_secret_key
  109. @client_secret_key.setter
  110. def client_secret_key(self, value):
  111. self._client_secret_key = value
  113. @property
  114. def realm_name(self):
  115. """Get the realm name."""
  116. return self._realm_name
  118. @realm_name.setter
  119. def realm_name(self, value):
  120. self._realm_name = value
  122. @property
  123. def connection(self):
  124. """Get connection."""
  125. return self._connection
  127. @connection.setter
  128. def connection(self, value):
  129. self._connection = value
  131. @property
  132. def authorization(self):
  133. """Get authorization."""
  134. return self._authorization
  136. @authorization.setter
  137. def authorization(self, value):
  138. self._authorization = value
  140. def _add_secret_key(self, payload):
  141. """Add secret key if exists.
  143. :param payload:
  144. :return:
  145. """
  146. if self.client_secret_key:
  147. payload.update({"client_secret": self.client_secret_key})
  149. return payload
  151. def _build_name_role(self, role):
  152. """Build name of a role.
  154. :param role:
  155. :return:
  156. """
  157. return self.client_id + "/" + role
  159. def _token_info(self, token, method_token_info, **kwargs):
  160. """Getter for the token data.
  162. :param token:
  163. :param method_token_info:
  164. :param kwargs:
  165. :return:
  166. """
  167. if method_token_info == "introspect":
  168. token_info = self.introspect(token)
  169. else:
  170. token_info = self.decode_token(token, **kwargs)
  172. return token_info
  174. def well_known(self):
  175. """Get the well_known object.
  177. The most important endpoint to understand is the well-known configuration
  178. endpoint. It lists endpoints and other configuration options relevant to
  179. the OpenID Connect implementation in Keycloak.
  181. :return It lists endpoints and other configuration options relevant.
  182. """
  183. params_path = {"realm-name": self.realm_name}
  184. data_raw = self.connection.raw_get(URL_WELL_KNOWN.format(**params_path))
  185. return raise_error_from_response(data_raw, KeycloakGetError)
  187. def auth_url(self, redirect_uri, scope="email", state=""):
  188. """Get authorization URL endpoint.
  190. :param redirect_uri: Redirect url to receive oauth code
  191. :type redirect_uri: str
  192. :param scope: Scope of authorization request, split with the blank space
  193. :type: scope: str
  194. :param state: State will be returned to the redirect_uri
  195. :type: str
  196. :returns: Authorization URL Full Build
  197. :rtype: str
  198. """
  199. params_path = {
  200. "authorization-endpoint": self.well_known()["authorization_endpoint"],
  201. "client-id": self.client_id,
  202. "redirect-uri": redirect_uri,
  203. "scope": scope,
  204. "state": state,
  205. }
  206. return URL_AUTH.format(**params_path)
  208. def token(
  209. self,
  210. username="",
  211. password="",
  212. grant_type=["password"],
  213. code="",
  214. redirect_uri="",
  215. totp=None,
  216. **extra
  217. ):
  218. """Retrieve user token.
  220. The token endpoint is used to obtain tokens. Tokens can either be obtained by
  221. exchanging an authorization code or by supplying credentials directly depending on
  222. what flow is used. The token endpoint is also used to obtain new access tokens
  223. when they expire.
  225. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  227. :param username:
  228. :param password:
  229. :param grant_type:
  230. :param code:
  231. :param redirect_uri:
  232. :param totp:
  233. :return:
  234. """
  235. params_path = {"realm-name": self.realm_name}
  236. payload = {
  237. "username": username,
  238. "password": password,
  239. "client_id": self.client_id,
  240. "grant_type": grant_type,
  241. "code": code,
  242. "redirect_uri": redirect_uri,
  243. }
  244. if extra:
  245. payload.update(extra)
  247. if totp:
  248. payload["totp"] = totp
  250. payload = self._add_secret_key(payload)
  251. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  252. return raise_error_from_response(data_raw, KeycloakPostError)
  254. def refresh_token(self, refresh_token, grant_type=["refresh_token"]):
  255. """Refresh the user token.
  257. The token endpoint is used to obtain tokens. Tokens can either be obtained by
  258. exchanging an authorization code or by supplying credentials directly depending on
  259. what flow is used. The token endpoint is also used to obtain new access tokens
  260. when they expire.
  262. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  264. :param refresh_token:
  265. :param grant_type:
  266. :return:
  267. """
  268. params_path = {"realm-name": self.realm_name}
  269. payload = {
  270. "client_id": self.client_id,
  271. "grant_type": grant_type,
  272. "refresh_token": refresh_token,
  273. }
  274. payload = self._add_secret_key(payload)
  275. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  276. return raise_error_from_response(data_raw, KeycloakPostError)
  278. def exchange_token(self, token: str, client_id: str, audience: str, subject: str) -> dict:
  279. """Exchange user token.
  281. Use a token to obtain an entirely different token. See
  282. https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
  284. :param token:
  285. :param client_id:
  286. :param audience:
  287. :param subject:
  288. :return:
  289. """
  290. params_path = {"realm-name": self.realm_name}
  291. payload = {
  292. "grant_type": ["urn:ietf:params:oauth:grant-type:token-exchange"],
  293. "client_id": client_id,
  294. "subject_token": token,
  295. "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
  296. "audience": audience,
  297. "requested_subject": subject,
  298. }
  299. payload = self._add_secret_key(payload)
  300. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  301. return raise_error_from_response(data_raw, KeycloakPostError)
  303. def userinfo(self, token):
  304. """Get the user info object.
  306. The userinfo endpoint returns standard claims about the authenticated user,
  307. and is protected by a bearer token.
  309. http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
  311. :param token:
  312. :return:
  313. """
  314. self.connection.add_param_headers("Authorization", "Bearer " + token)
  315. params_path = {"realm-name": self.realm_name}
  316. data_raw = self.connection.raw_get(URL_USERINFO.format(**params_path))
  317. return raise_error_from_response(data_raw, KeycloakGetError)
  319. def logout(self, refresh_token):
  320. """Log out the authenticated user.
  322. :param refresh_token:
  323. :return:
  324. """
  325. params_path = {"realm-name": self.realm_name}
  326. payload = {"client_id": self.client_id, "refresh_token": refresh_token}
  327. payload = self._add_secret_key(payload)
  328. data_raw = self.connection.raw_post(URL_LOGOUT.format(**params_path), data=payload)
  329. return raise_error_from_response(data_raw, KeycloakPostError, expected_codes=[204])
  331. def certs(self):
  332. """Get certificates.
  334. The certificate endpoint returns the public keys enabled by the realm, encoded as a
  335. JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled
  336. for verifying tokens.
  338. https://tools.ietf.org/html/rfc7517
  340. :return:
  341. """
  342. params_path = {"realm-name": self.realm_name}
  343. data_raw = self.connection.raw_get(URL_CERTS.format(**params_path))
  344. return raise_error_from_response(data_raw, KeycloakGetError)
  346. def public_key(self):
  347. """Retrieve the public key.
  349. The public key is exposed by the realm page directly.
  351. :return:
  352. """
  353. params_path = {"realm-name": self.realm_name}
  354. data_raw = self.connection.raw_get(URL_REALM.format(**params_path))
  355. return raise_error_from_response(data_raw, KeycloakGetError)["public_key"]
  357. def entitlement(self, token, resource_server_id):
  358. """Get entitlements from the token.
  360. Client applications can use a specific endpoint to obtain a special security token
  361. called a requesting party token (RPT). This token consists of all the entitlements
  362. (or permissions) for a user as a result of the evaluation of the permissions and
  363. authorization policies associated with the resources being requested. With an RPT,
  364. client applications can gain access to protected resources at the resource server.
  366. :return:
  367. """
  368. self.connection.add_param_headers("Authorization", "Bearer " + token)
  369. params_path = {"realm-name": self.realm_name, "resource-server-id": resource_server_id}
  370. data_raw = self.connection.raw_get(URL_ENTITLEMENT.format(**params_path))
  372. if data_raw.status_code == 404:
  373. return raise_error_from_response(data_raw, KeycloakDeprecationError)
  375. return raise_error_from_response(data_raw, KeycloakGetError) # pragma: no cover
  377. def introspect(self, token, rpt=None, token_type_hint=None):
  378. """Introspect the user token.
  380. The introspection endpoint is used to retrieve the active state of a token.
  381. It is can only be invoked by confidential clients.
  383. https://tools.ietf.org/html/rfc7662
  385. :param token:
  386. :param rpt:
  387. :param token_type_hint:
  389. :return:
  390. """
  391. params_path = {"realm-name": self.realm_name}
  392. payload = {"client_id": self.client_id, "token": token}
  394. if token_type_hint == "requesting_party_token":
  395. if rpt:
  396. payload.update({"token": rpt, "token_type_hint": token_type_hint})
  397. self.connection.add_param_headers("Authorization", "Bearer " + token)
  398. else:
  399. raise KeycloakRPTNotFound("Can't found RPT.")
  401. payload = self._add_secret_key(payload)
  403. data_raw = self.connection.raw_post(URL_INTROSPECT.format(**params_path), data=payload)
  404. return raise_error_from_response(data_raw, KeycloakPostError)
  406. def decode_token(self, token, key, algorithms=["RS256"], **kwargs):
  407. """Decode user token.
  409. A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data
  410. structure that represents a cryptographic key. This specification
  411. also defines a JWK Set JSON data structure that represents a set of
  412. JWKs. Cryptographic algorithms and identifiers for use with this
  413. specification are described in the separate JSON Web Algorithms (JWA)
  414. specification and IANA registries established by that specification.
  416. https://tools.ietf.org/html/rfc7517
  418. :param token:
  419. :param key:
  420. :param algorithms:
  421. :return:
  422. """
  423. return jwt.decode(token, key, algorithms=algorithms, audience=self.client_id, **kwargs)
  425. def load_authorization_config(self, path):
  426. """Load Keycloak settings (authorization).
  428. :param path: settings file (json)
  429. :return:
  430. """
  431. with open(path, "r") as fp:
  432. authorization_json = json.load(fp)
  434. self.authorization.load_config(authorization_json)
  436. def get_policies(self, token, method_token_info="introspect", **kwargs):
  437. """Get policies by user token.
  439. :param token: user token
  440. :return: policies list
  441. """
  442. if not self.authorization.policies:
  443. raise KeycloakAuthorizationConfigError(
  444. "Keycloak settings not found. Load Authorization Keycloak settings."
  445. )
  447. token_info = self._token_info(token, method_token_info, **kwargs)
  449. if method_token_info == "introspect" and not token_info["active"]:
  450. raise KeycloakInvalidTokenError("Token expired or invalid.")
  452. user_resources = token_info["resource_access"].get(self.client_id)
  454. if not user_resources:
  455. return None
  457. policies = []
  459. for policy_name, policy in self.authorization.policies.items():
  460. for role in user_resources["roles"]:
  461. if self._build_name_role(role) in policy.roles:
  462. policies.append(policy)
  464. return list(set(policies))
  466. def get_permissions(self, token, method_token_info="introspect", **kwargs):
  467. """Get permission by user token.
  469. :param token: user token
  470. :param method_token_info: Decode token method
  471. :param kwargs: parameters for decode
  472. :return: permissions list
  473. """
  474. if not self.authorization.policies:
  475. raise KeycloakAuthorizationConfigError(
  476. "Keycloak settings not found. Load Authorization Keycloak settings."
  477. )
  479. token_info = self._token_info(token, method_token_info, **kwargs)
  481. if method_token_info == "introspect" and not token_info["active"]:
  482. raise KeycloakInvalidTokenError("Token expired or invalid.")
  484. user_resources = token_info["resource_access"].get(self.client_id)
  486. if not user_resources:
  487. return None
  489. permissions = []
  491. for policy_name, policy in self.authorization.policies.items():
  492. for role in user_resources["roles"]:
  493. if self._build_name_role(role) in policy.roles:
  494. permissions += policy.permissions
  496. return list(set(permissions))
  498. def uma_permissions(self, token, permissions=""):
  499. """Get UMA permissions by user token with requested permissions.
  501. The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be
  502. invoked by confidential clients.
  504. http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
  506. :param token: user token
  507. :param permissions: list of uma permissions list(resource:scope) requested by the user
  508. :return: permissions list
  509. """
  510. permission = build_permission_param(permissions)
  512. params_path = {"realm-name": self.realm_name}
  513. payload = {
  514. "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  515. "permission": permission,
  516. "response_mode": "permissions",
  517. "audience": self.client_id,
  518. }
  520. self.connection.add_param_headers("Authorization", "Bearer " + token)
  521. data_raw = self.connection.raw_post(URL_TOKEN.format(**params_path), data=payload)
  522. return raise_error_from_response(data_raw, KeycloakPostError)
  524. def has_uma_access(self, token, permissions):
  525. """Determine whether user has uma permissions with specified user token.
  527. :param token: user token
  528. :param permissions: list of uma permissions (resource:scope)
  529. :return: auth status
  530. """
  531. needed = build_permission_param(permissions)
  532. try:
  533. granted = self.uma_permissions(token, permissions)
  534. except (KeycloakPostError, KeycloakAuthenticationError) as e:
  535. if e.response_code == 403: # pragma: no cover
  536. return AuthStatus(
  537. is_logged_in=True, is_authorized=False, missing_permissions=needed
  538. )
  539. elif e.response_code == 401:
  540. return AuthStatus(
  541. is_logged_in=False, is_authorized=False, missing_permissions=needed
  542. )
  543. raise
  545. for resource_struct in granted:
  546. resource = resource_struct["rsname"]
  547. scopes = resource_struct.get("scopes", None)
  548. if not scopes:
  549. needed.discard(resource)
  550. continue
  551. for scope in scopes: # pragma: no cover
  552. needed.discard("{}#{}".format(resource, scope))
  554. return AuthStatus(
  555. is_logged_in=True, is_authorized=len(needed) == 0, missing_permissions=needed
  556. )