|
@ -60,114 +60,178 @@ The documentation for python-keycloak is available on [readthedocs](http://pytho |
|
|
|
|
|
|
|
|
## Usage |
|
|
## Usage |
|
|
|
|
|
|
|
|
|
|
|
### Well-known |
|
|
|
|
|
|
|
|
```python |
|
|
```python |
|
|
from keycloak import KeycloakOpenID |
|
|
from keycloak import KeycloakOpenID |
|
|
|
|
|
|
|
|
# Configure client |
|
|
# Configure client |
|
|
keycloak_openid = KeycloakOpenID(server_url="http://localhost:8080/auth/", |
|
|
|
|
|
|
|
|
keycloak_openid = KeycloakOpenID( |
|
|
|
|
|
server_url="http://localhost:8080/", |
|
|
client_id="example_client", |
|
|
client_id="example_client", |
|
|
realm_name="example_realm", |
|
|
realm_name="example_realm", |
|
|
client_secret_key="secret") |
|
|
|
|
|
|
|
|
client_secret_key="secret", |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Get WellKnow |
|
|
# Get WellKnow |
|
|
config_well_known = keycloak_openid.well_known() |
|
|
config_well_known = keycloak_openid.well_known() |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### User authentication |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Get Token |
|
|
# Get Token |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password", totp="012345") |
|
|
token = keycloak_openid.token("user", "password", totp="012345") |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### User info |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Get Userinfo |
|
|
# Get Userinfo |
|
|
userinfo = keycloak_openid.userinfo(token['access_token']) |
|
|
userinfo = keycloak_openid.userinfo(token['access_token']) |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Token refresh |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Refresh token |
|
|
# Refresh token |
|
|
token = keycloak_openid.refresh_token(token['refresh_token']) |
|
|
token = keycloak_openid.refresh_token(token['refresh_token']) |
|
|
|
|
|
|
|
|
# Logout |
|
|
# Logout |
|
|
keycloak_openid.logout(token['refresh_token']) |
|
|
keycloak_openid.logout(token['refresh_token']) |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Certificates |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Get Certs |
|
|
# Get Certs |
|
|
certs = keycloak_openid.certs() |
|
|
certs = keycloak_openid.certs() |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### RPT |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Get RPT (Entitlement) |
|
|
# Get RPT (Entitlement) |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
rpt = keycloak_openid.entitlement(token['access_token'], "resource_id") |
|
|
|
|
|
|
|
|
rpt = keycloak_openid.entitlement(token["access_token"], "resource_id") |
|
|
|
|
|
|
|
|
# Instropect RPT |
|
|
# Instropect RPT |
|
|
token_rpt_info = keycloak_openid.introspect(keycloak_openid.introspect(token['access_token'], rpt=rpt['rpt'], |
|
|
|
|
|
token_type_hint="requesting_party_token")) |
|
|
|
|
|
|
|
|
token_rpt_info = keycloak_openid.introspect( |
|
|
|
|
|
keycloak_openid.introspect( |
|
|
|
|
|
token["access_token"], rpt=rpt["rpt"], token_type_hint="requesting_party_token" |
|
|
|
|
|
) |
|
|
|
|
|
) |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Token inspection |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Introspect Token |
|
|
# Introspect Token |
|
|
token_info = keycloak_openid.introspect(token['access_token']) |
|
|
|
|
|
|
|
|
token_info = keycloak_openid.introspect(token["access_token"]) |
|
|
|
|
|
|
|
|
# Decode Token |
|
|
# Decode Token |
|
|
KEYCLOAK_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\n" + keycloak_openid.public_key() + "\n-----END PUBLIC KEY-----" |
|
|
|
|
|
|
|
|
KEYCLOAK_PUBLIC_KEY = ( |
|
|
|
|
|
"-----BEGIN PUBLIC KEY-----\n" + keycloak_openid.public_key() + "\n-----END PUBLIC KEY-----" |
|
|
|
|
|
) |
|
|
options = {"verify_signature": True, "verify_aud": True, "verify_exp": True} |
|
|
options = {"verify_signature": True, "verify_aud": True, "verify_exp": True} |
|
|
token_info = keycloak_openid.decode_token(token['access_token'], key=KEYCLOAK_PUBLIC_KEY, options=options) |
|
|
|
|
|
|
|
|
token_info = keycloak_openid.decode_token( |
|
|
|
|
|
token["access_token"], key=KEYCLOAK_PUBLIC_KEY, options=options |
|
|
|
|
|
) |
|
|
|
|
|
``` |
|
|
|
|
|
|
|
|
|
|
|
### Permissions |
|
|
|
|
|
|
|
|
|
|
|
```python |
|
|
# Get permissions by token |
|
|
# Get permissions by token |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
keycloak_openid.load_authorization_config("example-authz-config.json") |
|
|
keycloak_openid.load_authorization_config("example-authz-config.json") |
|
|
policies = keycloak_openid.get_policies(token['access_token'], method_token_info='decode', key=KEYCLOAK_PUBLIC_KEY) |
|
|
|
|
|
permissions = keycloak_openid.get_permissions(token['access_token'], method_token_info='introspect') |
|
|
|
|
|
|
|
|
policies = keycloak_openid.get_policies( |
|
|
|
|
|
token["access_token"], method_token_info="decode", key=KEYCLOAK_PUBLIC_KEY |
|
|
|
|
|
) |
|
|
|
|
|
permissions = keycloak_openid.get_permissions( |
|
|
|
|
|
token["access_token"], method_token_info="introspect" |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Get UMA-permissions by token |
|
|
# Get UMA-permissions by token |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
permissions = keycloak_openid.uma_permissions(token['access_token']) |
|
|
|
|
|
|
|
|
permissions = keycloak_openid.uma_permissions(token["access_token"]) |
|
|
|
|
|
|
|
|
# Get UMA-permissions by token with specific resource and scope requested |
|
|
# Get UMA-permissions by token with specific resource and scope requested |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
permissions = keycloak_openid.uma_permissions(token['access_token'], permissions="Resource#Scope") |
|
|
|
|
|
|
|
|
permissions = keycloak_openid.uma_permissions(token["access_token"], permissions="Resource#Scope") |
|
|
|
|
|
|
|
|
# Get auth status for a specific resource and scope by token |
|
|
# Get auth status for a specific resource and scope by token |
|
|
token = keycloak_openid.token("user", "password") |
|
|
token = keycloak_openid.token("user", "password") |
|
|
auth_status = keycloak_openid.has_uma_access(token['access_token'], "Resource#Scope") |
|
|
|
|
|
|
|
|
auth_status = keycloak_openid.has_uma_access(token["access_token"], "Resource#Scope") |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# KEYCLOAK ADMIN |
|
|
# KEYCLOAK ADMIN |
|
|
|
|
|
|
|
|
from keycloak import KeycloakAdmin |
|
|
from keycloak import KeycloakAdmin |
|
|
|
|
|
|
|
|
keycloak_admin = KeycloakAdmin(server_url="http://localhost:8080/auth/", |
|
|
|
|
|
username='example-admin', |
|
|
|
|
|
password='secret', |
|
|
|
|
|
|
|
|
keycloak_admin = KeycloakAdmin( |
|
|
|
|
|
server_url="http://localhost:8080/auth/", |
|
|
|
|
|
username="example-admin", |
|
|
|
|
|
password="secret", |
|
|
realm_name="master", |
|
|
realm_name="master", |
|
|
user_realm_name="only_if_other_realm_than_master", |
|
|
user_realm_name="only_if_other_realm_than_master", |
|
|
client_secret_key="client-secret", |
|
|
client_secret_key="client-secret", |
|
|
verify=True) |
|
|
|
|
|
|
|
|
verify=True, |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Add user |
|
|
# Add user |
|
|
new_user = keycloak_admin.create_user({"email": "example@example.com", |
|
|
|
|
|
|
|
|
new_user = keycloak_admin.create_user( |
|
|
|
|
|
{ |
|
|
|
|
|
"email": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"enabled": True, |
|
|
"enabled": True, |
|
|
"firstName": "Example", |
|
|
"firstName": "Example", |
|
|
"lastName": "Example"}) |
|
|
|
|
|
|
|
|
"lastName": "Example", |
|
|
|
|
|
} |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Add user and raise exception if username already exists |
|
|
# Add user and raise exception if username already exists |
|
|
# exist_ok currently defaults to True for backwards compatibility reasons |
|
|
# exist_ok currently defaults to True for backwards compatibility reasons |
|
|
new_user = keycloak_admin.create_user({"email": "example@example.com", |
|
|
|
|
|
|
|
|
new_user = keycloak_admin.create_user( |
|
|
|
|
|
{ |
|
|
|
|
|
"email": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"enabled": True, |
|
|
"enabled": True, |
|
|
"firstName": "Example", |
|
|
"firstName": "Example", |
|
|
"lastName": "Example"}, |
|
|
|
|
|
exist_ok=False) |
|
|
|
|
|
|
|
|
"lastName": "Example", |
|
|
|
|
|
}, |
|
|
|
|
|
exist_ok=False, |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Add user and set password |
|
|
# Add user and set password |
|
|
new_user = keycloak_admin.create_user({"email": "example@example.com", |
|
|
|
|
|
|
|
|
new_user = keycloak_admin.create_user( |
|
|
|
|
|
{ |
|
|
|
|
|
"email": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"username": "example@example.com", |
|
|
"enabled": True, |
|
|
"enabled": True, |
|
|
"firstName": "Example", |
|
|
"firstName": "Example", |
|
|
"lastName": "Example", |
|
|
"lastName": "Example", |
|
|
"credentials": [{"value": "secret","type": "password",}]}) |
|
|
|
|
|
|
|
|
"credentials": [ |
|
|
|
|
|
{ |
|
|
|
|
|
"value": "secret", |
|
|
|
|
|
"type": "password", |
|
|
|
|
|
} |
|
|
|
|
|
], |
|
|
|
|
|
} |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Add user and specify a locale |
|
|
# Add user and specify a locale |
|
|
new_user = keycloak_admin.create_user({"email": "example@example.fr", |
|
|
|
|
|
|
|
|
new_user = keycloak_admin.create_user( |
|
|
|
|
|
{ |
|
|
|
|
|
"email": "example@example.fr", |
|
|
"username": "example@example.fr", |
|
|
"username": "example@example.fr", |
|
|
"enabled": True, |
|
|
"enabled": True, |
|
|
"firstName": "Example", |
|
|
"firstName": "Example", |
|
|
"lastName": "Example", |
|
|
"lastName": "Example", |
|
|
"attributes": { |
|
|
|
|
|
"locale": ["fr"] |
|
|
|
|
|
}}) |
|
|
|
|
|
|
|
|
"attributes": {"locale": ["fr"]}, |
|
|
|
|
|
} |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# User counter |
|
|
# User counter |
|
|
count_users = keycloak_admin.users_count() |
|
|
count_users = keycloak_admin.users_count() |
|
@ -182,20 +246,23 @@ user_id_keycloak = keycloak_admin.get_user_id("example@example.com") |
|
|
user = keycloak_admin.get_user("user-id-keycloak") |
|
|
user = keycloak_admin.get_user("user-id-keycloak") |
|
|
|
|
|
|
|
|
# Update User |
|
|
# Update User |
|
|
response = keycloak_admin.update_user(user_id="user-id-keycloak", |
|
|
|
|
|
payload={'firstName': 'Example Update'}) |
|
|
|
|
|
|
|
|
response = keycloak_admin.update_user( |
|
|
|
|
|
user_id="user-id-keycloak", payload={"firstName": "Example Update"} |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Update User Password |
|
|
# Update User Password |
|
|
response = keycloak_admin.set_user_password(user_id="user-id-keycloak", password="secret", temporary=True) |
|
|
|
|
|
|
|
|
response = keycloak_admin.set_user_password( |
|
|
|
|
|
user_id="user-id-keycloak", password="secret", temporary=True |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Get User Credentials |
|
|
# Get User Credentials |
|
|
credentials = keycloak_admin.get_credentials(user_id='user_id') |
|
|
|
|
|
|
|
|
credentials = keycloak_admin.get_credentials(user_id="user_id") |
|
|
|
|
|
|
|
|
# Get User Credential by ID |
|
|
# Get User Credential by ID |
|
|
credential = keycloak_admin.get_credential(user_id='user_id', credential_id='credential_id') |
|
|
|
|
|
|
|
|
credential = keycloak_admin.get_credential(user_id="user_id", credential_id="credential_id") |
|
|
|
|
|
|
|
|
# Delete User Credential |
|
|
# Delete User Credential |
|
|
response = keycloak_admin.delete_credential(user_id='user_id', credential_id='credential_id') |
|
|
|
|
|
|
|
|
response = keycloak_admin.delete_credential(user_id="user_id", credential_id="credential_id") |
|
|
|
|
|
|
|
|
# Delete User |
|
|
# Delete User |
|
|
response = keycloak_admin.delete_user(user_id="user-id-keycloak") |
|
|
response = keycloak_admin.delete_user(user_id="user-id-keycloak") |
|
@ -204,8 +271,9 @@ response = keycloak_admin.delete_user(user_id="user-id-keycloak") |
|
|
consents = keycloak_admin.consents_user(user_id="user-id-keycloak") |
|
|
consents = keycloak_admin.consents_user(user_id="user-id-keycloak") |
|
|
|
|
|
|
|
|
# Send User Action |
|
|
# Send User Action |
|
|
response = keycloak_admin.send_update_account(user_id="user-id-keycloak", |
|
|
|
|
|
payload=json.dumps(['UPDATE_PASSWORD'])) |
|
|
|
|
|
|
|
|
response = keycloak_admin.send_update_account( |
|
|
|
|
|
user_id="user-id-keycloak", payload=json.dumps(["UPDATE_PASSWORD"]) |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Send Verify Email |
|
|
# Send Verify Email |
|
|
response = keycloak_admin.send_verify_email(user_id="user-id-keycloak") |
|
|
response = keycloak_admin.send_verify_email(user_id="user-id-keycloak") |
|
@ -239,10 +307,14 @@ role = keycloak_admin.get_client_role(client_id="client_id", role_name="role_nam |
|
|
role_id = keycloak_admin.get_client_role_id(client_id="client_id", role_name="test") |
|
|
role_id = keycloak_admin.get_client_role_id(client_id="client_id", role_name="test") |
|
|
|
|
|
|
|
|
# Create client role |
|
|
# Create client role |
|
|
keycloak_admin.create_client_role(client_role_id='client_id', payload={'name': 'roleName', 'clientRole': True}) |
|
|
|
|
|
|
|
|
keycloak_admin.create_client_role( |
|
|
|
|
|
client_role_id="client_id", payload={"name": "roleName", "clientRole": True} |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Assign client role to user. Note that BOTH role_name and role_id appear to be required. |
|
|
# Assign client role to user. Note that BOTH role_name and role_id appear to be required. |
|
|
keycloak_admin.assign_client_role(client_id="client_id", user_id="user_id", role_id="role_id", role_name="test") |
|
|
|
|
|
|
|
|
keycloak_admin.assign_client_role( |
|
|
|
|
|
client_id="client_id", user_id="user_id", role_id="role_id", role_name="test" |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Retrieve client roles of a user. |
|
|
# Retrieve client roles of a user. |
|
|
keycloak_admin.get_client_roles_of_user(user_id="user_id", client_id="client_id") |
|
|
keycloak_admin.get_client_roles_of_user(user_id="user_id", client_id="client_id") |
|
@ -254,8 +326,12 @@ keycloak_admin.get_available_client_roles_of_user(user_id="user_id", client_id=" |
|
|
keycloak_admin.get_composite_client_roles_of_user(user_id="user_id", client_id="client_id") |
|
|
keycloak_admin.get_composite_client_roles_of_user(user_id="user_id", client_id="client_id") |
|
|
|
|
|
|
|
|
# Delete client roles of a user. |
|
|
# Delete client roles of a user. |
|
|
keycloak_admin.delete_client_roles_of_user(client_id="client_id", user_id="user_id", roles={"id": "role-id"}) |
|
|
|
|
|
keycloak_admin.delete_client_roles_of_user(client_id="client_id", user_id="user_id", roles=[{"id": "role-id_1"}, {"id": "role-id_2"}]) |
|
|
|
|
|
|
|
|
keycloak_admin.delete_client_roles_of_user( |
|
|
|
|
|
client_id="client_id", user_id="user_id", roles={"id": "role-id"} |
|
|
|
|
|
) |
|
|
|
|
|
keycloak_admin.delete_client_roles_of_user( |
|
|
|
|
|
client_id="client_id", user_id="user_id", roles=[{"id": "role-id_1"}, {"id": "role-id_2"}] |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Get all client authorization resources |
|
|
# Get all client authorization resources |
|
|
client_resources = get_client_authz_resources(client_id="client_id") |
|
|
client_resources = get_client_authz_resources(client_id="client_id") |
|
@ -276,10 +352,10 @@ group = keycloak_admin.create_group({"name": "Example Group"}) |
|
|
groups = keycloak_admin.get_groups() |
|
|
groups = keycloak_admin.get_groups() |
|
|
|
|
|
|
|
|
# Get group |
|
|
# Get group |
|
|
group = keycloak_admin.get_group(group_id='group_id') |
|
|
|
|
|
|
|
|
group = keycloak_admin.get_group(group_id="group_id") |
|
|
|
|
|
|
|
|
# Get group by name |
|
|
# Get group by name |
|
|
group = keycloak_admin.get_group_by_path(path='/group/subgroup', search_in_subgroups=True) |
|
|
|
|
|
|
|
|
group = keycloak_admin.get_group_by_path(path="/group/subgroup", search_in_subgroups=True) |
|
|
|
|
|
|
|
|
# Function to trigger user sync from provider |
|
|
# Function to trigger user sync from provider |
|
|
sync_users(storage_id="storage_di", action="action") |
|
|
sync_users(storage_id="storage_di", action="action") |
|
@ -291,7 +367,9 @@ role_id = keycloak_admin.get_client_role_id(client_id=client_id, role_name="test |
|
|
realm_roles = keycloak_admin.get_roles() |
|
|
realm_roles = keycloak_admin.get_roles() |
|
|
|
|
|
|
|
|
# Assign client role to user. Note that BOTH role_name and role_id appear to be required. |
|
|
# Assign client role to user. Note that BOTH role_name and role_id appear to be required. |
|
|
keycloak_admin.assign_client_role(client_id=client_id, user_id=user_id, role_id=role_id, role_name="test") |
|
|
|
|
|
|
|
|
keycloak_admin.assign_client_role( |
|
|
|
|
|
client_id=client_id, user_id=user_id, role_id=role_id, role_name="test" |
|
|
|
|
|
) |
|
|
|
|
|
|
|
|
# Assign realm roles to user |
|
|
# Assign realm roles to user |
|
|
keycloak_admin.assign_realm_roles(user_id=user_id, roles=realm_roles) |
|
|
keycloak_admin.assign_realm_roles(user_id=user_id, roles=realm_roles) |
|
@ -302,5 +380,4 @@ idps = keycloak_admin.get_idps() |
|
|
|
|
|
|
|
|
# Create a new Realm |
|
|
# Create a new Realm |
|
|
keycloak_admin.create_realm(payload={"realm": "demo"}, skip_exists=False) |
|
|
keycloak_admin.create_realm(payload={"realm": "demo"}, skip_exists=False) |
|
|
|
|
|
|
|
|
``` |
|
|
``` |