keycloak
Subpackages
Submodules
Package Contents
Classes
ConnectionManager | Represents a simple server connection.
KeycloakAdmin | Keycloak Admin client.
KeycloakOpenID | Keycloak OpenID client.
Attributes
- class keycloak.ConnectionManager(base_url, headers={}, timeout=60, verify=True, proxies=None)[source]¶
Bases:
object
Represents a simple server connection.
- Parameters
base_url – (str) The server URL.
headers – (dict) The header parameters of the requests to the server.
timeout – (int) Timeout to use for requests to the server.
verify – (bool) Verify server SSL.
proxies – (dict) The proxy servers that requests are sent through.
- __del__(self)¶
- property base_url(self)¶
Return base url in use for requests to the server.
- property timeout(self)¶
Return timeout in use for request to the server.
- property verify(self)¶
Return verify in use for request to the server.
- property headers(self)¶
Return header request to the server.
- param_headers(self, key)¶
Return a specific header parameter.
- Parameters
key – (str) Header parameters key.
- Returns
If the header parameter exists, return its value.
- clean_headers(self)¶
Clear header parameters.
- exist_param_headers(self, key)¶
Check if the parameter exists in the header.
- Parameters
key – (str) Header parameters key.
- Returns
If the header parameter exists, return True.
- add_param_headers(self, key, value)¶
Add a single parameter inside the header.
- Parameters
key – (str) Header parameters key.
value – (str) Value to be added.
- del_param_headers(self, key)¶
Remove a specific parameter.
- Parameters
key – (str) Key of the header parameters.
- raw_get(self, path, **kwargs)¶
Submit get request to the path.
- Parameters
path – (str) Path for request.
- Returns
Response to the request.
- Raises
HttpError – Can’t connect to server.
- raw_post(self, path, data, **kwargs)¶
Submit post request to the path.
- Parameters
path – (str) Path for request.
data – (dict) Payload for request.
- Returns
Response to the request.
- Raises
HttpError – Can’t connect to server.
- raw_put(self, path, data, **kwargs)¶
Submit put request to the path.
- Parameters
path – (str) Path for request.
data – (dict) Payload for request.
- Returns
Response to the request.
- Raises
HttpError – Can’t connect to server.
- raw_delete(self, path, data={}, **kwargs)¶
Submit delete request to the path.
- Parameters
path – (str) Path for request.
data – (dict) Payload for request.
- Returns
Response to the request.
- Raises
HttpError – Can’t connect to server.
- exception keycloak.KeycloakAuthenticationError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakAuthorizationConfigError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakConnectionError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakDeleteError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakDeprecationError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
Exception
Common base class for all non-exit exceptions.
- __str__(self)¶
Return str(self).
- exception keycloak.KeycloakGetError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakInvalidTokenError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakOperationError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakPostError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakPutError(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakRPTNotFound(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- exception keycloak.KeycloakSecretNotFound(error_message='', response_code=None, response_body=None)[source]¶
Bases:
KeycloakOperationError
Common base class for all non-exit exceptions.
- class keycloak.KeycloakAdmin(server_url, username=None, password=None, totp=None, realm_name='master', client_id='admin-cli', verify=True, client_secret_key=None, custom_headers=None, user_realm_name=None, auto_refresh_token=None)[source]¶
Keycloak Admin client.
- Parameters
server_url – Keycloak server url
username – admin username
password – admin password
totp – Time based OTP
realm_name – realm name
client_id – client id
verify – True to verify the server's SSL certificate
client_secret_key – client secret key (optional, required only for access type confidential)
custom_headers – dict of custom headers to pass to each HTTP request
user_realm_name – The realm name of the user, if different from realm_name
auto_refresh_token – list of methods that allow automatic token refresh. Ex: [‘get’, ‘put’, ‘post’, ‘delete’]
- PAGE_SIZE = 100¶
- _server_url¶
- _username¶
- _password¶
- _totp¶
- _realm_name¶
- _client_id¶
- _verify¶
- _client_secret_key¶
- _auto_refresh_token¶
- _connection¶
- _token¶
- _custom_headers¶
- _user_realm_name¶
- property server_url(self)¶
- property realm_name(self)¶
- property connection(self)¶
- property client_id(self)¶
- property client_secret_key(self)¶
- property verify(self)¶
- property username(self)¶
- property password(self)¶
- property totp(self)¶
- property token(self)¶
- property auto_refresh_token(self)¶
- property user_realm_name(self)¶
- property custom_headers(self)¶
- __fetch_all(self, url, query=None)¶
Wrapper function to paginate GET requests
- Parameters
url – The url on which the query is executed
query – Existing query parameters (optional)
- Returns
Combined results of paginated queries
- __fetch_paginated(self, url, query=None)¶
- import_realm(self, payload)¶
Import a new realm from a RealmRepresentation. Realm name must be unique.
RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation
- Parameters
payload – RealmRepresentation
- Returns
RealmRepresentation
- export_realm(self, export_clients=False, export_groups_and_role=False)¶
Export the realm configurations in the json format
RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_partialexport
- Parameters
export_clients – Skip if you do not want to export realm clients
export_groups_and_role – Skip if you do not want to export realm groups and roles
- Returns
realm configurations JSON
- get_realms(self)¶
Lists all realms in Keycloak deployment
- Returns
realms list
- get_realm(self, realm_name)¶
Get a specific realm.
RealmRepresentation: https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_realmrepresentation
- Parameters
realm_name – Realm name (not the realm id)
- Returns
RealmRepresentation
- create_realm(self, payload, skip_exists=False)¶
Create a realm
RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation
- Parameters
payload – RealmRepresentation
skip_exists – Skip if Realm already exist.
- Returns
Keycloak server response (RealmRepresentation)
- update_realm(self, realm_name, payload)¶
Update a realm. This will only update top-level attributes and will ignore any user, role, or client information in the payload.
RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation
- Parameters
realm_name – Realm name (not the realm id)
payload – RealmRepresentation
- Returns
Http response
- delete_realm(self, realm_name)¶
Delete a realm
- Parameters
realm_name – Realm name (not the realm id)
- Returns
Http response
- get_users(self, query=None)¶
Return a list of users, filtered according to query parameters
UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation
- Parameters
query – Query parameters (optional)
- Returns
users list
- create_idp(self, payload)¶
Create an ID Provider.
IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation
- Param
payload: IdentityProviderRepresentation
- add_mapper_to_idp(self, idp_alias, payload)¶
Add a mapper to an ID Provider.
IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityprovidermapperrepresentation
- Param
idp_alias: alias for Idp to add mapper in
- Param
payload: IdentityProviderMapperRepresentation
- update_mapper_in_idp(self, idp_alias, mapper_id, payload)¶
Update an IdP mapper
IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_update
- Param
idp_alias: alias for Idp to fetch mappers
- Param
mapper_id: Mapper Id to update
- Param
payload: IdentityProviderMapperRepresentation
- Returns
Http response
- get_idp_mappers(self, idp_alias)¶
Returns a list of ID Providers mappers
IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getmappers
- Param
idp_alias: alias for Idp to fetch mappers
- Returns
array IdentityProviderMapperRepresentation
- get_idps(self)¶
Returns a list of ID Providers.
IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation
- Returns
array IdentityProviderRepresentation
- delete_idp(self, idp_alias)¶
Deletes an ID Provider.
- Param
idp_alias: idp alias name
- create_user(self, payload, exist_ok=False)¶
Create a new user. Username must be unique
UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation
- Parameters
payload – UserRepresentation
exist_ok – If False, raise KeycloakGetError if username already exists. Otherwise, return existing user ID.
- Returns
UserRepresentation
- users_count(self, query=None)¶
User counter
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_users_resource
- Parameters
query – (dict) Query parameters for users count
- Returns
counter
- get_user_id(self, username)¶
Get the internal Keycloak user id from the username. This is required for further actions against this user.
UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation
- Parameters
username – id in UserRepresentation
- Returns
user_id
- get_user(self, user_id)¶
Get representation of the user
- Parameters
user_id – User id
UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation
- Returns
UserRepresentation
- get_user_groups(self, user_id)¶
Returns a list of groups of which the user is a member
- Parameters
user_id – User id
- Returns
user groups list
- update_user(self, user_id, payload)¶
Update the user
- Parameters
user_id – User id
payload – UserRepresentation
- Returns
Http response
- delete_user(self, user_id)¶
Delete the user
- Parameters
user_id – User id
- Returns
Http response
- set_user_password(self, user_id, password, temporary=True)¶
Set up a password for the user. If temporary is True, the user will have to reset the temporary password next time they log in.
https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource https://www.keycloak.org/docs-api/18.0/rest-api/#_credentialrepresentation
- Parameters
user_id – User id
password – New password
temporary – True if password is temporary
- Returns
- get_credentials(self, user_id)¶
Returns a list of credential belonging to the user.
CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation
- Param
user_id: user id
- Returns
Keycloak server response (CredentialRepresentation)
- delete_credential(self, user_id, credential_id)¶
Delete credential of the user.
CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation
- Param
user_id: user id
- Param
credential_id: credential id
- Returns
Keycloak server response (ClientRepresentation)
- user_logout(self, user_id)¶
Logs out user.
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_logout
- Parameters
user_id – User id
- Returns
- user_consents(self, user_id)¶
Get consents granted by the user
UserConsentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userconsentrepresentation
- Parameters
user_id – User id
- Returns
List of UserConsentRepresentations
- get_user_social_logins(self, user_id)¶
Returns a list of federated identities/social logins with which the user has been associated
- Parameters
user_id – User id
- Returns
federated identities list
- add_user_social_login(self, user_id, provider_id, provider_userid, provider_username)¶
Add a federated identity / social login provider to the user
- Parameters
user_id – User id
provider_id – Social login provider id
provider_userid – userid specified by the provider
provider_username – username specified by the provider
- Returns
- delete_user_social_login(self, user_id, provider_id)¶
Delete a federated identity / social login provider from the user
- Parameters
user_id – User id
provider_id – Social login provider id
- Returns
- send_update_account(self, user_id, payload, client_id=None, lifespan=None, redirect_uri=None)¶
Send an update account email to the user. An email contains a link the user can click to perform a set of required actions.
- Parameters
user_id – User id
payload – A list of actions for the user to complete
client_id – Client id (optional)
lifespan – Number of seconds after which the generated token expires (optional)
redirect_uri – The redirect uri (optional)
- Returns
- send_verify_email(self, user_id, client_id=None, redirect_uri=None)¶
Send an update account email to the user. An email contains a link the user can click to perform a set of required actions.
- Parameters
user_id – User id
client_id – Client id (optional)
redirect_uri – Redirect uri (optional)
- Returns
- get_sessions(self, user_id)¶
Get sessions associated with the user
- Parameters
user_id – id of user
UserSessionRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation
- Returns
UserSessionRepresentation
- get_server_info(self)¶
Get themes, social providers, auth providers, and event listeners available on this server
ServerInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation
- Returns
ServerInfoRepresentation
- get_groups(self, query=None)¶
Returns a list of groups belonging to the realm
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Returns
array GroupRepresentation
- get_group(self, group_id)¶
Get group by id. Returns full group details
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Parameters
group_id – The group id
- Returns
Keycloak server response (GroupRepresentation)
- get_subgroups(self, group, path)¶
Utility function to iterate through nested group structures
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Parameters
group – group (GroupRepresentation)
path – group path (string)
- Returns
Keycloak server response (GroupRepresentation)
- get_group_members(self, group_id, query=None)¶
Get members by group id. Returns group members
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_userrepresentation
- Parameters
group_id – The group id
query – Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getmembers)
- Returns
Keycloak server response (UserRepresentation)
- get_group_by_path(self, path, search_in_subgroups=False)¶
Get group id based on name or path. A straight name or path match with a top-level group will return first. Subgroups are traversed, the first to match path (or name with path) is returned.
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Parameters
path – group path
search_in_subgroups – True to search in the subgroups
- Returns
Keycloak server response (GroupRepresentation)
- create_group(self, payload, parent=None, skip_exists=False)¶
Creates a group in the Realm
- Parameters
payload – GroupRepresentation
parent – parent group’s id. Required to create a sub-group.
skip_exists – If true then do not raise an error if it already exists
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Returns
Group id for newly created group or None for an existing group
- update_group(self, group_id, payload)¶
Update group, ignores subgroups.
- Parameters
group_id – id of group
payload – GroupRepresentation with updated information.
GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation
- Returns
Http response
- group_set_permissions(self, group_id, enabled=True)¶
Enable/Disable permissions for a group. Cannot delete group if disabled
- Parameters
group_id – id of group
enabled – boolean
- Returns
Keycloak server response
- group_user_add(self, user_id, group_id)¶
Add user to group (user_id and group_id)
- Parameters
user_id – id of user
group_id – id of group to add to
- Returns
Keycloak server response
- group_user_remove(self, user_id, group_id)¶
Remove user from group (user_id and group_id)
- Parameters
user_id – id of user
group_id – id of group to remove from
- Returns
Keycloak server response
- delete_group(self, group_id)¶
Deletes a group in the Realm
- Parameters
group_id – id of group to delete
- Returns
Keycloak server response
- get_clients(self)¶
Returns a list of clients belonging to the realm
ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response (ClientRepresentation)
- get_client(self, client_id)¶
Get representation of the client
ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Parameters
client_id – id of client (not client-id)
- Returns
Keycloak server response (ClientRepresentation)
- get_client_id(self, client_name)¶
Get internal keycloak client id from client-id. This is required for further actions against this client.
- Parameters
client_name – name in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
client_id (uuid as string)
- get_client_authz_settings(self, client_id)¶
Get authorization json from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response
- create_client_authz_resource(self, client_id, payload, skip_exists=False)¶
Create resources of client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
payload – ResourceRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_resourcerepresentation
- Returns
Keycloak server response
- get_client_authz_resources(self, client_id)¶
Get resources from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response
- create_client_authz_role_based_policy(self, client_id, payload, skip_exists=False)¶
Create role-based policy of client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
payload – No Document
- Returns
Keycloak server response
Payload example:
payload={ "type": "role", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "name": "Policy-1", "roles": [ { "id": id } ] }
- create_client_authz_resource_based_permission(self, client_id, payload, skip_exists=False)¶
Create resource-based permission of client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
payload – PolicyRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_policyrepresentation
- Returns
Keycloak server response
Payload example:
payload={ "type": "resource", "logic": "POSITIVE", "decisionStrategy": "UNANIMOUS", "name": "Permission-Name", "resources": [ resource_id ], "policies": [ policy_id ] }
- get_client_authz_scopes(self, client_id)¶
Get scopes from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response
- get_client_authz_permissions(self, client_id)¶
Get permissions from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response
- get_client_authz_policies(self, client_id)¶
Get policies from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
Keycloak server response
- get_client_service_account_user(self, client_id)¶
Get service account user from client.
- Parameters
client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Returns
UserRepresentation
- create_client(self, payload, skip_exists=False)¶
Create a client
ClientRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Parameters
skip_exists – If true then do not raise an error if client already exists
payload – ClientRepresentation
- Returns
Client ID
- update_client(self, client_id, payload)¶
Update a client
- Parameters
client_id – Client id
payload – ClientRepresentation
- Returns
Http response
- delete_client(self, client_id)¶
Delete the client
ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation
- Parameters
client_id – keycloak client id (not oauth client-id)
- Returns
Keycloak server response (ClientRepresentation)
- get_client_installation_provider(self, client_id, provider_id)¶
Get content for given installation provider
Related documentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource
Possible provider_id list available in the ServerInfoRepresentation#clientInstallations https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation
- Parameters
client_id – Client id
provider_id – provider id to specify response format
- get_realm_roles(self)¶
Get all roles for the realm or client
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Returns
Keycloak server response (RoleRepresentation)
- get_realm_role_members(self, role_name, query=None)¶
Get role members of realm by role name.
- Parameters
role_name – Name of the role.
query – Additional Query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_roles_resource)
- Returns
Keycloak Server Response (UserRepresentation)
- get_client_roles(self, client_id)¶
Get all roles for the client
- Parameters
client_id – id of client (not client-id)
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Returns
Keycloak server response (RoleRepresentation)
- get_client_role(self, client_id, role_name)¶
Get client role id by name. This is required for further actions with this role.
- Parameters
client_id – id of client (not client-id)
role_name – role’s name (not id!)
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Returns
role_id
- get_client_role_id(self, client_id, role_name)¶
Warning: Deprecated
Get client role id by name. This is required for further actions with this role.
- Parameters
client_id – id of client (not client-id)
role_name – role’s name (not id!)
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Returns
role_id
- create_client_role(self, client_role_id, payload, skip_exists=False)¶
Create a client role
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Parameters
client_role_id – id of client (not client-id)
payload – RoleRepresentation
skip_exists – If true then do not raise an error if client role already exists
- Returns
Client role name
- add_composite_client_roles_to_role(self, client_role_id, role_name, roles)¶
Add composite roles to client role
- Parameters
client_role_id – id of client (not client-id)
role_name – The name of the role
roles – roles list or role (use RoleRepresentation) to be updated
- Returns
Keycloak server response
- update_client_role(self, client_role_id, role_name, payload)¶
Update a client role
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Parameters
client_role_id – id of client (not client-id)
role_name – role’s name (not id!)
payload – RoleRepresentation
- delete_client_role(self, client_role_id, role_name)¶
Delete a client role
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Parameters
client_role_id – id of client (not client-id)
role_name – role’s name (not id!)
- assign_client_role(self, user_id, client_id, roles)¶
Assign a client role to a user
- Parameters
user_id – id of user
client_id – id of client (not client-id)
roles – roles list or role (use RoleRepresentation)
- Returns
Keycloak server response
- get_client_role_members(self, client_id, role_name, **query)¶
Get members by client role.
- Parameters
client_id – The client id
role_name – the name of role to be queried.
query – Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource)
- Returns
Keycloak server response (UserRepresentation)
- get_client_role_groups(self, client_id, role_name, **query)¶
Get group members by client role.
- Parameters
client_id – The client id
role_name – the name of role to be queried.
query – Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource)
- Returns
Keycloak server response
- create_realm_role(self, payload, skip_exists=False)¶
Create a new role for the realm or client
- Parameters
payload – The role (use RoleRepresentation)
skip_exists – If true then do not raise an error if realm role already exists
- Returns
Realm role name
- get_realm_role(self, role_name)¶
Get realm role by role name
RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation
- Parameters
role_name – role’s name, not id!
- Returns
role_id
- update_realm_role(self, role_name, payload)¶
Update a role for the realm by name
- Parameters
role_name – The name of the role to be updated
payload – The role (use RoleRepresentation)
- Returns
Keycloak server response
- delete_realm_role(self, role_name)¶
Delete a role for the realm by name
- Parameters
role_name – The role name {‘role-name’:’name-of-the-role’}
- Returns
Keycloak server response
- add_composite_realm_roles_to_role(self, role_name, roles)¶
Add composite roles to the role
- Parameters
role_name – The name of the role
roles – roles list or role (use RoleRepresentation) to be updated
- Returns
Keycloak server response
- remove_composite_realm_roles_to_role(self, role_name, roles)¶
Remove composite roles from the role
- Parameters
role_name – The name of the role
roles – roles list or role (use RoleRepresentation) to be removed
- Returns
Keycloak server response
- get_composite_realm_roles_of_role(self, role_name)¶
Get composite roles of the role
- Parameters
role_name – The name of the role
- Returns
Keycloak server response (array RoleRepresentation)
- assign_realm_roles(self, user_id, roles)¶
Assign realm roles to a user
- Parameters
user_id – id of user
roles – roles list or role (use RoleRepresentation)
- Returns
Keycloak server response
- delete_realm_roles_of_user(self, user_id, roles)¶
Deletes realm roles of a user
- Parameters
user_id – id of user
roles – roles list or role (use RoleRepresentation)
- Returns
Keycloak server response
- get_realm_roles_of_user(self, user_id)¶
Get all realm roles for a user.
- Parameters
user_id – id of user
- Returns
Keycloak server response (array RoleRepresentation)
- get_available_realm_roles_of_user(self, user_id)¶
Get all available (i.e. unassigned) realm roles for a user.
- Parameters
user_id – id of user
- Returns
Keycloak server response (array RoleRepresentation)
- get_composite_realm_roles_of_user(self, user_id)¶
Get all composite (i.e. implicit) realm roles for a user.
- Parameters
user_id – id of user
- Returns
Keycloak server response (array RoleRepresentation)
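A read-only audit built from the user, role and credential getters documented on this page, as an added example that is not part of python-keycloak or its documentation: it lists enabled users holding a sensitive realm role, marks roles that reach them only implicitly, and flags a missing OTP credential. SENSITIVE_ROLES, the FakeAdmin stand-in and its sample data are constructed; the dictionary keys (id, username, enabled, name, type) and the "otp" credential type are assumed from Keycloak's UserRepresentation, RoleRepresentation and CredentialRepresentation.

```python
"""Audit which enabled users hold sensitive realm roles and whether they have OTP."""

# Assumption: role names treated as sensitive in this realm (hypothetical values).
SENSITIVE_ROLES = frozenset({"admin", "realm-admin"})


def audit_privileged_users(admin, sensitive_roles=SENSITIVE_ROLES):
    """Return one finding per enabled user that holds a sensitive realm role.

    `admin` is any object exposing the KeycloakAdmin methods used below, e.g.
    KeycloakAdmin(server_url=..., username=..., password=..., realm_name=...,
    verify=True). Only getters are called, so the audit changes nothing.
    """
    findings = []
    for user in admin.get_users():
        if not user.get("enabled", False):
            continue  # disabled accounts cannot log in; report them separately if needed
        uid = user["id"]
        # Directly assigned realm roles.
        direct = {r["name"] for r in admin.get_realm_roles_of_user(uid)}
        # Composite (implicit) realm roles as returned by the server.
        implicit = {r["name"] for r in admin.get_composite_realm_roles_of_user(uid)}
        held = (direct | implicit) & set(sensitive_roles)
        if not held:
            continue
        cred_types = {c.get("type") for c in admin.get_credentials(uid)}
        findings.append({
            "username": user["username"],
            "roles": sorted(held),
            # Roles that never show up in the direct assignment list.
            "inherited_only": sorted(held - direct),
            "has_otp": "otp" in cred_types,
        })
    return sorted(findings, key=lambda f: f["username"])


class FakeAdmin:
    """Constructed stand-in for KeycloakAdmin so the audit runs offline."""

    USERS = [
        {"id": "u1", "username": "alice", "enabled": True},
        {"id": "u2", "username": "bob", "enabled": True},
        {"id": "u3", "username": "carol", "enabled": False},
        {"id": "u4", "username": "dave", "enabled": True},
    ]
    DIRECT = {"u1": ["admin"], "u2": ["auditor"],
              "u3": ["admin"], "u4": ["offline_access"]}
    IMPLICIT = {"u1": ["admin", "view-users"], "u2": ["auditor", "realm-admin"],
                "u3": ["admin"], "u4": ["offline_access"]}
    CREDS = {"u1": ["password", "otp"], "u2": ["password"],
             "u3": ["password"], "u4": ["password"]}

    def get_users(self, query=None):
        return list(self.USERS)

    def get_realm_roles_of_user(self, user_id):
        return [{"name": n} for n in self.DIRECT[user_id]]

    def get_composite_realm_roles_of_user(self, user_id):
        return [{"name": n} for n in self.IMPLICIT[user_id]]

    def get_credentials(self, user_id):
        return [{"type": t} for t in self.CREDS[user_id]]


if __name__ == "__main__":
    for finding in audit_privileged_users(FakeAdmin()):
        print(finding)
```

Comparing the direct and composite lists matters because a role granted through a composite never appears in the direct assignment list for the user.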
- assign_group_realm_roles(self, group_id, roles)¶
Assign realm roles to a group
- Parameters
group_id – id of group
roles – roles list or role (use GroupRoleRepresentation)
- Returns
Keycloak server response
- delete_group_realm_roles(self, group_id, roles)¶
Delete realm roles of a group
- Parameters
group_id – id of group
roles – roles list or role (use GroupRoleRepresentation)
- Returns
Keycloak server response
- get_group_realm_roles(self, group_id)¶
Get all realm roles for a group.
- Parameters
group_id – id of the group
- Returns
Keycloak server response (array RoleRepresentation)
- assign_group_client_roles(self, group_id, client_id, roles)¶
Assign client roles to a group
- Parameters
group_id – id of group
client_id – id of client (not client-id)
roles – roles list or role (use GroupRoleRepresentation)
- Returns
Keycloak server response
- get_group_client_roles(self, group_id, client_id)¶
Get client roles of a group
- Parameters
group_id – id of group
client_id – id of client (not client-id)
- Returns
Keycloak server response
- delete_group_client_roles(self, group_id, client_id, roles)¶
Delete client roles of a group
- Parameters
group_id – id of group
client_id – id of client (not client-id)
roles – roles list or role (use GroupRoleRepresentation)
- Returns
Keycloak server response (array RoleRepresentation)
- get_client_roles_of_user(self, user_id, client_id)¶
Get all client roles for a user.
- Parameters
user_id – id of user
client_id – id of client (not client-id)
- Returns
Keycloak server response (array RoleRepresentation)
- get_available_client_roles_of_user(self, user_id, client_id)¶
Get available client role-mappings for a user.
- Parameters
user_id – id of user
client_id – id of client (not client-id)
- Returns
Keycloak server response (array RoleRepresentation)
- get_composite_client_roles_of_user(self, user_id, client_id)¶
Get composite client role-mappings for a user.
- Parameters
user_id – id of user
client_id – id of client (not client-id)
- Returns
Keycloak server response (array RoleRepresentation)
- _get_client_roles_of_user(self, client_level_role_mapping_url, user_id, client_id)¶
- delete_client_roles_of_user(self, user_id, client_id, roles)¶
Delete client roles from a user.
- Parameters
user_id – id of user
client_id – id of client containing role (not client-id)
roles – roles list or role to delete (use RoleRepresentation)
- Returns
Keycloak server response
- get_authentication_flows(self)¶
Get authentication flows. Returns all flow details
AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation
- Returns
Keycloak server response (AuthenticationFlowRepresentation)
- get_authentication_flow_for_id(self, flow_id)¶
Get one authentication flow by its id. Returns all flow details
AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation
- Parameters
flow_id – the id of a flow NOT its alias
- Returns
Keycloak server response (AuthenticationFlowRepresentation)
- create_authentication_flow(self, payload, skip_exists=False)¶
Create a new authentication flow
AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation
- Parameters
payload – AuthenticationFlowRepresentation
skip_exists – Do not raise an error if authentication flow already exists
- Returns
Keycloak server response (RoleRepresentation)
- copy_authentication_flow(self, payload, flow_alias)¶
Copy existing authentication flow under a new name. The new name is given as ‘newName’ attribute of the passed payload.
- Parameters
payload – JSON containing ‘newName’ attribute
flow_alias – the flow alias
- Returns
Keycloak server response (RoleRepresentation)
- delete_authentication_flow(self, flow_id)¶
Delete authentication flow
AuthenticationInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationinforepresentation
- Parameters
flow_id – authentication flow id
- Returns
Keycloak server response
- get_authentication_flow_executions(self, flow_alias)¶
Get authentication flow executions. Returns all execution steps
- Parameters
flow_alias – the flow alias
- Returns
Response(json)
- update_authentication_flow_executions(self, payload, flow_alias)¶
Update an authentication flow execution
AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation
- Parameters
payload – AuthenticationExecutionInfoRepresentation
flow_alias – The flow alias
- Returns
Keycloak server response
- get_authentication_flow_execution(self, execution_id)¶
Get authentication flow execution.
AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation
- Parameters
execution_id – the execution ID
- Returns
Response(json)
- create_authentication_flow_execution(self, payload, flow_alias)¶
Create an authentication flow execution
AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation
- Parameters
payload – AuthenticationExecutionInfoRepresentation
flow_alias – The flow alias
- Returns
Keycloak server response
- delete_authentication_flow_execution(self, execution_id)¶
Delete authentication flow execution
AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation
- Parameters
execution_id – keycloak client id (not oauth client-id)
- Returns
Keycloak server response (json)
- create_authentication_flow_subflow(self, payload, flow_alias, skip_exists=False)¶
Create a new sub authentication flow for a given authentication flow
AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation
- Parameters
payload – AuthenticationFlowRepresentation
flow_alias – The flow alias
skip_exists – Do not raise an error if authentication flow already exists
- Returns
Keycloak server response (RoleRepresentation)
- get_authenticator_providers(self)¶
Get authenticator providers list.
- Returns
Response(json)
- get_authenticator_provider_config_description(self, provider_id)¶
Get authenticator’s provider configuration description.
AuthenticatorConfigInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfiginforepresentation
- Parameters
provider_id – Provider Id
- Returns
AuthenticatorConfigInfoRepresentation
- get_authenticator_config(self, config_id)¶
Get authenticator configuration. Returns all configuration details.
- Parameters
config_id – Authenticator config id
- Returns
Response(json)
- update_authenticator_config(self, payload, config_id)¶
Update an authenticator configuration.
AuthenticatorConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfigrepresentation
- Parameters
payload – AuthenticatorConfigRepresentation
config_id – Authenticator config id
- Returns
Response(json)
- delete_authenticator_config(self, config_id)¶
Delete an authenticator configuration. https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authentication_management_resource
- Parameters
config_id – Authenticator config id
- Returns
Keycloak server Response
- sync_users(self, storage_id, action)¶
Function to trigger user sync from provider
- Parameters
storage_id – The id of the user storage provider
action – Action can be “triggerFullSync” or “triggerChangedUsersSync”
- Returns
- get_client_scopes(self)¶
Get representation of the client scopes for the realm we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes
- Returns
Keycloak server response Array of (ClientScopeRepresentation)
- get_client_scope(self, client_scope_id)¶
Get representation of the client scopes for the realm we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes
- Parameters
client_scope_id – The id of the client scope
- Returns
Keycloak server response (ClientScopeRepresentation)
- get_client_scope_by_name(self, client_scope_name)¶
Get representation of the client scope identified by the client scope name.
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes
- Parameters
client_scope_name – (str) Name of the client scope
- Returns
ClientScopeRepresentation or None
- create_client_scope(self, payload, skip_exists=False)¶
Create a client scope
ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes
- Parameters
payload – ClientScopeRepresentation
skip_exists – If true then do not raise an error if client scope already exists
- Returns
Client scope id
- update_client_scope(self, client_scope_id, payload)¶
Update a client scope
ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource
- Parameters
client_scope_id – The id of the client scope
payload – ClientScopeRepresentation
- Returns
Keycloak server response (ClientScopeRepresentation)
- delete_client_scope(self, client_scope_id)¶
Delete existing client scope.
ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource
- Parameters
client_scope_id – The id of the client scope
- Returns
Keycloak server response
- get_mappers_from_client_scope(self, client_scope_id)¶
Get a list of all mappers connected to the client scope
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource
- Parameters
client_scope_id – Client scope id
- Returns
Keycloak server response (ProtocolMapperRepresentation)
- add_mapper_to_client_scope(self, client_scope_id, payload)¶
Add a mapper to a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper
- Parameters
client_scope_id – The id of the client scope
payload – ProtocolMapperRepresentation
- Returns
Keycloak server Response
- delete_mapper_from_client_scope(self, client_scope_id, protocol_mapper_id)¶
Delete a mapper from a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_delete_mapper
- Parameters
client_scope_id – The id of the client scope
protocol_mapper_id – Protocol mapper id
- Returns
Keycloak server Response
- update_mapper_in_client_scope(self, client_scope_id, protocol_mapper_id, payload)¶
Update an existing protocol mapper in a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource
- Parameters
client_scope_id – The id of the client scope
protocol_mapper_id – The id of the protocol mapper which exists in the client scope and should be updated
payload – ProtocolMapperRepresentation
- Returns
Keycloak server Response
- get_default_default_client_scopes(self)¶
Return list of default default client scopes
- Returns
Keycloak server response
- delete_default_default_client_scope(self, scope_id)¶
Delete default default client scope
- Parameters
scope_id – default default client scope id
- Returns
Keycloak server response
- add_default_default_client_scope(self, scope_id)¶
Add default default client scope
- Parameters
scope_id – default default client scope id
- Returns
Keycloak server response
- get_default_optional_client_scopes(self)¶
Return list of default optional client scopes
- Returns
Keycloak server response
- delete_default_optional_client_scope(self, scope_id)¶
Delete default optional client scope
- Parameters
scope_id – default optional client scope id
- Returns
Keycloak server response
- add_default_optional_client_scope(self, scope_id)¶
Add default optional client scope
- Parameters
scope_id – default optional client scope id
- Returns
Keycloak server response
- get_mappers_from_client(self, client_id)¶
List of all client mappers.
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocolmapperrepresentation
- Parameters
client_id – Client id
- Returns
KeycloakServerResponse (list of ProtocolMapperRepresentation)
- add_mapper_to_client(self, client_id, payload)¶
Add a mapper to a client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper
- Parameters
client_id – The id of the client
payload – ProtocolMapperRepresentation
- Returns
Keycloak server Response
- update_client_mapper(self, client_id, mapper_id, payload)¶
Update client mapper
- Parameters
client_id – The id of the client
client_mapper_id – The id of the mapper to be deleted
payload – ProtocolMapperRepresentation
- Returns
Keycloak server response
- remove_client_mapper(self, client_id, client_mapper_id)¶
Removes a mapper from the client https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_protocol_mappers_resource
- Parameters
client_id – The id of the client
client_mapper_id – The id of the mapper to be deleted
- Returns
Keycloak server response
- generate_client_secrets(self, client_id)¶
Generate a new secret for the client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_regeneratesecret
- Parameters
client_id – id of client (not client-id)
- Returns
Keycloak server response (ClientRepresentation)
- get_client_secrets(self, client_id)¶
Get representation of the client secrets https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsecret
- Parameters
client_id – id of client (not client-id)
- Returns
Keycloak server response (ClientRepresentation)
- get_components(self, query=None)¶
Return a list of components, filtered according to query parameters
ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation
- Parameters
query – Query parameters (optional)
- Returns
components list
- create_component(self, payload)¶
Create a new component.
ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation
- Parameters
payload – ComponentRepresentation
- Returns
Component id
- get_component(self, component_id)¶
Get representation of the component
- Parameters
component_id – Component id
ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation
- Returns
ComponentRepresentation
- update_component(self, component_id, payload)¶
Update the component
- Parameters
component_id – Component id
payload – ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation
- Returns
Http response
- delete_component(self, component_id)¶
Delete the component
- Parameters
component_id – Component id
- Returns
Http response
- get_keys(self)¶
Return a list of keys, filtered according to query parameters
KeysMetadataRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_key_resource
- Returns
keys list
- get_events(self, query=None)¶
Return a list of events, filtered according to query parameters
EventRepresentation array https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_eventrepresentation
- Returns
events list
- set_events(self, payload)¶
Set realm events configuration
RealmEventsConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmeventsconfigrepresentation
- Returns
Http response
- raw_get(self, *args, **kwargs)¶
Calls connection.raw_get.
If auto_refresh is set for get and access_token is expired, it will refresh the token and try get once more.
- raw_post(self, *args, **kwargs)¶
Calls connection.raw_post.
If auto_refresh is set for post and access_token is expired, it will refresh the token and try post once more.
- raw_put(self, *args, **kwargs)¶
Calls connection.raw_put.
If auto_refresh is set for put and access_token is expired, it will refresh the token and try put once more.
- raw_delete(self, *args, **kwargs)¶
Calls connection.raw_delete.
If auto_refresh is set for delete and access_token is expired, it will refresh the token and try delete once more.
- get_token(self)¶
- refresh_token(self)¶
- get_client_all_sessions(self, client_id)¶
Get sessions associated with the client
- Parameters
client_id – id of client
UserSessionRepresentation http://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation
- Returns
UserSessionRepresentation
- get_client_sessions_stats(self)¶
Get current session count for all clients with active sessions
https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsessionstats
- Returns
Dict of clients and session count
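The authentication-flow methods of this class (`get_authentication_flows` and `get_authentication_flow_executions`) return plain lists of dicts, so a reviewed baseline can be compared with the live realm to detect drift such as a required step being disabled. This is an added example, not part of python-keycloak: `StubAdmin`, the helper names and the sample flows are constructed, and the field names `alias`, `topLevel`, `providerId`, `displayName` and `requirement` are assumed from Keycloak's AuthenticationFlowRepresentation and AuthenticationExecutionInfoRepresentation.

```python
REQUIRED = "REQUIRED"


def snapshot_flows(admin):
    """Map (flow alias, step name) -> list of requirement values.

    `admin` needs the two KeycloakAdmin methods called below.
    """
    snapshot = {}
    for flow in admin.get_authentication_flows():
        if not flow.get("topLevel", True):
            continue  # nested sub-flows show up in the parent's executions
        alias = flow["alias"]
        for row in admin.get_authentication_flow_executions(alias):
            # Fall back to displayName for rows without a providerId.
            name = row.get("providerId") or row.get("displayName") or "?"
            snapshot.setdefault((alias, name), []).append(row.get("requirement"))
    return snapshot


def diff_flows(baseline, current):
    """Return one finding per step whose requirement list differs."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        before, after = baseline.get(key, []), current.get(key, [])
        if before == after:
            continue
        kind = "removed" if not after else "added" if not before else "changed"
        findings.append({
            "flow": key[0], "step": key[1], "kind": kind,
            "before": before, "after": after,
            # A step that was REQUIRED and no longer is deserves review first.
            "weakened": REQUIRED in before and REQUIRED not in after,
        })
    return findings


class StubAdmin:
    """Constructed stand-in for KeycloakAdmin so the example runs offline."""

    def __init__(self, executions):
        self._executions = executions

    def get_authentication_flows(self):
        return [{"alias": a, "topLevel": True} for a in self._executions]

    def get_authentication_flow_executions(self, flow_alias):
        return self._executions[flow_alias]


def step(provider_id, requirement):
    return {"providerId": provider_id, "requirement": requirement}


# Constructed sample data: the reviewed baseline and a later realm state.
BASELINE = StubAdmin({"browser": [
    step("auth-cookie", "ALTERNATIVE"),
    step("auth-username-password-form", "REQUIRED"),
    step("auth-otp-form", "REQUIRED"),
]})
LATER = StubAdmin({"browser": [
    step("auth-cookie", "ALTERNATIVE"),
    step("auth-username-password-form", "REQUIRED"),
    step("auth-otp-form", "DISABLED"),
    step("auth-spnego", "ALTERNATIVE"),
]})

if __name__ == "__main__":
    for finding in diff_flows(snapshot_flows(BASELINE), snapshot_flows(LATER)):
        print(finding)
```

Against a real server, pass a connected `KeycloakAdmin` instead of `StubAdmin` and store the baseline snapshot somewhere the realm administrators cannot modify.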
- class keycloak.KeycloakOpenID(server_url, realm_name, client_id, client_secret_key=None, verify=True, custom_headers=None, proxies=None)[source]¶
Keycloak OpenID client.
- Parameters
server_url – Keycloak server url
client_id – client id
realm_name – realm name
client_secret_key – client secret key
verify – True to check the SSL connection
custom_headers – dict of custom headers to pass to each HTTP request
proxies – dict of proxies to send the request through.
- property client_id(self)¶
- property client_secret_key(self)¶
- property realm_name(self)¶
- property connection(self)¶
- property authorization(self)¶
- _add_secret_key(self, payload)¶
Add secret key if it exists.
- Parameters
payload –
- Returns
- _build_name_role(self, role)¶
- Parameters
role –
- Returns
- _token_info(self, token, method_token_info, **kwargs)¶
- Parameters
token –
method_token_info –
kwargs –
- Returns
- well_known(self)¶
The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.
- Returns
The relevant endpoints and other configuration options.
- auth_url(self, redirect_uri)¶
http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
- Returns
- token(self, username='', password='', grant_type=['password'], code='', redirect_uri='', totp=None, **extra)¶
The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
username –
password –
grant_type –
code –
redirect_uri –
totp –
- Returns
- refresh_token(self, refresh_token, grant_type=['refresh_token'])¶
The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
refresh_token –
grant_type –
- Returns
- exchange_token(self, token: str, client_id: str, audience: str, subject: str) → dict¶
Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
- Parameters
token –
client_id –
audience –
subject –
- Returns
- userinfo(self, token)¶
The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
- Parameters
token –
- Returns
- logout(self, refresh_token)¶
The logout endpoint logs out the authenticated user.
- Parameters
refresh_token –
- Returns
- certs(self)¶
The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.
https://tools.ietf.org/html/rfc7517
- Returns
- public_key(self)¶
The public key is exposed by the realm page directly.
- Returns
- entitlement(self, token, resource_server_id)¶
Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.
- Returns
- introspect(self, token, rpt=None, token_type_hint=None)¶
The introspection endpoint is used to retrieve the active state of a token. It can only be invoked by confidential clients.
https://tools.ietf.org/html/rfc7662
- Parameters
token –
rpt –
token_type_hint –
- Returns
- decode_token(self, token, key, algorithms=['RS256'], **kwargs)¶
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.
https://tools.ietf.org/html/rfc7517
- Parameters
token –
key –
algorithms –
- Returns
- load_authorization_config(self, path)¶
Load Keycloak settings (authorization)
- Parameters
path – settings file (json)
- Returns
- get_policies(self, token, method_token_info='introspect', **kwargs)¶
Get policies by user token
- Parameters
token – user token
- Returns
policies list
- get_permissions(self, token, method_token_info='introspect', **kwargs)¶
Get permission by user token
- Parameters
token – user token
method_token_info – Decode token method
kwargs – parameters for decode
- Returns
permissions list
- uma_permissions(self, token, permissions='')¶
Get UMA permissions by user token with requested permissions
The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
token – user token
permissions – list of uma permissions list(resource:scope) requested by the user
- Returns
permissions list
- has_uma_access(self, token, permissions)¶
Determine whether user has uma permissions with specified user token
- Parameters
token – user token
permissions – list of uma permissions (resource:scope)
- Returns
auth status