def before_request(): if oidc.user_loggedin: g.user = oidc.user_getfield('name') g.role = "employee" email = oidc.user_getfield('email') groups = oidc.user_getfield('groups') print('groups : ', app_config['KEYCLOAK_URL']) keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'], username=app_config['USERNAME'], password=app_config['PASSWORD'], realm_name=app_config['REALM_NAME'], verify=True) users = keycloak_admin.get_users({}) #print(users) for user in users: print(user) if (email.strip().lower() == user['email'].strip().lower()): print(user['attributes']['emp_id']) print(user['attributes']['role'][0]) g.role = user['attributes']['role'][0] g.empId = user['attributes']['emp_id'][0] else: g.user = None
def _authentificate(self): self.keycloak_admin = KeycloakAdmin(server_url=self.base_url, username=self.username, password=self.password, verify=True) self.keycloak_admin.realm_name = self.realm
def create_department_group(keycloak_admin: keycloak.KeycloakAdmin, department: Department, parent_id=None, path="/"): with start_action(action_type="create_department_group", department=department.internal_name, path=path): # Create or update group keycloak_admin.create_group({"name": department.internal_name, "attributes": {"display_name": [department.name]}}, parent=parent_id, skip_exists=True) # Extend path path += department.internal_name # Get group id try: created_group = keycloak_admin.get_group_by_path(path, search_in_subgroups=True) except keycloak.KeycloakGetError as e: log_message(message_type="get_group_failed", exception=e) return # Add slash to group path path += "/" # Create groups for sub departments subgroup_names = [] for sub_department in department.children: create_department_group(keycloak_admin, sub_department, parent_id=created_group["id"], path=path) subgroup_names.append(sub_department.internal_name) # Delete old subgroups for old_group in created_group["subGroups"]: if old_group["name"] not in subgroup_names: keycloak_admin.delete_group(old_group["id"])
def create_emp_keycloak(employee): headers = {'Content-type': 'application/json'} print('config : ', app_config['CLIENT_SECRET']) keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'], username=app_config['USERNAME'], password=app_config['PASSWORD'], realm_name=app_config['REALM_NAME'], verify=True) users = keycloak_admin.get_users({}) print(users[0]['attributes']['emp_id']) # attrs = user_attributes(app_config['KEYCLOAK_URL'], app_config['REALM_NAME'], app_config['KEYCLOAK_URL'], token, "Jeyasri") # print(attrs) new_user = keycloak_admin.create_user({ "email": employee[3], "username": employee[1], "enabled": True, "firstName": employee[1], "lastName": employee[2], "credentials": [{ "value": "welcome123", "type": "password", }], "attributes": { "emp_id": employee[0] } })
def init(): keycloack = KeycloakAdmin(server_url='http://localhost:8080/auth/', username='******', password='******', realm_name='master', verify=True) keycloack.realm_name = 'n5geh_devices' keycloack.create_user({ "username": '******', "credentials": [{ "value": "password", "type": "password", }], "enabled": True, "firstName": 'Device', "lastName": 'Wizard' }) user_id = keycloack.get_user_id("device_wizard") client_id = keycloack.get_client_id("realm-management") role = keycloack.get_client_role(client_id=client_id, role_name="manage-users") keycloack.assign_client_role(client_id=client_id, user_id=user_id, roles=[role])
def __init__(self): keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')), username = os.getenv('KEYCLOAK_ADMIN_USER'), password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'), realm_name = "master", verify = True) keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME') return keycloak_admin
def get_keycload_admin(self, realm=None): ka = KeycloakAdmin(server_url=f"{self.kc_api}/auth/", username=self.kc_admin, password=self.kc_admin_pw, realm_name=self.kc_realm, verify=True) ka.realm_name = self.user_realm return ka
def create_client_and_get_client_secret(): # Create kong client on Keycloak keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL, username=KEYCLOAK_ADMIN_USER, password=KEYCLOAK_ADMIN_PASSWORD, verify=True) try: keycloak_admin.create_client({ "clientId": CLIENT_NAME, "name": CLIENT_NAME, "enabled": True, "redirectUris": ["/front/*", "/api/*", "/*", "*"], }) client_uuid = keycloak_admin.get_client_id(CLIENT_NAME) keycloak_admin.generate_client_secrets(client_uuid) except KeycloakGetError as e: if e.response_code == 409: print("Keycloak Kong client already exists") client_uuid = keycloak_admin.get_client_id(CLIENT_NAME) return keycloak_admin.get_client_secrets(client_uuid)['value']
def get(self, request, *args, **kwargs): keycloak_admin = KeycloakAdmin( server_url=admin_config['KEYCLOAK_SERVER_URL'], username=admin_config['KEYCLOAK_USERNAME'], password=admin_config['KEYCLOAK_PASSWORD'], realm_name=admin_config['KEYCLOAK_REALM'], verify=True) try: applications = keycloak_admin.get_clients() return response.Response(applications, status=status.HTTP_200_OK) except KeycloakError as e: print(e.__class__) return keycloak_error_response(e)
def _get_service_oidc_payload(service_name, realm): client_id = KEYCLOAK_KONG_CLIENT client_secret = None # must be the public url KEYCLOAK_URL = f'{HOST}/keycloak/auth/realms' OPENID_PATH = 'protocol/openid-connect' try: # https://bitbucket.org/agriness/python-keycloak # find out client secret # 1. connect to master realm keycloak_admin = KeycloakAdmin( server_url=KC_URL, username=KC_ADMIN_USER, password=KC_ADMIN_PASSWORD, realm_name=KC_MASTER_REALM, ) # 2. change to given realm keycloak_admin.realm_name = realm # 3. get kong client internal id client_pk = keycloak_admin.get_client_id(client_id) # 4. get its secrets secret = keycloak_admin.get_client_secrets(client_pk) client_secret = secret.get('value') except KeycloakError as ke: raise RuntimeError(f'Could not get info from keycloak {str(ke)}') except Exception as e: raise RuntimeError( f'Unexpected error, do the realm and the client exist? {str(e)}') # OIDC plugin settings (same for all endpoints) return { 'name': KONG_OIDC_PLUGIN, 'config.client_id': client_id, 'config.client_secret': client_secret, 'config.cookie_domain': DOMAIN, 'config.email_key': 'email', 'config.scope': 'openid+profile+email+iss', 'config.user_info_cache_enabled': 'true', 'config.app_login_redirect_url': f'{HOST}/{realm}/{service_name}/', 'config.authorize_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/auth', 'config.service_logout_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/logout', 'config.token_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/token', 'config.user_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/userinfo', }
def send(self, user_id_keycloak): """ Ponovo posalji email verifikaciju. user_id_keycloak -> send_verify_email send_verify_email : realm_name -> izvrsna komanda slanje verifikacije """ keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')), username = os.getenv('KEYCLOAK_ADMIN_USER'), password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'), realm_name = "master", verify = True) keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME') # user_id_keycloak dobijamo iz prethodne funkcije koju saljemo iz main fajla keycloak_admin.send_verify_email(user_id=user_id_keycloak)
def __init__(self): self.ClientId = "admin-cli" self.Realm = "zdr" self.Username = "******" self.Password = "******" self.FQDN = "auth.mydomain.dev" self.keycloak_admin = KeycloakAdmin(server_url="https://" + self.FQDN + "/auth/", username=self.Username, password=self.Password, realm_name=self.Realm, verify=True) self.keycloak_users = self.keycloak_admin.get_users({}) self.client_id = self.keycloak_admin.get_client_id("crm")
def get_kc_cookies(username): """ Login as Keycloak Admin and Impersonate User Keyword arguments: username -- Username of account to generate secret for """ admin = KeycloakAdmin( server_url="https://sso.csh.rit.edu/auth/", username=app.config["KC_ADMIN_USER"], password=app.config["KC_ADMIN_PW"], realm_name="master", verify=True, ) conn = admin.connection user = conn.raw_get( "admin/realms/csh/users?first=0&max=20&search={}@csh.rit.edu".format( username)) user_id = json.loads(user.text)[0]["id"] imp = conn.raw_post( "admin/realms/csh/users/{}/impersonation".format(user_id), data=json.dumps({ "user": user_id, "realm": "csh" }), ) return imp.cookies
def main(): args = args_parse() ssl_verify = True if args.disable_ssl_verify: ssl_verify = False server_url = args.server_url + '/auth/' # Full url to access api fp = open(args.input_yaml, 'rt') values = yaml.load(fp, Loader=yaml.FullLoader) try: session = KeycloakAdmin(server_url=server_url, username=args.admin_user, password=args.admin_password, realm_name='master', verify=ssl_verify) for realm in values: users = values[realm]['users'] for user in users: password = user['password'] if is_password_empty(password): password = generate_random_password(10) r = create_user(session, realm, user['username'], user['email'], user['firstName'], user['lastName'], password, user['temporary']) print('*** User: %s, password: %s' % (user['username'], password)) # Assign role assign_user_roles(session, realm, user['username'], user['roles']) except: formatted_lines = traceback.format_exc() print(formatted_lines) sys.exit(1) sys.exit(r)
def __get_keycloak_admin(self, realm_name="master") -> KeycloakAdmin: """Private function to get a Keycloak administration object which points at a specific realm. Uses a dict to store all instances of the Keycloak administration object as a cache. This ensures that we use one and only one admin object per realm. Args: realm_name (string): name of the realm to associate the keycloak admin object Returns: The initialised Keycloak admin object Raises: keycloak.exceptions.KeycloakConnectionError: Failed to connect to keycloak (invalid url/server unavailable) keycloak.exceptions.KeycloakAuthenticationError: Invalid user credentials """ if realm_name not in self.keycloak_admins: # Can't log directly into a non-master realm, set the realm after logging in to the 'master' realm # There's flipped logic for 'self.insecure' and 'verify', as 'verified connection == not insecure' self.keycloak_admins[realm_name] = KeycloakAdmin( server_url=self.server_url, username=self.admin_username, password=self.admin_password, realm_name="master", verify=(not self.insecure), ) self.keycloak_admins[realm_name].realm_name = realm_name return self.keycloak_admins[realm_name]
def main(): args = args_parse() ssl_verify = True if args.disable_ssl_verify: ssl_verify = False server_url = args.server_url + '/auth/' # Full url to access api fp = open(args.input_yaml, 'rt') values = yaml.load(fp, Loader=yaml.FullLoader) try: session = KeycloakAdmin(server_url=server_url, username=args.admin_user, password=args.admin_password, realm_name='master', verify=ssl_verify) for realm in values: users = values[realm]['users'] for user in users: r = delete_user(session, realm, user['username']) except: formatted_lines = traceback.format_exc() print(formatted_lines) sys.exit(1) sys.exit(r)
def get_admin_client(config: Config) -> KeycloakAdmin: params = { "server_url": config.users["provider"]["url"], "realm_name": config.users["provider"]["realm_name"], "client_secret_key": config.users["provider"]["client_secret_key"], "verify": True, } return KeycloakAdmin(**params)
def main(): keycloak_admin = KeycloakAdmin(server_url='http://localhost:8080/auth/', username='******', password='******', realm_name='master', verify=True) for user in convert_to_users(emails): print(user) create_user(keycloak_admin, user) user_id = keycloak_admin.get_user_id(user.username) print("User id: ", user_id) reset_password(keycloak_admin, user, user_id) assign_roles(keycloak_admin, user_id)
def get_instance(self) -> KeycloakAdmin: return KeycloakAdmin( server_url=settings.OIDC_RP_SERVER_URL, realm_name=settings.OIDC_RP_REALM_NAME, client_id=settings.OIDC_RP_CLIENT_ID, client_secret_key=settings.OIDC_RP_CLIENT_SECRET, verify=True, auto_refresh_token=["get", "post", "put", "delete"], )
def wrapper(*args, **kwargs): nonlocal obj try: return obj(*args, **kwargs) except KeycloakError: # retry logger.debug("got keycloak error, retry.") self.keycloak_admin = KeycloakAdmin(*self._args, **self._kwargs) obj = getattr(self.keycloak_admin, item) return obj(*args, **kwargs)
def test_keycloak(): from keycloak import KeycloakOpenID # Configure client # keycloak_openid = KeycloakOpenID(server_url="http://127.0.0.1:8080/auth/", # client_id="master-realm", # realm_name="master", # client_secret_key="c5c25fef-b247-4876-8f8e-c8b90780daee") # # Get WellKnow # config_well_know = keycloak_openid.well_know() # # # Get Token # token = keycloak_openid.token("omar", "omar19") # # token = keycloak_openid.token("user", "password", totp="012345") # return token # # # Get Userinfo # userinfo = keycloak_openid.userinfo(token['access_token']) # return userinfo from keycloak import KeycloakAdmin # connect to keycloak server admin = KeycloakAdmin(server_url='http://127.0.0.1:8080/auth/', username='******', password='******', realm_name='master', verify=True) user_groups = admin.get_user_groups(user_id="9018d0fe-4dc6-41bf-ad9f-02fd5fe3cd1a") # return user_groups # Add user # new_user = admin.create_user({"email": "*****@*****.**", # "username": "******", # "enabled": True, # "firstName": "Example", # "lastName": "Example"}) # return new_user # Get User user = admin.get_user("58b704de-f5e6-422b-aa59-bf36a45d62f5") return user
def admin_api(): conf = app.config['keycloak'] keycloak_admin = KeycloakAdmin(server_url=conf['serverUrl'], username=conf['username'], password=conf['password'], realm_name=conf['realm'], client_id=conf['clientId'], user_realm_name=conf['userRealm'], verify=True) return keycloak_admin
def create_keycloak_admin_client() -> KeycloakAdmin: with start_action(action_type="create_keycloak_admin_client"): return KeycloakAdmin( server_url=settings.keycloak_url, realm_name=settings.realm, client_id=settings.client_id, client_secret_key=settings.client_secret, user_realm_name="master", verify=True, auto_refresh_token=['get', 'post', 'put', 'delete'])
def keycloak_api(self): """ one limitation of this api endpoint is that you must first connect to the master realm, then connect to the desired realm. To get the api for a different realm, use self.get_keycloak_api """ server_url = f"{self.saml_endpoint}/" realm = self.realms.get('master') return KeycloakAdmin(server_url=server_url, realm_name=realm, username=self.username, password=self.password)
def client(): # connect to master realm try: keycloak_admin = KeycloakAdmin( server_url=KC_URL, username=KC_ADMIN_USER, password=KC_ADMIN_PASSWORD, realm_name=KC_MASTER_REALM, ) return keycloak_admin except KeycloakError as ke: raise RuntimeError(f'Could not get info from keycloak {str(ke)}')
def test_KeycloakAdmin_custom_header(self): class FakeToken: @staticmethod def get(string_val): return "faketoken" fake_token = FakeToken() with mock.patch.object(KeycloakOpenID, "__init__", return_value=None) as mock_keycloak_open_id: with mock.patch("keycloak.keycloak_openid.KeycloakOpenID.token", return_value=fake_token): with mock.patch( "keycloak.connection.ConnectionManager.__init__", return_value=None) as mock_connection_manager: with mock.patch( "keycloak.connection.ConnectionManager.__del__", return_value=None ) as mock_connection_manager_delete: server_url = "https://localhost/auth/" username = "******" password = "******" realm_name = "master" headers = {'Custom': 'test-custom-header'} KeycloakAdmin(server_url=server_url, username=username, password=password, realm_name=realm_name, verify=False, custom_headers=headers) mock_keycloak_open_id.assert_called_with( server_url=server_url, realm_name=realm_name, client_id='admin-cli', client_secret_key=None, verify=False, custom_headers=headers) expected_header = { 'Authorization': 'Bearer faketoken', 'Content-Type': 'application/json', 'Custom': 'test-custom-header' } mock_connection_manager.assert_called_with( base_url=server_url, headers=expected_header, timeout=60, verify=False) mock_connection_manager_delete.assert_called_once_with( )
class KeycloakHelper: def __init__(self, base_url: str, realm: str, username: str, password: str): self.base_url: str = base_url self.realm: str = realm self.username: str = username self.password: str = password self.keycloak_admin: Union[KeycloakAdmin, None] = None self._authentificate() self.user_endpoint = f"{self.base_url}/admin/realms/{self.realm}/users" self.group_endpoint = f"{self.base_url}/admin/realms/{self.realm}/groups" def _authentificate(self): self.keycloak_admin = KeycloakAdmin(server_url=self.base_url, username=self.username, password=self.password, verify=True) self.keycloak_admin.realm_name = self.realm @classmethod def from_config(cls, config): return cls( base_url=config.KEYCLOAK_BASE_URL, realm=config.KEYCLOAK_REALM, username=config.KEYCLOAK_USERNAME, password=config.KEYCLOAK_PASSWORD ) def update_user_at_creation(self, user_id: str, first_name: str, last_name: str, attributes: dict) -> bool: self._authentificate() body = { "firstName": first_name, "lastName": last_name, "attributes": attributes } current_app.logger.info(f"User id : {user_id}") self.keycloak_admin.update_user(user_id=user_id, payload=body) return True def update_user_attributes(self, user_id: str, attributes: dict) -> bool: self._authentificate() body = { "attributes": attributes } self.keycloak_admin.update_user(user_id=user_id, payload=body) return True def assign_to_group(self, user_id: str, group_name: str) -> bool: self._authentificate() current_app.logger.info(f"group_name {group_name}") group_id = self.keycloak_admin.get_group_by_path(f"/{group_name}")["id"] self.keycloak_admin.group_user_add(user_id=user_id, group_id=group_id) return True
def resend(self, username): """ Uzmi Keycloak user id. Parametri: --------------- user_id_keycloak -> username : None -> bool(False) - ako nema username user_id_keycloak -> username : bool(True), user_id - ima username """ keycloak_admin = KeycloakAdmin(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')), username = os.getenv('KEYCLOAK_ADMIN_USER'), password = os.getenv('KEYCLOAK_ADMIN_PASSWORD'), realm_name = "master", verify = True) keycloak_admin.realm_name = os.getenv('CLIENT_RELM_NAME') user_id_keycloak = keycloak_admin.get_user_id(self.username) if user_id_keycloak == None: return {"exist" : False} else: return {"exist" : True, "user_id_keycloak" : user_id_keycloak}
def init_kc_admin(): logging.info('Initializing keycloak admin client...') try: kc.admin = KeycloakAdmin( server_url=KEYCLOAK_SERVER, username=KEYCLOAK_USERNAME, password=KEYCLOAK_PASSWORD, realm_name='master', verify=True, auto_refresh_token=['get', 'put', 'post', 'delete']) logging.info('Initialized keycloak admin client') except: logging.error('Failed initializing keycloak admin client')
def get_admin_client(self): """ Setup and return a keycloak admin client The client will connect to the Keycloak server with the default admin credentials and connects to the 'master' realm. The client uses the application realm for read/write to the Keycloak server :return: KeycloakAdmin """ user = "******" passwd = get_api_password() if not getattr(self, "_admin_client", None): self._admin_client = KeycloakAdmin( server_url=get_server_url(), username=user, password=passwd, realm_name=get_auth_realm(), user_realm_name='master', verify=True) return self._admin_client