sys.stdout.write("done\n") else: sys.stderr.write("Could not get a token. Is Keycloak \ running under {}?\n".format(args.keycloak_url)) exit(1) # Now that we obviously have all we need, let's create the # realm, clients and users, skipping what already exists. sys.stdout.write("Creating {} realm, skipping if it already exists...".format( args.realm)) keycloak_admin.create_realm( payload={ "realm": args.realm, "enabled": True, "registrationAllowed": True, "accessTokenLifespan": 1800, "ssoSessionIdleTimeout": 86400, "ssoSessionMaxLifespan": 604800, "registrationEmailAsUsername": True, }, skip_exists=True, ) sys.stdout.write("done\n") # Switching to the newly created realm keycloak_admin.realm_name = args.realm for new_client in new_clients: _check_and_create_client(keycloak_admin, new_client) for new_user in new_users: _check_and_create_user(keycloak_admin, new_user)
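class KeycloakSession:
    """Idempotent provisioning helpers on top of ``KeycloakAdmin``.

    Every ``create_*`` method first tries to create the object and, when the
    server answers 409 Conflict (already exists), updates it in place instead.
    Methods that act inside a realm temporarily point ``keycloak_admin`` at
    that realm and always switch it back to ``'master'`` on the way out, even
    when the call fails (the wrapped client scopes its admin requests by the
    ``realm_name`` attribute, so a stale value would send the next call to the
    wrong realm).
    """

    # Realm the admin client is parked on between calls.
    _HOME_REALM = 'master'

    def __init__(self, realm, server_url, user, pwd, ssl_verify):
        """Open an admin session against *server_url*.

        Args:
            realm: realm the admin account lives in. The other methods
                restore ``'master'`` after switching realms, so they assume
                this is ``'master'``.
            server_url: base URL of the Keycloak server.
            user: admin username.
            pwd: admin password.
            ssl_verify: forwarded as ``verify`` (TLS certificate validation).
        """
        self.keycloak_admin = KeycloakAdmin(server_url=server_url,
                                            username=user,
                                            password=pwd,
                                            realm_name=realm,
                                            verify=ssl_verify)

    def _restore_realm(self):
        """Point the admin client back at the home realm."""
        self.keycloak_admin.realm_name = self._HOME_REALM

    def create_realm(self, realm):
        """Create *realm* with fixed code/token lifespans, or update it if present.

        Args:
            realm: realm name.

        Returns:
            0, kept for callers that check the result.

        Raises:
            KeycloakError: any server error other than 409 Conflict.
        """
        payload = {
            "realm": realm,
            "enabled": True,
            "accessCodeLifespan": 7200,
            "accessCodeLifespanLogin": 1800,
            "accessCodeLifespanUserAction": 300,
            # NOTE(review): 86400 s gives access tokens a 24 h validity; a
            # stolen token stays usable for that long regardless of session
            # revocation. Consider a shorter lifespan outside local testing.
            "accessTokenLifespan": 86400,
            "accessTokenLifespanForImplicitFlow": 900,
            "actionTokenGeneratedByAdminLifespan": 43200,
            "actionTokenGeneratedByUserLifespan": 300,
        }
        try:
            self.keycloak_admin.create_realm(payload, skip_exists=False)
        except KeycloakError as e:
            # Only "already exists" is recoverable; every other server error
            # used to be swallowed here, hiding failed provisioning.
            if e.response_code != 409:
                raise
            print('Exists, updating %s' % realm)
            self.keycloak_admin.update_realm(realm, payload)
        return 0

    def create_role(self, realm, role):
        """Create realm role *role* in *realm*, skipping it if it exists.

        Args:
            realm: realm to create the role in.
            role: role name.

        Returns:
            0, kept for callers that check the result.
        """
        print('Creating role %s for realm %s' % (role, realm))
        # The client creates roles in whatever realm it is pointed at, so
        # switch explicitly instead of creating the role in master.
        self.keycloak_admin.realm_name = realm
        try:
            self.keycloak_admin.create_realm_role(
                {'name': role, 'clientRole': False}, skip_exists=True)
        finally:
            self._restore_realm()
        return 0

    def create_client(self, realm, client, secret, sa_roles=None):
        """Create (or update) confidential client *client* in *realm*.

        Args:
            realm: realm to create the client in.
            client: the client id (``clientId`` in Keycloak terms).
            secret: client secret to set on the client.
            sa_roles: optional list of realm role names to grant to the
                client's service-account user. ``None`` or empty skips
                the role assignment.

        Raises:
            KeycloakError: any server error other than 409 Conflict on the
                create call.
        """
        self.keycloak_admin.realm_name = realm
        payload = {
            "clientId": client,
            "secret": secret,
            "standardFlowEnabled": True,
            "serviceAccountsEnabled": True,
            "directAccessGrantsEnabled": True,
            # NOTE(review): '*' accepts any redirect URI, so an authorization
            # code can be sent to an attacker-chosen URL. Restrict this to the
            # application's real callback URLs in anything but a throwaway
            # local setup.
            "redirectUris": ['*'],
            "authorizationServicesEnabled": True,
        }
        try:
            try:
                print('Creating client %s' % client)
                self.keycloak_admin.create_client(payload, skip_exists=False)
            except KeycloakError as e:
                # 409 means the client exists: update it rather than skip,
                # so the payload above is always applied.
                if e.response_code != 409:
                    raise
                print('Exists, updating %s' % client)
                client_id = self.keycloak_admin.get_client_id(client)
                self.keycloak_admin.update_client(client_id, payload)
            # The original code did len(sa_roles) and crashed on the
            # documented default of None; treat None and [] the same way.
            if sa_roles:
                self._assign_service_account_roles(client, sa_roles)
        finally:
            self._restore_realm()

    def _assign_service_account_roles(self, client, sa_roles):
        """Grant realm roles *sa_roles* to the service-account user of *client*.

        Expects ``keycloak_admin.realm_name`` to already be the target realm.
        """
        # Full role representations are required by the realm-roles endpoint,
        # not just the names.
        roles = [self.keycloak_admin.get_realm_role(role) for role in sa_roles]
        client_id = self.keycloak_admin.get_client_id(client)
        user = self.keycloak_admin.get_client_service_account_user(client_id)
        params_path = {
            "realm-name": self.keycloak_admin.realm_name,
            "id": user["id"],
        }
        self.keycloak_admin.raw_post(
            URL_ADMIN_USER_REALM_ROLES.format(**params_path),
            data=json.dumps(roles))

    def create_user(self, realm, uname, email, fname, lname, password,
                    temp_flag):
        """Create user *uname* in *realm* and set its password, or update it.

        Args:
            realm: realm to create the user in.
            uname: username.
            email: e-mail address.
            fname: first name.
            lname: last name.
            password: initial password; only set when the user is newly
                created. An existing user keeps its current password.
            temp_flag: when true the password must be changed at first login.

        Raises:
            KeycloakError: any server error other than 409 Conflict on the
                create call.
        """
        self.keycloak_admin.realm_name = realm
        payload = {
            "username": uname,
            "email": email,
            "firstName": fname,
            "lastName": lname,
            "enabled": True,
        }
        try:
            try:
                print('Creating user %s' % uname)
                self.keycloak_admin.create_user(payload, False)
            except KeycloakError as e:
                # 409 means the user exists: update the profile, keep the
                # password (matches the original behaviour).
                if e.response_code != 409:
                    raise
                print('Exists, updating %s' % uname)
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.update_user(user_id, payload)
            else:
                # Only a freshly created user gets the supplied password.
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.set_user_password(user_id, password,
                                                      temporary=temp_flag)
        finally:
            self._restore_realm()

    def assign_user_roles(self, realm, username, roles):
        """Assign realm roles *roles* (names) to *username* in *realm*."""
        self.keycloak_admin.realm_name = realm
        try:
            # Resolve names to full role representations inside the try so
            # the realm is restored even when a role lookup fails.
            role_reps = [self.keycloak_admin.get_realm_role(role)
                         for role in roles]
            print(f'''Get user id for {username}''')
            user_id = self.keycloak_admin.get_user_id(username)
            self.keycloak_admin.assign_realm_roles(user_id, role_reps)
        finally:
            self._restore_realm()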
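import json
from typing import Optional, Dict

from keycloak import KeycloakAdmin

# NOTE(review): the credentials below are redacted placeholders; load the
# real values from the environment or a secrets store instead of the source.
keycloak_admin = KeycloakAdmin(server_url="http://localhost:9080/auth/",
                               username='******',
                               password='******',
                               realm_name="master")


def load_json_from_file(filename: str) -> Optional[Dict]:
    """Parse *filename* as JSON and return the decoded document.

    Args:
        filename: path of the JSON file.

    Returns:
        The decoded value; a ``dict`` for a realm export (``None`` only if
        the file literally contains ``null``).

    Raises:
        OSError: if the file cannot be opened.
        json.JSONDecodeError: if the file is not valid JSON.
    """
    # Keycloak exports are UTF-8; pin the encoding so the locale cannot
    # change how the file is decoded.
    with open(filename, encoding="utf-8") as f:
        return json.load(f)


realm_config = load_json_from_file('realm-export.json')
# create_realm expects a realm representation, i.e. a JSON object.
if not isinstance(realm_config, dict):
    raise ValueError("realm-export.json must contain a JSON object at the top level")
# NOTE(review): a realm export may include client secrets and SMTP/IdP
# credentials; echoing the whole document sends them to stdout and any log
# that captures it. Printing just realm_config.get("realm") is enough to
# confirm the file was read.
print(realm_config)
keycloak_admin.create_realm(payload=realm_config, skip_exists=False)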
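# Usage examples for an already authenticated ``keycloak_admin``
# (``KeycloakAdmin`` instance). Values such as 'group_id', "storage_di",
# client_id and user_id are placeholders to be replaced by real identifiers.

# Create new group
group = keycloak_admin.create_group(name="Example Group")

# Get all groups
groups = keycloak_admin.get_groups()

# Get group by id
group = keycloak_admin.get_group(group_id='group_id')

# Get group by path; search_in_subgroups descends into nested groups
group = keycloak_admin.get_group_by_path(path='/group/subgroup',
                                         search_in_subgroups=True)

# Trigger a user sync from a user-storage provider.
# sync_users is a KeycloakAdmin method, so it must be called on the
# instance; the bare sync_users(...) call this replaces raised NameError.
keycloak_admin.sync_users(storage_id="storage_di", action="action")

# Get client role id from name
role_id = keycloak_admin.get_client_role_id(client_id=client_id,
                                            role_name="test")

# Get all roles for the realm or client
realm_roles = keycloak_admin.get_roles()

# Assign client role to user. Note that BOTH role_name and role_id appear
# to be required.
keycloak_admin.assign_client_role(client_id=client_id,
                                  user_id=user_id,
                                  role_id=role_id,
                                  role_name="test")

# Get all ID Providers
idps = keycloak_admin.get_idps()

# Create a new Realm; skip_exists=False makes an existing "demo" realm an
# error instead of a silent no-op
keycloak_admin.create_realm(payload={"realm": "demo"}, skip_exists=False)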