def keycloak_details(self, realm):
keycloak_openid = KeycloakOpenID(server_url=self.server,
client_id=self.client_bearer_id,
realm_name=realm,
verify=False)
keycloak_refresh = KeycloakOpenID(server_url=self.server,
client_id=self.client_public_id,
realm_name=realm,
verify=False)
return keycloak_openid, keycloak_refresh
def __init__(self, get_response):
self.get_response = get_response
# One-time configuration and initialization.
self.config = settings.KEYCLOAK_IAM_CLIENT_CONFIG
try:
self.server_url = self.config['KEYCLOAK_SERVER_URL']
self.client_id = self.config['KEYCLOAK_CLIENT_ID']
self.realm = self.config['KEYCLOAK_REALM']
except KeyError:
raise Exception(
"KEYCLOAK_SERVER_URL, KEYCLOAK_CLIENT_ID or KEYCLOAK_REALM not found.")
self.client_secret_key = self.config.get(
'KEYCLOAK_CLIENT_SECRET_KEY', None)
self.client_public_key = self.config.get(
'KEYCLOAK_CLIENT_PUBLIC_KEY', None)
self.default_access = self.config.get(
'KEYCLOAK_DEFAULT_ACCESS', "DENY")
self.method_validate_token = self.config.get(
'KEYCLOAK_METHOD_VALIDATE_TOKEN', "INTROSPECT")
self.keycloak_authorization_config = self.config.get(
'KEYCLOAK_AUTHORIZATION_CONFIG', None)
self.keycloak = KeycloakOpenID(server_url=self.server_url,
client_id=self.client_id,
realm_name=self.realm,
client_secret_key=self.client_secret_key)
def get_oidc():
return KeycloakOpenID(
server_url=current_app.config.get('SERVER_URL'),
client_id=current_app.config.get('CLIENT_ID'),
realm_name=current_app.config.get('REALM_NAME'),
client_secret_key=current_app.config.get('CLIENT_SECRET'),
verify=True)
def from_kc_oidc_json(app,
redirect_uri,
config_path=None,
logout_path=None,
heartbeat_path=None,
keycloak_kwargs=None,
authorization_settings=None,
uri_whitelist=None,
login_path=None):
# Read config, assumed to be in Keycloak OIDC JSON format.
config_path = "keycloak.json" if config_path is None else config_path
with open(config_path, 'r') as f:
config_data = json.load(f)
# Setup the Keycloak connection.
keycloak_config = dict(
server_url=config_data["auth-server-url"],
realm_name=config_data["realm"],
client_id=config_data["resource"],
client_secret_key=config_data["credentials"]["secret"],
verify=config_data["ssl-required"] != "none")
if keycloak_kwargs is not None:
keycloak_config = {**keycloak_config, **keycloak_kwargs}
keycloak_openid = KeycloakOpenID(**keycloak_config)
if authorization_settings is not None:
keycloak_openid.load_authorization_config(authorization_settings)
return FlaskKeycloak(app,
keycloak_openid,
redirect_uri,
logout_path=logout_path,
heartbeat_path=heartbeat_path,
uri_whitelist=uri_whitelist,
login_path=login_path)
def checker(self):
"""
Provera da li je username ili email vec registrovan u Keycloak-u.
Parametri:
---------------
users -> Uzima listu svih usera sa Keycloak-a.
list_users -> list : proverava listu username-a
emails -> list : proverava listu email-a
"""
# KeycloakOpenID radi sa generalnim stvarima kao sto su(token, policies, permissions..) a KeycloakAdmin sa korisnicima
KeycloakOpenID(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')),
client_id=os.getenv('KEYCLOAK_CLIENT_NAME'),
realm_name=os.getenv('CLIENT_RELM_NAME'),
client_secret_key=os.getenv('CLIENT_RELM_SECRET'))
# users sadrzi sve informacije o korisnicima
users = self.admin.get_users()
emails = []
list_users = []
for x in users:
""" Provera email-a i username-a.
Dodajemo u listu i pravimo proveru da li postoji neki korisnik sa istim email ili username\
jer su ove informacije jedinstvene na nivou svih korisnika.
"""
emails.append(x["email"])
list_users.append(x["username"])
if self.email in emails or self.username in list_users:
return {"exist": True}
else:
return {"exist": False}
def __init__(self, serverurl, realm, clientid, secret):
self.keycloak_openid = KeycloakOpenID(server_url=serverurl,
client_id=clientid,
realm_name=realm,
client_secret_key=secret,
verify=True)
config_well_know = self.keycloak_openid.well_know()
def __init__(self, get_response):
"""
:param get_response:
"""
self.config = settings.KEYCLOAK_CONFIG
# Read configurations
try:
self.server_url = self.config['KEYCLOAK_SERVER_URL']
self.client_id = self.config['KEYCLOAK_CLIENT_ID']
self.realm = self.config['KEYCLOAK_REALM']
except KeyError as e:
raise Exception("KEYCLOAK_SERVER_URL, KEYCLOAK_CLIENT_ID or KEYCLOAK_REALM not found.")
self.client_secret_key = self.config.get('KEYCLOAK_CLIENT_SECRET_KEY', None)
self.client_public_key = self.config.get('KEYCLOAK_CLIENT_PUBLIC_KEY', None)
self.default_access = self.config.get('KEYCLOAK_DEFAULT_ACCESS', "DENY")
self.method_validate_token = self.config.get('KEYCLOAK_METHOD_VALIDATE_TOKEN', "INTROSPECT")
self.keycloak_authorization_config = self.config.get('KEYCLOAK_AUTHORIZATION_CONFIG', None)
# Create Keycloak instance
self.keycloak = KeycloakOpenID(server_url=self.server_url,
client_id=self.client_id,
realm_name=self.realm,
client_secret_key=self.client_secret_key)
# Read policies
if self.keycloak_authorization_config:
self.keycloak.load_authorization_config(self.keycloak_authorization_config)
# Django
self.get_response = get_response
def keycloak_client(config: dict) -> KeycloakOpenID:
creds = config.get("credentials", None)
secret_key = creds["secret"] if creds else None
return KeycloakOpenID(
server_url=config["auth-server-url"] + "/",
realm_name=config["realm"],
client_id=config["resource"],
client_secret_key=secret_key,
)
def init_keycloak():
# Configure client
keycloak_openid = KeycloakOpenID(
server_url="http://192.168.0.223:8181/auth",
client_id="calls-gateway",
realm_name="ambulance-example",
client_secret_key="supersecret")
return keycloak_openid
def get_common_services_access_token(config):
# Configure Keycloak client
keycloak_openid = KeycloakOpenID(server_url=config.COMM_SERV_AUTH_URL,
client_id=config.COMM_SERV_CLIENT_ID,
realm_name=config.COMM_SERV_REALM,
client_secret_key=config.COMM_SERV_CLIENT_SECRET)
# Get Token
token = keycloak_openid.token('', '', 'client_credentials')
return token['access_token']
def interactive_login(realm_label):
"""Logs in interactively."""
env, config = utils.get_selected_deployment_config()
if config is not None and URL_KEY in config:
nxs.config.set_environment(config[URL_KEY])
else:
utils.error(
"You must first select a profile using the 'profiles' command")
issuer = ''
if realm_label:
try:
response = nxs.realms.fetch(realm_label)
issuer = response['_issuer']
except nxs.HTTPError as e:
print(e.response.json())
utils.error(str(e))
else:
realm = utils.get_default_realm()
if realm is None:
realm = _select_realm()
issuer = realm['_issuer']
label = realm['_label']
print("Saving realm '%s' in your profile" % realm['_label'])
utils.set_default_realm(label, issuer)
else:
issuer = realm['_issuer']
print(
"Using default realm '%s' set in your profile. Use --realm to override."
% realm['_label'])
default_client_id = utils.get_default_client_id()
client_id = input("Please enter the client ID [%s]: " % default_client_id)
if not client_id:
client_id = default_client_id
utils.set_default_client_id(client_id)
detected_user = getpass.getuser()
username = input("Username [%s]: " % detected_user)
if not username:
username = detected_user
password = getpass.getpass()
try:
url, name = issuer.split("realms/")
keycloak_openid = KeycloakOpenID(server_url=url,
client_id=client_id,
realm_name=name,
verify=True)
response = keycloak_openid.token(username, password)
token = response['access_token']
_set_token(token)
utils.success(
"Authentication successful. Use 'view-token' to show your credentials."
)
except KeycloakError as e:
utils.error("Authentication failed: %s" % e)
def get_keycloak_token(configs):
"""Retrieves Keycloak bearer token"""
keycloak_openid = KeycloakOpenID(
server_url=configs['url'],
client_id=configs['client_id'],
realm_name=configs['realm_name'],
client_secret_key=None,
verify=configs['secure'])
return keycloak_openid.token(configs['username'], configs['password'])
def get_token(url):
if config_file_valid:
config.read(_config_file_name())
keycloak_openid = KeycloakOpenID(
server_url=f'https://{url}/auth/',
client_id="admin-cli",
realm_name="master",
)
return keycloak_openid.refresh_token(
config[url]['refresh_token'])['access_token']
def get_kc_token():
keycloak_openid = KeycloakOpenID(
server_url = config.gpap_token_auth['server_url'],
client_id = config.gpap_token_auth['client_id'],
realm_name = config.gpap_token_auth['realm_name'],
client_secret_key = config.gpap_token_auth['client_secret_key'],
verify = False
)
token = keycloak_openid.token(config.gpap_token_required[1], config.gpap_token_required[2])
return token
def _check_token():
token = request.headers.get('AUTHORIZATION')
from keycloak import KeycloakOpenID
keycloak_openid = KeycloakOpenID(
server_url=app.config.get("SERVER_URL"),
client_id=app.config.get("CLIENT_ID"),
realm_name=app.config.get("REALM_NAME"),
client_secret_key=app.config.get("CLIENT_SECRET_KEY"))
token_info = keycloak_openid.introspect(token)
return True
def init_openid():
logging.info('Initializing openid client...')
try:
kc.openid = KeycloakOpenID(server_url=KEYCLOAK_SERVER,
client_id=KEYCLOAK_CLIENT,
realm_name=KEYCLOAK_REALM,
client_secret_key=SECRET_KEY)
logging.info('Initialized openid client')
except:
logging.error('Failed initializing openid client')
def __init__(self, app):
self.app = app
self.url = self.app.config['KEYCLOAK_URL']
self.client_id = self.app.config['CLIENT_ID']
self.client_secret = self.app.config['CLIENT_SECRET']
self.keycloak_openid = KeycloakOpenID(
server_url=self.url,
client_id=self.client_id,
realm_name='apartments',
client_secret_key=self.client_secret,
verify=False)
def __init__(self, config_file=''):
"""
:param config_file: Path to the generated keycloak configuration file
"""
self.config_file = config_file
self.realm = None
self.auth_server_url = None
self.client_id = None
self.secret_key = None
self._load_configs()
self.keycloak = KeycloakOpenID(self.auth_server_url, self.realm, self.client_id, self.secret_key)
def get_token(auth_url: str, auth_client_id: str, auth_realm: str):
username = args.username
password = args.password
from keycloak import KeycloakOpenID
keycloak_openid = KeycloakOpenID(server_url=auth_url,
client_id=auth_client_id,
realm_name=auth_realm)
# Get Token
token = keycloak_openid.token(username, password)
return token, keycloak_openid
def authenticate(cls, username=None, password=None):
"""
Return 2tuple, representing authorized user or (None,None) on fail
First tuple element is String ID representing a distingushed
name for external users, e.g.:
"[email protected],ou=People,o=warehouse-external"
Second tuple element is Dict, representing a decoded ODIC access
token
>>> b = KeycloakBackend()
>>> b.authenticate()
(None, None)
>>> # Check username
>>> b.authenticate("*****@*****.**", "anything")
(None, None)
>>> # Check bogus username
>>> b.authenticate("Test", "anything")
(None, None)
"""
user_identifier = None
decoded_token = None
if username is not None:
u = None #auth may have failed: prepare to return None
# setup OIDC client
conf = config_loader.get_api_config()
auth_url = conf['external.keycloak.url']
dw_client_id = conf['external.keycloak.warehouse_client_id']
auth_client = KeycloakOpenID(server_url=auth_url
,client_id=dw_client_id, realm_name="master"
,client_secret_key="value-doesnt-matter"
,verify=False)
try:
# login
encoded_token = auth_client.token(username, password)
# get server public key
iss_url = auth_url+'realms/master'
json_iss = requests.get(iss_url, verify=False).json()
pub_key = add_pem_headfoot(json_iss['public_key'])
# decode server response
decode_opts = {"verify_signature":True, "verify_aud": True, "exp": True}
decoded_token = auth_client.decode_token(
encoded_token['access_token']
,key=pub_key, options=decode_opts)
user_dn = oidc_token_to_ldap_style_name(decoded_token)
#login is valid
user_identifier = user_dn #return
except KeycloakAuthenticationError:
pass #login is invalid
return user_identifier, decoded_token
def start_keycloak():
"""
Start Keycloak client according to credentials stored in env variables.
"""
# Instantiate keycloak client
keycloak_openid = KeycloakOpenID(
server_url=environ.get('OIDC_URL'),
realm_name=environ.get('OIDC_REALM'),
client_id=environ.get('OIDC_CLIENT_ID'),
client_secret_key=environ.get('OIDC_CLIENT_SECRET'))
return keycloak_openid
def __init__(self, ex, parameters=None):
if parameters is None:
parameters = {}
self.ex = ex
self.server_url = parameters["server_url"]
self.client_id = parameters["client_id"]
self.realm_name = parameters["realm_name"]
self.client_secret_key = parameters["client_secret_key"]
self.keycloak_manager = KeycloakOpenID(
server_url=self.server_url,
client_id=self.client_id,
realm_name=self.realm_name,
client_secret_key=self.client_secret_key)
UserManagement.__init__(self, ex)
def get_token(envs):
username = args.username
password = args.password
from keycloak import KeycloakOpenID
print(f"Auth Url: {envs['auth']['url']}")
print(f"Auth ClientId: {envs['auth']['clientId']}")
print(f"Auth Realm: {envs['auth']['realm']}")
keycloak_openid = KeycloakOpenID(server_url=envs['auth']['url'],
client_id=envs['auth']['clientId'],
realm_name=envs['auth']['realm'])
# Get Token
token = keycloak_openid.token(username, password)
return token, keycloak_openid
def manager_login(url, username, password):
realm = 'master'
if username == 'smartcity':
realm = 'smartcity'
keycloak_openid = KeycloakOpenID(
server_url=f'https://{url}/auth/',
client_id="admin-cli",
realm_name=realm,
client_secret_key="secret",
)
if password:
response = keycloak_openid.token(username, password)
else:
password = config.get_password(url, username)
response = keycloak_openid.token(username, password)
config.store_token(url, username, password, response['refresh_token'])
def keycloak_handler(keycloak_config):
"""
Keycloak token is required for many API calls
"""
# Configure client
keycloak_openid = KeycloakOpenID(
server_url=keycloak_config['url'],
client_id=get_envar(keycloak_config['client_id']),
realm_name=keycloak_config['realm'],
client_secret_key=get_envar(keycloak_config['client_secret']))
# Get Token
token = keycloak_openid.token(get_envar(keycloak_config['user']),
get_envar(keycloak_config['password']))
token = token['access_token']
return {'Authorization': f'Bearer {token}'}
def login():
# Configure client
keycloak_openid = KeycloakOpenID(server_url="http://10.255.230.159:8181/auth/",
client_id="calls-gateway",
realm_name="ambulance-example",
client_secret_key="supersecret")
# Get WellKnow
# config_well_know = keycloak_openid.well_know()
# Get Token
token = keycloak_openid.token("user1", "user1")
# token = keycloak_openid.token("user", "password", totp="012345")
# Get Userinfo
# userinfo = keycloak_openid.userinfo(token['access_token'])
return token
def __init__(self, server, resource, realm, secret, admin_user,
admin_pass):
self.openid = KeycloakOpenID(
server_url=server,
client_id=resource,
realm_name=realm,
client_secret_key=secret,
)
self.admin = _KeycloakAdmin(
server_url=server,
client_id=resource,
realm_name=realm,
client_secret_key=secret,
username=admin_user,
password=admin_pass,
auto_refresh_token=['get', 'put', 'post', 'delete'],
)
def init_app(self, app):
self.provider = app.config['THROAT_CONFIG'].auth.provider
if self.provider == 'KEYCLOAK':
cfg = app.config['THROAT_CONFIG'].auth.keycloak
self.keycloak_admin = KeycloakAdmin(server_url=cfg.server,
realm_name=cfg.user_realm,
user_realm_name=cfg.admin_realm,
client_id=cfg.admin_client,
client_secret_key=cfg.admin_secret,
verify=True,
auto_refresh_token=['get', 'put', 'post', 'delete'])
self.keycloak_openid = KeycloakOpenID(server_url=cfg.server,
client_id=cfg.auth_client,
client_secret_key=cfg.auth_secret,
realm_name=cfg.user_realm,
verify=True)
def new_user(self):
"""
Kreira korisnikas na Keycloak-u.
Parametri:
---------------
email : str
username : str
firstName : str
lastName : str
secret : str
: -> dict
Rezultat:
---------------
: -> New User
"""
KeycloakOpenID(server_url="{}/auth/".format(os.getenv('KEYCLOAK_URL')),
client_id=os.getenv('KEYCLOAK_CLIENT_NAME'),
realm_name=os.getenv('CLIENT_RELM_NAME'),
client_secret_key=os.getenv('CLIENT_RELM_SECRET'))
email_check = Is_email_valid(self.email).check()
if email_check['exist'] == True:
# Kreiranje korisnika zahteva dict za slanje informacija o korisniku i zatim kreira jednog sa poslatim informacijama
self.admin.create_user({
"email":
self.email,
"username":
self.username,
"enabled":
"True",
"firstName":
self.firstName,
"lastName":
self.lastName,
"credentials": [{
"value": self.secret,
"type": "password"
}]
})
else:
return {"exist": False}
def on_logged_out(self, user_id, device_id, access_token):
"""Close session on keycloak server
"""
def _clear_keycloak_tokens(txn):
sql = """
UPDATE keycloak_provider_tokens
SET refresh_tokens = ARRAY[]::TEXT[]
WHERE user_id = '{}'
"""
txn.execute(sql.format(user_id))
def _get_refresh_tokens(txn):
sql = """
SELECT refresh_tokens
FROM keycloak_provider_tokens
WHERE user_id = '{}'
"""
txn.execute(sql.format(user_id))
return txn.fetchone()
res = yield self.account_handler.run_db_interaction(
"get_refresh_tokens", _get_refresh_tokens)
keycloak_openid = KeycloakOpenID(server_url=self.url,
client_id=self.client_id,
realm_name=self.realm_name,
client_secret_key=self.secret_key)
# We can't separate current session and close all sessions off this user
# close keycloack sessions
for refresh_token in res[0]:
keycloak_openid.logout(refresh_token)
# close other sysnapse sessions
device_handler = self.account_handler.hs.get_device_handler()
yield device_handler.delete_all_devices_for_user(user_id)
# .. and then delete any access tokens which weren't associated with
# devices.
auth_handler = self.account_handler.hs.get_auth_handler()
yield auth_handler.delete_access_tokens_for_user(user_id)
res = self.account_handler.run_db_interaction("clear_keycloak_tokens",
_clear_keycloak_tokens)
defer.returnValue(True)
