    sys.stdout.write("done\n")
else:
    sys.stderr.write("Could not get a token. Is Keycloak \
        running under {}?\n".format(args.keycloak_url))
    exit(1)

# Everything needed is in hand: create the realm first, then the clients
# and users, leaving alone whatever already exists on the server.
realm_payload = {
    "realm": args.realm,
    "enabled": True,
    # Self-registration is on for this realm.
    "registrationAllowed": True,
    # Lifetimes in seconds: 30 min access tokens, 24 h idle SSO timeout,
    # 7 day absolute SSO session cap.
    "accessTokenLifespan": 1800,
    "ssoSessionIdleTimeout": 86400,
    "ssoSessionMaxLifespan": 604800,
    # Registered accounts use their e-mail address as the username.
    "registrationEmailAsUsername": True,
}
sys.stdout.write(f"Creating {args.realm} realm, skipping if it already exists...")
keycloak_admin.create_realm(payload=realm_payload, skip_exists=True)
sys.stdout.write("done\n")

# From here on every admin call is scoped to the freshly created realm.
keycloak_admin.realm_name = args.realm

for client_spec in new_clients:
    _check_and_create_client(keycloak_admin, client_spec)

for user_spec in new_users:
    _check_and_create_user(keycloak_admin, user_spec)
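class KeycloakSession:
    """Admin session that provisions realms, roles, clients and users idempotently.

    ``KeycloakAdmin`` acts on whichever realm ``realm_name`` points at, so every
    realm-scoped method here switches to the target realm for the duration of its
    calls and switches back to ``'master'`` in a ``finally`` block. That way the
    client is never left pointing at the wrong realm after a failure, which the
    previous hand-written restore calls did not guarantee.
    """

    # Realm the admin client is pointed back at after every realm-scoped call.
    _HOME_REALM = 'master'

    def __init__(self, realm, server_url, user, pwd, ssl_verify):
        """Authenticate an admin client against *server_url*.

        Args:
            realm: realm the admin *user* logs in to.
            server_url: base URL of the Keycloak server.
            user: admin username.
            pwd: admin password.
            ssl_verify: forwarded as ``verify``. Turning it off disables
                certificate checking, so the admin password could be handed to
                an impersonated server; keep it on outside local development.
        """
        self.keycloak_admin = KeycloakAdmin(server_url=server_url,
                                            username=user,
                                            password=pwd,
                                            realm_name=realm,
                                            verify=ssl_verify)

    def _enter_realm(self, realm):
        """Scope subsequent admin calls to *realm*."""
        self.keycloak_admin.realm_name = realm

    def _leave_realm(self):
        """Scope subsequent admin calls back to the home realm."""
        self.keycloak_admin.realm_name = self._HOME_REALM

    def create_realm(self, realm):
        """Create *realm*, or update it in place if it already exists.

        Args:
            realm: name of the realm to create.

        Returns:
            0 on success.

        Raises:
            KeycloakError: for any admin-API failure other than a 409 conflict.
        """
        payload = {
            "realm": realm,
            "enabled": True,
            # All lifespans below are in seconds.
            "accessCodeLifespan": 7200,
            "accessCodeLifespanLogin": 1800,
            "accessCodeLifespanUserAction": 300,
            "accessTokenLifespan": 86400,
            "accessTokenLifespanForImplicitFlow": 900,
            "actionTokenGeneratedByAdminLifespan": 43200,
            "actionTokenGeneratedByUserLifespan": 300
        }
        try:
            self.keycloak_admin.create_realm(payload, skip_exists=False)
        except KeycloakError as e:
            # Only "already exists" is recoverable here; auth, connectivity
            # and validation failures must surface instead of being dropped.
            if e.response_code != 409:
                raise
            print('Exists, updating %s' % realm)
            self.keycloak_admin.update_realm(realm, payload)

        return 0

    def create_role(self, realm, role):
        """Create realm role *role* in *realm*; a no-op if it already exists.

        Args:
            realm: realm the role belongs to.
            role: role name.

        Returns:
            0 on success.
        """
        print('Creating role %s for realm %s' % (role, realm))
        # Without the switch the role ends up in the admin client's own
        # realm (master) rather than the target realm.
        self._enter_realm(realm)
        try:
            self.keycloak_admin.create_realm_role(
                {
                    'name': role,
                    'clientRole': False
                }, skip_exists=True)
        finally:
            self._leave_realm()
        return 0

    def create_client(self, realm, client, secret, sa_roles=None):
        """Create or update confidential client *client* in *realm*.

        Args:
            realm: realm the client belongs to.
            client: the client's ``clientId``.
            secret: client secret to set.
            sa_roles: realm role names to grant to the client's service
                account; ``None`` or an empty sequence grants nothing.

        Raises:
            KeycloakError: for any admin-API failure other than a 409 conflict
                on creation, which is handled by updating the client instead.
        """
        # NOTE(review): ``redirectUris: ['*']`` accepts any redirect target and
        # so disables the redirect-URI check that keeps authorization codes
        # bound to the application. Restrict it to the application's real
        # callback URLs before using this outside a throwaway dev setup.
        payload = {
            "clientId": client,
            "secret": secret,
            "standardFlowEnabled": True,
            "serviceAccountsEnabled": True,
            "directAccessGrantsEnabled": True,
            "redirectUris": ['*'],
            "authorizationServicesEnabled": True
        }
        self._enter_realm(realm)
        try:
            self._upsert_client(client, payload)
            # A ``None`` default used to reach ``len(sa_roles)`` and crash;
            # treat it the same as an empty list.
            if sa_roles:
                self._grant_service_account_roles(client, sa_roles)
        finally:
            self._leave_realm()

    def _upsert_client(self, client, payload):
        """Create *client* from *payload*, falling back to an update on 409."""
        try:
            print('Creating client %s' % client)
            # Existing clients are updated rather than skipped, hence no skip.
            self.keycloak_admin.create_client(payload, skip_exists=False)
        except KeycloakError as e:
            if e.response_code != 409:
                raise
            print('Exists, updating %s' % client)
            client_id = self.keycloak_admin.get_client_id(client)
            self.keycloak_admin.update_client(client_id, payload)

    def _grant_service_account_roles(self, client, sa_roles):
        """Assign the realm roles named in *sa_roles* to *client*'s service account."""
        # The roles endpoint wants full role representations, not names.
        roles = [self.keycloak_admin.get_realm_role(role) for role in sa_roles]
        client_id = self.keycloak_admin.get_client_id(client)
        user = self.keycloak_admin.get_client_service_account_user(client_id)
        params_path = {
            "realm-name": self.keycloak_admin.realm_name,
            "id": user["id"]
        }
        self.keycloak_admin.raw_post(
            URL_ADMIN_USER_REALM_ROLES.format(**params_path),
            data=json.dumps(roles))

    def create_user(self, realm, uname, email, fname, lname, password,
                    temp_flag):
        """Create user *uname* in *realm* and set its password.

        If the user already exists only the profile fields are updated; the
        existing password is left untouched.

        Args:
            realm: realm the user belongs to.
            uname: username.
            email: e-mail address.
            fname: first name.
            lname: last name.
            password: initial password.
            temp_flag: when true the user must change the password at first login.

        Raises:
            KeycloakError: for any admin-API failure other than a 409 conflict.
        """
        payload = {
            "username": uname,
            "email": email,
            "firstName": fname,
            "lastName": lname,
            "enabled": True
        }
        self._enter_realm(realm)
        try:
            try:
                print('Creating user %s' % uname)
                # Existing users are updated rather than skipped, hence no skip.
                self.keycloak_admin.create_user(payload, False)
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.set_user_password(user_id,
                                                      password,
                                                      temporary=temp_flag)
            except KeycloakError as e:
                if e.response_code != 409:
                    raise
                print('Exists, updating %s' % uname)
                user_id = self.keycloak_admin.get_user_id(uname)
                self.keycloak_admin.update_user(user_id, payload)
        finally:
            self._leave_realm()

    def assign_user_roles(self, realm, username, roles):
        """Grant the realm roles named in *roles* to *username* in *realm*.

        Args:
            realm: realm the user and roles belong to.
            username: username to look up.
            roles: realm role names.
        """
        self._enter_realm(realm)
        try:
            # Resolve names to full role representations inside the guarded
            # region so a lookup failure still restores the home realm.
            role_reps = [self.keycloak_admin.get_realm_role(role) for role in roles]
            print(f'''Get user id for {username}''')
            user_id = self.keycloak_admin.get_user_id(username)
            self.keycloak_admin.assign_realm_roles(user_id, role_reps)
        finally:
            self._leave_realm()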
from typing import Optional, Dict

from keycloak import KeycloakAdmin, json

# Connection details for the admin client, which logs in to the master realm.
# The '******' values are placeholders: supply real credentials from the
# environment or a secrets store rather than committing them. The URL uses
# plain http, so the password crosses the wire unencrypted; that is only
# acceptable for a local instance.
_admin_connection = dict(
    server_url="http://localhost:9080/auth/",
    username='******',
    password='******',
    realm_name="master",
)
keycloak_admin = KeycloakAdmin(**_admin_connection)


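def load_json_from_file(filename: str) -> Optional[Dict]:
    """Parse the JSON document stored at *filename*.

    Args:
        filename: path to a UTF-8 encoded JSON file (here a realm export).

    Returns:
        The decoded document; a JSON object decodes to a ``dict``. The
        ``Optional`` in the annotation is kept for existing callers, this
        function itself never returns ``None``.

    Raises:
        OSError: if the file cannot be opened.
        ValueError: if the content is not valid JSON.
    """
    # Pin the encoding: the platform default is not UTF-8 everywhere, and a
    # realm export with non-ASCII display names would otherwise fail to
    # decode on such hosts.
    with open(filename, encoding="utf-8") as f:
        return json.load(f)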


# Load the exported realm representation and push it to the server as-is.
# NOTE(review): a realm export may carry client secrets and similar material;
# printing the whole document sends it to stdout (and any log capturing it),
# so consider dropping the print or printing only the realm name.
realm_config = load_json_from_file('realm-export.json')
print(realm_config)

# skip_exists=False: if a realm of that name is already present the call
# raises instead of quietly skipping.
keycloak_admin.create_realm(skip_exists=False, payload=realm_config)
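# Create new group
group = keycloak_admin.create_group(name="Example Group")

# Get all groups
groups = keycloak_admin.get_groups()

# Get a single group by id ('group_id' is a placeholder for a real id)
group = keycloak_admin.get_group(group_id='group_id')

# Get group by path (this looks the group up by its path, not by name)
group = keycloak_admin.get_group_by_path(path='/group/subgroup', search_in_subgroups=True)

# Trigger a user sync from a user-storage provider. This is a method of the
# admin client, not a free function (the bare call raised NameError); the
# argument values are placeholders.
keycloak_admin.sync_users(storage_id="storage_di", action="action")

# Get client role id from name (client_id must already be resolved)
role_id = keycloak_admin.get_client_role_id(client_id=client_id, role_name="test")

# Get all roles for the realm or client
realm_roles = keycloak_admin.get_roles()

# Assign client role to user. Note that BOTH role_name and role_id appear to be required.
keycloak_admin.assign_client_role(client_id=client_id, user_id=user_id, role_id=role_id, role_name="test")

# Get all ID Providers
idps = keycloak_admin.get_idps()

# Create a new Realm (skip_exists=False: an existing "demo" realm makes this raise)
keycloak_admin.create_realm(payload={"realm": "demo"}, skip_exists=False)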