def create_client_and_get_client_secret(): # Create kong client on Keycloak keycloak_admin = KeycloakAdmin(server_url=KEYCLOAK_URL, username=KEYCLOAK_ADMIN_USER, password=KEYCLOAK_ADMIN_PASSWORD, verify=True) try: keycloak_admin.create_client({ "clientId": CLIENT_NAME, "name": CLIENT_NAME, "enabled": True, "redirectUris": ["/front/*", "/api/*", "/*", "*"], }) client_uuid = keycloak_admin.get_client_id(CLIENT_NAME) keycloak_admin.generate_client_secrets(client_uuid) except KeycloakGetError as e: if e.response_code == 409: print("Keycloak Kong client already exists") client_uuid = keycloak_admin.get_client_id(CLIENT_NAME) return keycloak_admin.get_client_secrets(client_uuid)['value']
def init(): keycloack = KeycloakAdmin(server_url='http://localhost:8080/auth/', username='******', password='******', realm_name='master', verify=True) keycloack.realm_name = 'n5geh_devices' keycloack.create_user({ "username": '******', "credentials": [{ "value": "password", "type": "password", }], "enabled": True, "firstName": 'Device', "lastName": 'Wizard' }) user_id = keycloack.get_user_id("device_wizard") client_id = keycloack.get_client_id("realm-management") role = keycloack.get_client_role(client_id=client_id, role_name="manage-users") keycloack.assign_client_role(client_id=client_id, user_id=user_id, roles=[role])
def _get_service_oidc_payload(service_name, realm): client_id = KEYCLOAK_KONG_CLIENT client_secret = None # must be the public url KEYCLOAK_URL = f'{HOST}/keycloak/auth/realms' OPENID_PATH = 'protocol/openid-connect' try: # https://bitbucket.org/agriness/python-keycloak # find out client secret # 1. connect to master realm keycloak_admin = KeycloakAdmin( server_url=KC_URL, username=KC_ADMIN_USER, password=KC_ADMIN_PASSWORD, realm_name=KC_MASTER_REALM, ) # 2. change to given realm keycloak_admin.realm_name = realm # 3. get kong client internal id client_pk = keycloak_admin.get_client_id(client_id) # 4. get its secrets secret = keycloak_admin.get_client_secrets(client_pk) client_secret = secret.get('value') except KeycloakError as ke: raise RuntimeError(f'Could not get info from keycloak {str(ke)}') except Exception as e: raise RuntimeError( f'Unexpected error, do the realm and the client exist? {str(e)}') # OIDC plugin settings (same for all endpoints) return { 'name': KONG_OIDC_PLUGIN, 'config.client_id': client_id, 'config.client_secret': client_secret, 'config.cookie_domain': DOMAIN, 'config.email_key': 'email', 'config.scope': 'openid+profile+email+iss', 'config.user_info_cache_enabled': 'true', 'config.app_login_redirect_url': f'{HOST}/{realm}/{service_name}/', 'config.authorize_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/auth', 'config.service_logout_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/logout', 'config.token_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/token', 'config.user_url': f'{KEYCLOAK_URL}/{realm}/{OPENID_PATH}/userinfo', }
def main(): args = args_parse() ssl_verify = True if args.disable_ssl_verify: ssl_verify = False server_url = args.server_url + '/auth/' # Full url to access api try: keycloak_admin = KeycloakAdmin(server_url=server_url, username=args.admin_user, password=args.admin_password, realm_name='master', verify=ssl_verify) keycloak_admin.realm_name = args.realm client_id = keycloak_admin.get_client_id(args.client_name) user = keycloak_admin.get_client_service_account_user(client_id) keycloak_admin.logout(user['id']) except: formatted_lines = traceback.format_exc() print(formatted_lines) sys.exit(1) sys.exit(0)
class KeycloakSession: def __init__(self, realm, server_url, user, pwd, ssl_verify): self.keycloak_admin = KeycloakAdmin(server_url=server_url, username=user, password=pwd, realm_name=realm, verify=ssl_verify) def create_realm(self, realm): payload = { "realm": realm, "enabled": True, "accessCodeLifespan": 7200, "accessCodeLifespanLogin": 1800, "accessCodeLifespanUserAction": 300, "accessTokenLifespan": 86400, "accessTokenLifespanForImplicitFlow": 900, "actionTokenGeneratedByAdminLifespan": 43200, "actionTokenGeneratedByUserLifespan": 300 } try: self.keycloak_admin.create_realm(payload, skip_exists=False) except KeycloakError as e: if e.response_code == 409: print('Exists, updating %s' % realm) self.keycloak_admin.update_realm(realm, payload) except: raise return 0 def create_role(self, realm, role): print('Creating role %s for realm %s' % (role, realm)) self.keycloak_admin.realm_name = realm # work around because otherwise role was getting created in master self.keycloak_admin.create_realm_role( { 'name': role, 'clientRole': False }, skip_exists=True) self.keycloak_admin.realm_name = 'master' # restore return 0 # sa_roles: service account roles def create_client(self, realm, client, secret, sa_roles=None): self.keycloak_admin.realm_name = realm # work around because otherwise client was getting created in master payload = { "clientId": client, "secret": secret, "standardFlowEnabled": True, "serviceAccountsEnabled": True, "directAccessGrantsEnabled": True, "redirectUris": ['*'], "authorizationServicesEnabled": True } try: print('Creating client %s' % client) self.keycloak_admin.create_client( payload, skip_exists=False) # If exists, update. So don't skip except KeycloakError as e: if e.response_code == 409: print('Exists, updating %s' % client) client_id = self.keycloak_admin.get_client_id(client) self.keycloak_admin.update_client(client_id, payload) except: self.keycloak_admin.realm_name = 'master' # restore raise if len(sa_roles) == 0: # Skip the below step self.keycloak_admin.realm_name = 'master' # restore return try: roles = [] # Get full role reprentation of all roles for role in sa_roles: role_rep = self.keycloak_admin.get_realm_role(role) roles.append(role_rep) client_id = self.keycloak_admin.get_client_id(client) user = self.keycloak_admin.get_client_service_account_user( client_id) params_path = { "realm-name": self.keycloak_admin.realm_name, "id": user["id"] } self.keycloak_admin.raw_post( URL_ADMIN_USER_REALM_ROLES.format(**params_path), data=json.dumps(roles)) except: self.keycloak_admin.realm_name = 'master' # restore raise self.keycloak_admin.realm_name = 'master' # restore def create_user(self, realm, uname, email, fname, lname, password, temp_flag): self.keycloak_admin.realm_name = realm payload = { "username": uname, "email": email, "firstName": fname, "lastName": lname, "enabled": True } try: print('Creating user %s' % uname) self.keycloak_admin.create_user( payload, False) # If exists, update. So don't skip user_id = self.keycloak_admin.get_user_id(uname) self.keycloak_admin.set_user_password(user_id, password, temporary=temp_flag) except KeycloakError as e: if e.response_code == 409: print('Exists, updating %s' % uname) user_id = self.keycloak_admin.get_user_id(uname) self.keycloak_admin.update_user(user_id, payload) except: self.keycloak_admin.realm_name = 'master' # restore raise self.keycloak_admin.realm_name = 'master' # restore def assign_user_roles(self, realm, username, roles): self.keycloak_admin.realm_name = realm roles = [self.keycloak_admin.get_realm_role(role) for role in roles] try: print(f'''Get user id for {username}''') user_id = self.keycloak_admin.get_user_id(username) self.keycloak_admin.assign_realm_roles(user_id, roles) except: self.keycloak_admin.realm_name = 'master' # restore raise self.keycloak_admin.realm_name = 'master' # restore
keycloack.create_user({ "username": '******', "credentials": [{ "value": "n5geh", "type": "password", }], "enabled": True, "firstName": 'n5geh', "lastName": 'n5geh' }) user_id = keycloack.get_user_id("n5geh") client_id = keycloack.get_client_id("realm-management") role = keycloack.get_client_role(client_id=client_id, role_name="manage-users") keycloack.assign_client_role(client_id=client_id, user_id=user_id, roles=[role]) keycloack.realm_name = 'n5geh_devices' # Create a new user for device wizard user_id = keycloack.get_user_id("device_wizard") if user_id is None: keycloack.create_user({ "username": '******', "credentials": [{ "value": "password",
class KeycloakAdm(object): def __init__(self): self.ClientId = "admin-cli" self.Realm = "zdr" self.Username = "******" self.Password = "******" self.FQDN = "auth.mydomain.dev" self.keycloak_admin = KeycloakAdmin(server_url="https://" + self.FQDN + "/auth/", username=self.Username, password=self.Password, realm_name=self.Realm, verify=True) self.keycloak_users = self.keycloak_admin.get_users({}) self.client_id = self.keycloak_admin.get_client_id("crm") def __del__(self): # Get users Returns a list of users, filtered according to query parameters users = self.keycloak_admin.get_users({}) for user in users: if user['username'] == self.Username: my_sessions = self.keycloak_admin.get_sessions(user['id']) for my_session in my_sessions: ret = self.keycloak_admin.connection.raw_delete( "admin/realms/" + self.Realm + "/sessions/" + my_session['id']) def GetLastUserSessionTime(self, user): lastAccess = None sessions = self.keycloak_admin.get_sessions(user['id']) for sess in sessions: sestime = int(sess['lastAccess']) if lastAccess is not None: if lastAccess < sestime: lastAccess = sestime else: lastAccess = sestime return lastAccess def GetIdBySip(self, sip): lastAccess = None retId = None for user in self.keycloak_users: if 'attributes' in user: attributes = user['attributes'] if 'sip' in attributes: if str(attributes['sip'][0]) == str(sip): if self.GetClientRoleOfUserByRoleName( 'dev', user['id']) == None: sestime = self.GetLastUserSessionTime(user) if lastAccess is not None: if lastAccess < sestime: lastAccess = sestime retId = user['id'] else: lastAccess = sestime retId = user['id'] return retId def GetNameBySip(self, sip): lastAccess = None ret = None for user in self.keycloak_users: if 'attributes' in user: attributes = user['attributes'] if 'sip' in attributes: if str(attributes['sip'][0]) == str(sip): if self.GetClientRoleOfUserByRoleName( 'dev', user['id']) == None: sestime = self.GetLastUserSessionTime(user) if lastAccess is not None: if lastAccess < sestime: lastAccess = sestime ret = user['username'] else: lastAccess = sestime ret = user['username'] return ret def GetClientRoleOfUserByRoleName(self, roleName, userID): rolesOfUser = self.keycloak_admin.get_client_roles_of_user( user_id=userID, client_id=self.client_id) #keycloak_admin.get_available_client_roles_of_user(user_id="user_id", client_id="client_id") #print user['username'], user['id'] for role in rolesOfUser: if roleName == role['name']: return role return None
payload=json.dumps(['UPDATE_PASSWORD'])) # Send Verify Email response = keycloak_admin.send_verify_email(user_id="user-id-keycloak") # Get sessions associated with the user sessions = keycloak_admin.get_sessions(user_id="user-id-keycloak") # Get themes, social providers, auth providers, and event listeners available on this server server_info = keycloak_admin.get_server_info() # Get clients belonging to the realm Returns a list of clients belonging to the realm clients = keycloak_admin.get_clients() # Get client - id (not client-id) from client by name client_id=keycloak_admin.get_client_id("my-client") # Get representation of the client - id of client (not client-id) client = keycloak_admin.get_client(client_id="client_id") # Get all roles for the realm or client realm_roles = keycloak_admin.get_realm_roles() # Get all roles for the client client_roles = keycloak_admin.get_client_roles(client_id="client_id") # Get client role role = keycloak_admin.get_client_role(client_id="client_id", role_name="role_name") # Warning: Deprecated # Get client role id from name