keycloak.keycloak_uma¶
Keycloak UMA module.
The module contains a UMA compatible client for keycloak: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html
Module Contents¶
Classes¶
Keycloak UMA client. |
- class keycloak.keycloak_uma.KeycloakUMA(connection: keycloak.openid_connection.KeycloakOpenIDConnection)[source]¶
Keycloak UMA client.
- Parameters:
connection – OpenID connection manager
- property uma_well_known[source]¶
Get the well_known UMA2 config.
- Returns:
It lists endpoints and other configuration options relevant
- Return type:
dict
- static format_url(url, **kwargs)[source]¶
Substitute url path parameters.
Given a parameterized url string, returns the string after url encoding and substituting the given params. For example, format_url(“https://myserver/{my_resource}/{id}”, my_resource=”hello world”, id=”myid”) would produce https://myserver/hello+world/myid.
- Parameters:
url (str) – url string to format
kwargs (dict) – dict containing kwargs to substitute
- Returns:
formatted string
- Return type:
str
- resource_set_create(payload)[source]¶
Create a resource set.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1
ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
- Parameters:
payload (dict) – ResourceRepresentation
- Returns:
ResourceRepresentation with the _id property assigned
- Return type:
dict
- resource_set_update(resource_id, payload)[source]¶
Update a resource set.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set
ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
- Parameters:
resource_id (str) – id of the resource
payload (dict) – ResourceRepresentation
- Returns:
Response dict (empty)
- Return type:
dict
- resource_set_read(resource_id)[source]¶
Read a resource set.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set
ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
- Parameters:
resource_id (str) – id of the resource
- Returns:
ResourceRepresentation
- Return type:
dict
- resource_set_delete(resource_id)[source]¶
Delete a resource set.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set
- Parameters:
resource_id (str) – id of the resource
- Returns:
Response dict (empty)
- Return type:
dict
- resource_set_list_ids(name: str = '', exact_name: bool = False, uri: str = '', owner: str = '', resource_type: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]¶
Query for list of resource set ids.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
- Parameters:
name (str) – query resource name
exact_name (bool) – query exact match for resource name
uri (str) – query resource uri
owner (str) – query resource owner
resource_type (str) – query resource type
scope (str) – query resource scope
first (int) – index of first matching resource to return
maximum (int) – maximum number of resources to return (-1 for all)
- Returns:
List of ids
- Return type:
List[str]
- resource_set_list()[source]¶
List all resource sets.
Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets
ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation
- Yields:
Iterator over a list of ResourceRepresentations
- Return type:
Iterator[dict]
- permission_ticket_create(permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]¶
Create a permission ticket.
- Parameters:
permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against
- Returns:
Keycloak decision
- Return type:
boolean
- Raises:
KeycloakPostError – In case permission resource not found
- permissions_check(token, permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]¶
Check UMA permissions by user token with requested permissions.
The token endpoint is used to check UMA permissions from Keycloak. It can only be invoked by confidential clients.
https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api
- Parameters:
token (str) – user token
permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against
- Returns:
Keycloak decision
- Return type:
boolean
- policy_resource_create(resource_id, payload)[source]¶
Create permission policy for resource.
Supports name, description, scopes, roles, groups, clients
- Parameters:
resource_id (str) – _id of resource
payload (dict) – permission configuration
- Returns:
PermissionRepresentation
- Return type:
dict
- policy_update(policy_id, payload)[source]¶
Update permission policy.
https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
- Parameters:
policy_id (str) – id of policy permission
payload (dict) – policy permission configuration
- Returns:
PermissionRepresentation
- Return type:
dict
- policy_delete(policy_id)[source]¶
Delete permission policy.
https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation
- Parameters:
policy_id (str) – id of permission policy
- Returns:
PermissionRepresentation
- Return type:
dict
- policy_query(resource: str = '', name: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]¶
Query permission policies.
https://www.keycloak.org/docs/latest/authorization_services/#querying-permission
- Parameters:
resource (str) – query resource id
name (str) – query resource name
scope (str) – query resource scope
first (int) – index of first matching resource to return
maximum (int) – maximum number of resources to return (-1 for all)
- Returns:
List of ids
- Returns:
List of ids
- Return type:
List[str]