keycloak

Python-Keycloak library.

Attributes

__version__

Exceptions

KeycloakAuthenticationError

Keycloak authentication error exception.

KeycloakAuthorizationConfigError

Keycloak authorization config exception.

KeycloakConnectionError

Keycloak connection error exception.

KeycloakDeleteError

Keycloak request delete error exception.

KeycloakDeprecationError

Keycloak deprecation error exception.

KeycloakError

Base class for custom Keycloak errors.

KeycloakGetError

Keycloak request get error exception.

KeycloakInvalidTokenError

Keycloak invalid token exception.

KeycloakOperationError

Keycloak operation error exception.

KeycloakPostError

Keycloak request post error exception.

KeycloakPutError

Keycloak request put error exception.

KeycloakRPTNotFound

Keycloak RPT not found exception.

KeycloakSecretNotFound

Keycloak secret not found exception.

Classes

ConnectionManager

Represents a simple server connection.

KeycloakAdmin

Keycloak Admin client.

KeycloakOpenID

Keycloak OpenID client.

KeycloakUMA

Keycloak UMA client.

KeycloakOpenIDConnection

A class to help with OpenID connections which can auto refresh tokens.

Package Contents

keycloak.__version__[source]
class keycloak.ConnectionManager(base_url, headers={}, timeout=60, verify=True, proxies=None, cert=None, max_retries=1)[source]

Bases: object

Represents a simple server connection.

Parameters:
  • base_url (str) – The server URL.

  • headers (dict) – The header parameters of the requests to the server.

  • timeout (int) – Timeout to use for requests to the server.

  • verify (Union[bool,str]) – Boolean value to enable or disable certificate validation or a string containing a path to a CA bundle to use

  • proxies (dict) – The proxy servers that requests are sent through.

  • cert (Union[str,Tuple[str,str]]) – An SSL certificate used by the requested host to authenticate the client. Either a path to an SSL certificate file, or two-tuple of (certificate file, key file).

  • max_retries (int) – The total number of times to retry HTTP requests.

property base_url
Return base url in use for requests to the server.
Returns:

Base URL

Return type:

str

property headers
Return the request headers sent to the server.
Returns:

Request headers

Return type:

dict

property timeout
Return timeout in use for request to the server.
Returns:

Timeout

Return type:

int

property verify
Return verify in use for request to the server.
Returns:

Verify indicator

Return type:

bool

property cert
Return client certificates in use for request to the server.
Returns:

Client certificate

Return type:

Union[str,Tuple[str,str]]

_s
auth
async_s
transport
async aclose()[source]

Close the async connection on delete.

__del__()[source]

Del method.

param_headers(key)[source]

Return a specific header parameter.

Parameters:

key (str) – Header parameters key.

Returns:

If the header parameter exists, return its value.

Return type:

str

clean_headers()[source]

Clear header parameters.

exist_param_headers(key)[source]

Check if the parameter exists in the header.

Parameters:

key (str) – Header parameters key.

Returns:

If the header parameter exists, return True.

Return type:

bool

add_param_headers(key, value)[source]

Add a single parameter inside the header.

Parameters:
  • key (str) – Header parameters key.

  • value (str) – Value to be added.

del_param_headers(key)[source]

Remove a specific parameter.

Parameters:

key (str) – Key of the header parameters.

raw_get(path, **kwargs)[source]

Submit get request to the path.

Parameters:
  • path (str) – Path for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

raw_post(path, data, **kwargs)[source]

Submit post request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

raw_put(path, data, **kwargs)[source]

Submit put request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

raw_delete(path, data=None, **kwargs)[source]

Submit delete request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict | None) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

async a_raw_get(path, **kwargs)[source]

Submit get request to the path.

Parameters:
  • path (str) – Path for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

async a_raw_post(path, data, **kwargs)[source]

Submit post request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

async a_raw_put(path, data, **kwargs)[source]

Submit put request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

async a_raw_delete(path, data=None, **kwargs)[source]

Submit delete request to the path.

Parameters:
  • path (str) – Path for request.

  • data (dict | None) – Payload for request.

  • kwargs (dict) – Additional arguments

Returns:

Response to the request.

Return type:

Response

Raises:

KeycloakConnectionError – HttpError Can’t connect to server.

static _filter_query_params(query_params)[source]

Explicitly filter query params with None values for compatibility.

Httpx and requests differ in the way they handle query params with the value None: requests does not include params with the value None, while httpx includes them as-is.

Parameters:

query_params (dict) – the query params

Returns:

the filtered query params

Return type:

dict

exception keycloak.KeycloakAuthenticationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Keycloak authentication error exception.

exception keycloak.KeycloakAuthorizationConfigError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak authorization config exception.

exception keycloak.KeycloakConnectionError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Keycloak connection error exception.

exception keycloak.KeycloakDeleteError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak request delete error exception.

exception keycloak.KeycloakDeprecationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Keycloak deprecation error exception.

exception keycloak.KeycloakError(error_message='', response_code=None, response_body=None)[source]

Bases: Exception

Base class for custom Keycloak errors.

Parameters:
  • error_message (str) – The error message

  • response_code (int) – The response status code

response_code
response_body
error_message
__str__()[source]

Str method.

Returns:

String representation of the object

Return type:

str

exception keycloak.KeycloakGetError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak request get error exception.

exception keycloak.KeycloakInvalidTokenError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak invalid token exception.

exception keycloak.KeycloakOperationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Keycloak operation error exception.

exception keycloak.KeycloakPostError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak request post error exception.

exception keycloak.KeycloakPutError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak request put error exception.

exception keycloak.KeycloakRPTNotFound(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak RPT not found exception.

exception keycloak.KeycloakSecretNotFound(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Keycloak secret not found exception.

class keycloak.KeycloakAdmin(server_url=None, grant_type=None, username=None, password=None, token=None, totp=None, realm_name='master', client_id='admin-cli', verify=True, client_secret_key=None, custom_headers=None, user_realm_name=None, timeout=60, cert=None, max_retries=1, connection: keycloak.openid_connection.KeycloakOpenIDConnection | None = None)[source]

Keycloak Admin client.

Parameters:
  • server_url (str) – Keycloak server url

  • username (str) – admin username

  • password (str) – admin password

  • token (dict) – access and refresh tokens

  • totp (str) – Time based OTP

  • realm_name (str) – realm name

  • client_id (str) – client id

  • verify (Union[bool,str]) – Boolean value to enable or disable certificate validation or a string containing a path to a CA bundle to use

  • client_secret_key (str) – client secret key (optional, required only for access type confidential)

  • custom_headers (dict) – dict of custom headers to pass to each HTTP request

  • user_realm_name (str) – The realm name of the user, if different from realm_name

  • timeout (int) – connection timeout in seconds

  • cert (Union[str,Tuple[str,str]]) – An SSL certificate used by the requested host to authenticate the client. Either a path to an SSL certificate file, or two-tuple of (certificate file, key file).

  • max_retries (int) – The total number of times to retry HTTP requests.

  • connection (KeycloakOpenIDConnection) – A KeycloakOpenIDConnection as an alternative to individual params.

PAGE_SIZE = 100
property connection: keycloak.openid_connection.KeycloakOpenIDConnection

Get connection.

Returns:

Connection manager

Return type:

KeycloakOpenIDConnection

__fetch_all(url, query=None)[source]

Paginate over get requests.

Wrapper function to paginate GET requests.

Parameters:
  • url (str) – The url on which the query is executed

  • query (dict) – Existing query parameters (optional)

Returns:

Combined results of paginated queries

Return type:

list

__fetch_paginated(url, query=None)[source]

Make a specific paginated request.

Parameters:
  • url (str) – The url on which the query is executed

  • query (dict) – Pagination settings

Returns:

Response

Return type:

dict

get_current_realm() → str[source]

Return the currently configured realm.

Returns:

Currently configured realm name

Return type:

str

change_current_realm(realm_name: str) → None[source]

Change the current realm.

Parameters:

realm_name (str) – The name of the realm to be configured as current

import_realm(payload)[source]

Import a new realm from a RealmRepresentation.

Realm name must be unique.

RealmRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:

payload (dict) – RealmRepresentation

Returns:

RealmRepresentation

Return type:

dict

partial_import_realm(realm_name, payload)[source]

Partial import realm configuration from PartialImportRepresentation.

Realm partialImport is used for modifying the configuration of an existing realm.

PartialImportRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_partialimportrepresentation

Parameters:
  • realm_name (str) – Realm name (not the realm id)

  • payload (dict) – PartialImportRepresentation

Returns:

PartialImportResponse

Return type:

dict

export_realm(export_clients=False, export_groups_and_role=False)[source]

Export the realm configuration in JSON format.

RealmRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_partialexport

Parameters:
  • export_clients (bool) – Whether to export realm clients; leave False to skip them

  • export_groups_and_role (bool) – Whether to export realm groups and roles; leave False to skip them

Returns:

realm configurations JSON

Return type:

dict

get_realms()[source]

List all realms in Keycloak deployment.

Returns:

realms list

Return type:

list

get_realm(realm_name)[source]

Get a specific realm.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:

realm_name (str) – Realm name (not the realm id)

Returns:

RealmRepresentation

Return type:

dict

create_realm(payload, skip_exists=False)[source]

Create a realm.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:
  • payload (dict) – RealmRepresentation

  • skip_exists (bool) – Skip if the realm already exists.

Returns:

Keycloak server response (RealmRepresentation)

Return type:

dict

update_realm(realm_name, payload)[source]

Update a realm.

This will only update top level attributes and will ignore any user, role, or client information in the payload.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:
  • realm_name (str) – Realm name (not the realm id)

  • payload (dict) – RealmRepresentation

Returns:

Http response

Return type:

dict

delete_realm(realm_name)[source]

Delete a realm.

Parameters:

realm_name (str) – Realm name (not the realm id)

Returns:

Http response

Return type:

dict

get_users(query=None)[source]

Get all users.

Return a list of users, filtered according to query parameters

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

query (dict) – Query parameters (optional)

Returns:

users list

Return type:

list

create_idp(payload)[source]

Create an ID Provider.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Param:

payload: IdentityProviderRepresentation

Returns:

Keycloak server response

Return type:

dict

update_idp(idp_alias, payload)[source]

Update an ID Provider.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identity_providers_resource

Param:

idp_alias: alias for IdP to update

Param:

payload: The IdentityProviderRepresentation

Returns:

Keycloak server response

Return type:

dict

add_mapper_to_idp(idp_alias, payload)[source]

Add a mapper to an ID Provider.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityprovidermapperrepresentation

Param:

idp_alias: alias for Idp to add mapper in

Param:

payload: IdentityProviderMapperRepresentation

Returns:

Keycloak server response

Return type:

dict

update_mapper_in_idp(idp_alias, mapper_id, payload)[source]

Update an IdP mapper.

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_update

Param:

idp_alias: alias for Idp to fetch mappers

Param:

mapper_id: Mapper Id to update

Param:

payload: IdentityProviderMapperRepresentation

Returns:

Http response

Return type:

dict

get_idp_mappers(idp_alias)[source]

Get IDP mappers.

Returns a list of ID Provider mappers.

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getmappers

Param:

idp_alias: alias for Idp to fetch mappers

Returns:

array IdentityProviderMapperRepresentation

Return type:

list

get_idps()[source]

Get IDPs.

Returns a list of ID Providers.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Returns:

array IdentityProviderRepresentation

Return type:

list

get_idp(idp_alias)[source]

Get IDP provider.

Get the representation of a specific IDP Provider.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Param:

idp_alias: alias for IdP to get

Returns:

IdentityProviderRepresentation

Return type:

dict

delete_idp(idp_alias)[source]

Delete an ID Provider.

Param:

idp_alias: idp alias name

Returns:

Keycloak server response

Return type:

dict

create_user(payload, exist_ok=False)[source]

Create a new user.

Username must be unique

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:
  • payload (dict) – UserRepresentation

  • exist_ok (bool) – If False, raise KeycloakGetError if username already exists. Otherwise, return existing user ID.

Returns:

user_id

Return type:

str

users_count(query=None)[source]

Count users.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_users_resource

Parameters:

query (dict) – Query parameters for users count

Returns:

counter

Return type:

int

get_user_id(username)[source]

Get internal keycloak user id from username.

This is required for further actions against this user.

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

username (str) – id in UserRepresentation

Returns:

user_id

Return type:

str

get_user(user_id)[source]

Get representation of the user.

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

user_id (str) – User id

Returns:

UserRepresentation

get_user_groups(user_id, query=None, brief_representation=True)[source]

Get user groups.

Returns a list of groups of which the user is a member

Parameters:
  • user_id (str) – User id

  • query (dict) – Additional query options

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

user groups list

Return type:

list

update_user(user_id, payload)[source]

Update the user.

Parameters:
  • user_id (str) – User id

  • payload (dict) – UserRepresentation

Returns:

Http response

Return type:

bytes

disable_user(user_id)[source]

Disable the user in the realm. Disabled users cannot log in.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

enable_user(user_id)[source]

Enable the user in the realm.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

disable_all_users()[source]

Disable all existing users.

enable_all_users()[source]

Enable all existing users.

delete_user(user_id)[source]

Delete the user.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

set_user_password(user_id, password, temporary=True)[source]

Set up a password for the user.

If temporary is True, the user will have to reset the temporary password next time they log in.

https://www.keycloak.org/docs-api/24.0.2/rest-api/#_users_resource https://www.keycloak.org/docs-api/24.0.2/rest-api/#_credentialrepresentation

Parameters:
  • user_id (str) – User id

  • password (str) – New password

  • temporary (bool) – True if password is temporary

Returns:

Response

Return type:

dict

get_credentials(user_id)[source]

Get user credentials.

Returns a list of credentials belonging to the user.

CredentialRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_credentialrepresentation

Param:

user_id: user id

Returns:

Keycloak server response (CredentialRepresentation)

Return type:

dict

delete_credential(user_id, credential_id)[source]

Delete credential of the user.

CredentialRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_credentialrepresentation

Param:

user_id: user id

Param:

credential_id: credential id

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

user_logout(user_id)[source]

Log out the user.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_logout

Parameters:

user_id (str) – User id

Returns:

Keycloak server response

Return type:

bytes

user_consents(user_id)[source]

Get consents granted by the user.

UserConsentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userconsentrepresentation

Parameters:

user_id (str) – User id

Returns:

List of UserConsentRepresentations

Return type:

list

get_user_social_logins(user_id)[source]

Get user social logins.

Returns a list of federated identities/social logins with which the user has been associated.

Parameters:

user_id (str) – User id

Returns:

Federated identities list

Return type:

list

add_user_social_login(user_id, provider_id, provider_userid, provider_username)[source]

Add a federated identity / social login provider to the user.

Parameters:
  • user_id (str) – User id

  • provider_id (str) – Social login provider id

  • provider_userid (str) – userid specified by the provider

  • provider_username (str) – username specified by the provider

Returns:

Keycloak server response

Return type:

bytes

delete_user_social_login(user_id, provider_id)[source]

Delete a federated identity / social login provider from the user.

Parameters:
  • user_id (str) – User id

  • provider_id (str) – Social login provider id

Returns:

Keycloak server response

Return type:

bytes

send_update_account(user_id, payload, client_id=None, lifespan=None, redirect_uri=None)[source]

Send an update account email to the user.

The email contains a link the user can click to perform a set of required actions.

Parameters:
  • user_id (str) – User id

  • payload (list) – A list of actions for the user to complete

  • client_id (str) – Client id (optional)

  • lifespan (int) – Number of seconds after which the generated token expires (optional)

  • redirect_uri (str) – The redirect uri (optional)

Returns:

Keycloak server response

Return type:

bytes

send_verify_email(user_id, client_id=None, redirect_uri=None)[source]

Send an update account email to the user.

The email contains a link the user can click to perform a set of required actions.

Parameters:
  • user_id (str) – User id

  • client_id (str) – Client id (optional)

  • redirect_uri (str) – Redirect uri (optional)

Returns:

Keycloak server response

Return type:

bytes

get_sessions(user_id)[source]

Get sessions associated with the user.

UserSessionRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_usersessionrepresentation

Parameters:

user_id (str) – Id of user

Returns:

UserSessionRepresentation

Return type:

dict

get_server_info()[source]

Get themes, social providers, etc. on this server.

ServerInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_serverinforepresentation

Returns:

ServerInfoRepresentation

Return type:

dict

get_groups(query=None, full_hierarchy=False)[source]

Get groups.

Returns a list of groups belonging to the realm

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Notice that when using full_hierarchy=True, the response will be a nested structure containing all the children groups. If used with query parameters, the full_hierarchy will be applied to the received groups only.

Parameters:
  • query (dict) – Additional query options

  • full_hierarchy (bool) – If True, return all of the nested children groups, otherwise only the first level children are returned

Returns:

array GroupRepresentation

Return type:

list

get_group(group_id, full_hierarchy=False)[source]

Get group by id.

Returns full group details

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group_id (str) – The group id

  • full_hierarchy (bool) – If True, return all of the nested children groups, otherwise only the first level children are returned

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

get_subgroups(group, path)[source]

Get subgroups.

Utility function to iterate through nested group structures

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group (dict) – group (GroupRepresentation)

  • path (str) – group path (string)

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

get_group_children(group_id, query=None, full_hierarchy=False)[source]

Get group children by parent id.

Returns full group children details

Parameters:
  • group_id (str) – The parent group id

  • query (dict) – Additional query options

  • full_hierarchy (bool) – If True, return all of the nested children groups

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

Raises:

ValueError – If both query and full_hierarchy parameters are used

get_group_members(group_id, query=None)[source]

Get members by group id.

Returns group members

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_userrepresentation

Parameters:
Returns:

Keycloak server response (UserRepresentation)

Return type:

list

get_group_by_path(path)[source]

Get group id based on name or path.

Returns full group details for a group defined by path

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:

path (str) – group path

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

create_group(payload, parent=None, skip_exists=False)[source]

Create a group in the Realm.

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • payload (dict) – GroupRepresentation

  • parent (str) – parent group’s id. Required to create a sub-group.

  • skip_exists (bool) – If true then do not raise an error if it already exists

Returns:

Group id for newly created group or None for an existing group

Return type:

str

update_group(group_id, payload)[source]

Update group, ignores subgroups.

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group_id (str) – id of group

  • payload (dict) – GroupRepresentation with updated information.

Returns:

Http response

Return type:

bytes

groups_count(query=None)[source]

Count groups.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_groups

Parameters:

query (dict) – Query parameters for groups count

Returns:

Keycloak Server Response

Return type:

dict

group_set_permissions(group_id, enabled=True)[source]

Enable/Disable permissions for a group.

Cannot delete group if disabled

Parameters:
  • group_id (str) – id of group

  • enabled (bool) – Enabled flag

Returns:

Keycloak server response

Return type:

bytes

group_user_add(user_id, group_id)[source]

Add user to group (user_id and group_id).

Parameters:
  • user_id (str) – id of user

  • group_id (str) – id of group to add to

Returns:

Keycloak server response

Return type:

bytes

group_user_remove(user_id, group_id)[source]

Remove user from group (user_id and group_id).

Parameters:
  • user_id (str) – id of user

  • group_id (str) – id of group to remove from

Returns:

Keycloak server response

Return type:

bytes

delete_group(group_id)[source]

Delete a group in the Realm.

Parameters:

group_id (str) – id of group to delete

Returns:

Keycloak server response

Return type:

bytes

get_clients()[source]

Get clients.

Returns a list of clients belonging to the realm

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (ClientRepresentation)

Return type:

list

get_client(client_id)[source]

Get representation of the client.

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

dict

get_client_id(client_id)[source]

Get internal keycloak client id from client-id.

This is required for further actions against this client.

Parameters:

client_id (str) – clientId in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

client_id (uuid as string)

Return type:

str

get_client_authz_settings(client_id)[source]

Get authorization json from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

dict

create_client_authz_resource(client_id, payload, skip_exists=False)[source]

Create resources of client.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

update_client_authz_resource(client_id, resource_id, payload)[source]

Update resource of client.

Any parameter missing from the ResourceRepresentation in the payload WILL be set to default by the Keycloak server.

Parameters:
Returns:

Keycloak server response

Return type:

bytes
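
Because fields omitted from the payload are reset to defaults, a partial update can silently drop a protected resource's scopes or URIs. The sketch below is an added example, not python-keycloak's own code: it reads the current ResourceRepresentation and merges the changes into it before updating. safe_update_authz_resource, StandInAdmin, the sample resource and the default values are constructed for illustration; only get_client_authz_resource and update_client_authz_resource are names from this page.

```python
"""Read-modify-write around update_client_authz_resource (added example)."""
import copy


def merged_resource_payload(current, changes):
    """Overlay `changes` on the full current representation and return the result."""
    payload = copy.deepcopy(current)
    payload.update(copy.deepcopy(changes))
    return payload


def safe_update_authz_resource(admin, client_id, resource_id, changes):
    """Hypothetical helper: apply `changes` while preserving every other field.

    `admin` is any object exposing get_client_authz_resource() and
    update_client_authz_resource() with the signatures documented on this page.
    Returns the sorted names of the fields a bare partial update would have reset.
    """
    current = admin.get_client_authz_resource(client_id, resource_id)
    at_risk = sorted(key for key in current if key not in changes)
    payload = merged_resource_payload(current, changes)
    admin.update_client_authz_resource(client_id, resource_id, payload)
    return at_risk


class StandInAdmin:
    """Constructed stand-in for KeycloakAdmin that models the documented reset behaviour."""

    # Constructed default values for the demo; not taken from Keycloak.
    DEFAULTS = {"uris": [], "scopes": [], "ownerManagedAccess": False, "attributes": {}}

    def __init__(self, resources):
        # Maps (client_id, resource_id) to a stored representation.
        self._resources = resources

    def get_client_authz_resource(self, client_id, resource_id):
        return copy.deepcopy(self._resources[(client_id, resource_id)])

    def update_client_authz_resource(self, client_id, resource_id, payload):
        # Anything missing from the payload falls back to the default value.
        stored = copy.deepcopy(self.DEFAULTS)
        stored.update(copy.deepcopy(payload))
        self._resources[(client_id, resource_id)] = stored
        return b""


def demo():
    """Compare a bare partial update with the read-modify-write helper."""
    # Constructed sample resource.
    resource = {
        "_id": "res-1",
        "name": "payroll-api",
        "uris": ["/payroll/*"],
        "scopes": [{"name": "payroll:read"}],
        "ownerManagedAccess": True,
        "attributes": {},
    }
    key = ("client-uuid", "res-1")
    rename = {"name": "payroll-api-v2"}

    naive = StandInAdmin({key: copy.deepcopy(resource)})
    naive.update_client_authz_resource(*key, rename)  # sends only the changed field
    after_naive = naive.get_client_authz_resource(*key)

    safe = StandInAdmin({key: copy.deepcopy(resource)})
    at_risk = safe_update_authz_resource(safe, *key, rename)
    after_safe = safe.get_client_authz_resource(*key)
    return after_naive, after_safe, at_risk


if __name__ == "__main__":
    naive_result, safe_result, reset_candidates = demo()
    print("bare update   :", naive_result)
    print("merged update :", safe_result)
    print("fields at risk:", reset_candidates)
```
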

delete_client_authz_resource(client_id: str, resource_id: str)[source]

Delete a client resource.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

get_client_authz_resources(client_id)[source]

Get resources from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (ResourceRepresentation)

Return type:

list

get_client_authz_resource(client_id: str, resource_id: str)[source]

Get a client resource.

Parameters:
Returns:

Keycloak server response (ResourceRepresentation)

Return type:

dict

create_client_authz_role_based_policy(client_id, payload, skip_exists=False)[source]

Create role-based policy of client.

Payload example:

payload={
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Policy-1",
    "roles": [
        {
            "id": id
        }
    ]
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

create_client_authz_policy(client_id, payload, skip_exists=False)[source]

Create an authz policy of client.

Payload example:

payload={
    "name": "Policy-time-based",
    "type": "time",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
        "hourEnd": "18",
        "hour": "9"
    }
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

create_client_authz_resource_based_permission(client_id, payload, skip_exists=False)[source]

Create resource-based permission of client.

Payload example:

payload={
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name",
    "resources": [
        resource_id
    ],
    "policies": [
        policy_id
    ]
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

get_client_authz_scopes(client_id)[source]

Get scopes from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

create_client_authz_scopes(client_id, payload)[source]

Create scopes for client.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

get_client_authz_permissions(client_id)[source]

Get permissions from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

get_client_authz_policies(client_id)[source]

Get policies from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

delete_client_authz_policy(client_id, policy_id)[source]

Delete a policy from client.

Parameters:
Returns:

Keycloak server response

Return type:

dict

get_client_authz_policy(client_id, policy_id)[source]

Get a policy from client.

Parameters:
Returns:

Keycloak server response

Return type:

dict

get_client_service_account_user(client_id)[source]

Get service account user from client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

UserRepresentation

Return type:

dict

get_client_default_client_scopes(client_id)[source]

Get all default client scopes from client.

Parameters:

client_id (str) – id of the client in which the new default client scope should be added

Returns:

list of client scopes with id and name

Return type:

list

add_client_default_client_scope(client_id, client_scope_id, payload)[source]

Add a client scope to the default client scopes from client.

Payload example:

payload={
    "realm":"testrealm",
    "client":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "clientScopeId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}

Parameters:
  • client_id (str) – id of the client in which the new default client scope should be added

  • client_scope_id (str) – id of the new client scope that should be added

  • payload (dict) – dictionary with realm, client and clientScopeId

Returns:

Http response

Return type:

bytes

delete_client_default_client_scope(client_id, client_scope_id)[source]

Delete a client scope from the default client scopes of the client.

Parameters:
  • client_id (str) – id of the client in which the default client scope should be deleted

  • client_scope_id (str) – id of the client scope that should be deleted

Returns:

list of client scopes with id and name

Return type:

list

get_client_optional_client_scopes(client_id)[source]

Get all optional client scopes from client.

Parameters:

client_id (str) – id of the client in which the new optional client scope should be added

Returns:

list of client scopes with id and name

Return type:

list

add_client_optional_client_scope(client_id, client_scope_id, payload)[source]

Add a client scope to the optional client scopes from client.

Payload example:

payload={
    "realm":"testrealm",
    "client":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "clientScopeId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}

Parameters:
  • client_id (str) – id of the client in which the new optional client scope should be added

  • client_scope_id (str) – id of the new client scope that should be added

  • payload (dict) – dictionary with realm, client and clientScopeId

Returns:

Http response

Return type:

bytes

delete_client_optional_client_scope(client_id, client_scope_id)[source]

Delete a client scope from the optional client scopes of the client.

Parameters:
  • client_id (str) – id of the client in which the optional client scope should be deleted

  • client_scope_id (str) – id of the client scope that should be deleted

Returns:

list of client scopes with id and name

Return type:

list

create_initial_access_token(count: int = 1, expiration: int = 1)[source]

Create an initial access token.

Parameters:
  • count (int) – Number of clients that can be registered

  • expiration (int) – Days until expiration

Returns:

initial access token

Return type:

str

create_client(payload, skip_exists=False)[source]

Create a client.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • skip_exists (bool) – If true then do not raise an error if client already exists

  • payload (dict) – ClientRepresentation

Returns:

Client ID

Return type:

str

update_client(client_id, payload)[source]

Update a client.

Parameters:
  • client_id (str) – Client id

  • payload (dict) – ClientRepresentation

Returns:

Http response

Return type:

bytes

delete_client(client_id)[source]

Delete a client.

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:

client_id (str) – keycloak client id (not oauth client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

get_client_installation_provider(client_id, provider_id)[source]

Get content for given installation provider.

Related documentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clients_resource

Possible provider_id list available in the ServerInfoRepresentation#clientInstallations https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_serverinforepresentation

Parameters:
  • client_id (str) – Client id

  • provider_id (str) – provider id to specify response format

Returns:

Installation providers

Return type:

list

get_realm_roles(brief_representation=True, search_text='')[source]

Get all roles for the realm or client.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • brief_representation (bool) – whether to omit role attributes in the response

  • search_text (str) – optional search text to limit the returned result.

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

get_realm_role_groups(role_name, query=None, brief_representation=True)[source]

Get role groups of realm by role name.

Parameters:
Returns:

Keycloak Server Response (GroupRepresentation)

Return type:

list

get_realm_role_members(role_name, query=None)[source]

Get role members of realm by role name.

Parameters:
Returns:

Keycloak Server Response (UserRepresentation)

Return type:

list

get_default_realm_role_id()[source]

Get the ID of the default realm role.

Returns:

Realm role ID

Return type:

str

get_realm_default_roles()[source]

Get all the default realm roles.

Returns:

Keycloak Server Response (UserRepresentation)

Return type:

list

remove_realm_default_roles(payload)[source]

Remove a set of default realm roles.

Parameters:

payload (list) – List of RoleRepresentations

Returns:

Keycloak Server Response

Return type:

dict

add_realm_default_roles(payload)[source]

Add a set of default realm roles.

Parameters:

payload (list) – List of RoleRepresentations

Returns:

Keycloak Server Response

Return type:

dict

get_client_roles(client_id, brief_representation=True)[source]

Get all roles for the client.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

get_client_role(client_id, role_name)[source]

Get client role id by name.

This is required for further actions with this role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

role_id

Return type:

str

get_client_role_id(client_id, role_name)[source]

Get client role id by name.

This is required for further actions with this role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

role_id

Return type:

str

create_client_role(client_role_id, payload, skip_exists=False)[source]

Create a client role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • payload (dict) – RoleRepresentation

  • skip_exists (bool) – If true then do not raise an error if client role already exists

Returns:

Client role name

Return type:

str

add_composite_client_roles_to_role(client_role_id, role_name, roles)[source]

Add composite roles to client role.

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be updated

Returns:

Keycloak server response

Return type:

bytes

remove_composite_client_roles_from_role(client_role_id, role_name, roles)[source]

Remove composite roles from a client role.

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be removed

Returns:

Keycloak server response

Return type:

bytes

update_client_role(client_id, role_name, payload)[source]

Update a client role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

  • payload (dict) – RoleRepresentation

Returns:

Keycloak server response

Return type:

bytes

delete_client_role(client_role_id, role_name)[source]

Delete a client role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

Keycloak server response

Return type:

bytes

assign_client_role(user_id, client_id, roles)[source]

Assign a client role to a user.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

get_client_role_members(client_id, role_name, **query)[source]

Get members by client role.

Parameters:
Returns:

Keycloak server response (UserRepresentation)

Return type:

list

get_client_role_groups(client_id, role_name, **query)[source]

Get group members by client role.

Parameters:
Returns:

Keycloak server response

Return type:

list

get_role_by_id(role_id)[source]

Get a specific role’s representation.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – id of role

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

update_role_by_id(role_id, payload)[source]

Update the role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • payload (dict) – RoleRepresentation

  • role_id (str) – id of role

Returns:

Keycloak server response

Return type:

bytes

delete_role_by_id(role_id)[source]

Delete a role by its id.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – id of role

Returns:

Keycloak server response

Return type:

bytes

create_realm_role(payload, skip_exists=False)[source]

Create a new role for the realm or client.

Parameters:
  • payload (dict) – The role (use RoleRepresentation)

  • skip_exists (bool) – If true then do not raise an error if realm role already exists

Returns:

Realm role name

Return type:

str

get_realm_role(role_name)[source]

Get realm role by role name.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_name (str) – role’s name, not id!

Returns:

role

Return type:

dict

get_realm_role_by_id(role_id: str)[source]

Get realm role by role id.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – role’s id, not name!

Returns:

role

Return type:

dict

update_realm_role(role_name, payload)[source]

Update a role for the realm by name.

Parameters:
  • role_name (str) – The name of the role to be updated

  • payload (dict) – The role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

delete_realm_role(role_name)[source]

Delete a role for the realm by name.

Parameters:

role_name (str) – The role name

Returns:

Keycloak server response

Return type:

bytes

add_composite_realm_roles_to_role(role_name, roles)[source]

Add composite roles to the role.

Parameters:
  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be updated

Returns:

Keycloak server response

Return type:

bytes

remove_composite_realm_roles_to_role(role_name, roles)[source]

Remove composite roles from the role.

Parameters:
  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be removed

Returns:

Keycloak server response

Return type:

bytes

get_composite_realm_roles_of_role(role_name)[source]

Get composite roles of the role.

Parameters:

role_name (str) – The name of the role

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

assign_realm_roles_to_client_scope(client_id, roles)[source]

Assign realm roles to a client’s scope.

Parameters:
  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

delete_realm_roles_of_client_scope(client_id, roles)[source]

Delete realm roles of a client’s scope.

Parameters:
  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

get_realm_roles_of_client_scope(client_id)[source]

Get all realm roles for a client’s scope.

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

assign_client_roles_to_client_scope(client_id, client_roles_owner_id, roles)[source]

Assign client roles to a client’s dedicated scope.

To assign roles to a client scope, use add_client_specific_roles_to_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id) who is assigned the roles

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

delete_client_roles_of_client_scope(client_id, client_roles_owner_id, roles)[source]

Delete client roles of a client’s dedicated scope.

To delete roles from a client scope, use remove_client_specific_roles_of_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id) who is assigned the roles

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

get_client_roles_of_client_scope(client_id, client_roles_owner_id)[source]

Get all client roles for a client’s dedicated scope.

To get roles for a client scope, use get_client_specific_roles_of_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id)

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

assign_realm_roles(user_id, roles)[source]

Assign realm roles to a user.

Parameters:
  • user_id (str) – id of user

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

delete_realm_roles_of_user(user_id, roles)[source]

Delete realm roles of a user.

Parameters:
  • user_id (str) – id of user

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

get_realm_roles_of_user(user_id)[source]

Get all realm roles for a user.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

get_available_realm_roles_of_user(user_id)[source]

Get all available (i.e. unassigned) realm roles for a user.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

get_composite_realm_roles_of_user(user_id, brief_representation=True)[source]

Get all composite (i.e. implicit) realm roles for a user.

Parameters:
  • user_id (str) – id of user

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list
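
Added example, not part of the python-keycloak documentation: a least-privilege check that combines get_realm_roles_of_user, get_composite_realm_roles_of_user and get_composite_realm_roles_of_role to report which realm roles a user holds only implicitly and through which composite chain. FakeAdmin and its role names are constructed stand-ins so the code runs offline; the code assumes the composite call returns the user's effective roles (direct ones included) and that role dicts carry the RoleRepresentation fields name, composite and clientRole.

```python
from collections import deque


def audit_realm_roles(admin, user_id, sensitive):
    """Report direct vs. implicit realm roles and explain sensitive grants.

    `admin` is any object exposing the three documented calls used below,
    for example a KeycloakAdmin instance. `sensitive` is the caller's own
    list of role names that should never be granted by accident.
    """
    direct_reps = admin.get_realm_roles_of_user(user_id)
    direct = {r["name"] for r in direct_reps}
    effective = {
        r["name"] for r in admin.get_composite_realm_roles_of_user(user_id)
    }
    wanted = set(sensitive) & effective

    # Breadth-first walk from each directly assigned role, so the first path
    # found to a sensitive role is also the shortest one.
    paths = {}
    visited = set()
    queue = deque((rep, [rep["name"]]) for rep in direct_reps)
    while queue and len(paths) < len(wanted):
        role, path = queue.popleft()
        name = role["name"]
        if name in visited:  # guards against repeated or cyclic composites
            continue
        visited.add(name)
        if name in wanted:
            paths[name] = path
        # Skip the extra request for roles known not to be composite; if the
        # flag is missing from the representation, query anyway.
        if not role.get("composite", True):
            continue
        for child in admin.get_composite_realm_roles_of_role(name):
            if child.get("clientRole"):  # this audit covers realm roles only
                continue
            queue.append((child, path + [child["name"]]))

    return {
        "direct": sorted(direct),
        "implicit": sorted(effective - direct),
        "sensitive_paths": paths,
    }


class FakeAdmin:
    """Constructed in-memory stand-in for KeycloakAdmin (sample data only)."""

    # Constructed composite graph; the support <-> helpdesk-lead cycle is
    # there to exercise the visited check above.
    COMPOSITES = {
        "support": ["user-viewer", "helpdesk-lead"],
        "helpdesk-lead": ["user-manager", "support"],
    }
    DIRECT = {"u-1": ["support", "offline_access"]}

    def _rep(self, name):
        return {
            "name": name,
            "composite": name in self.COMPOSITES,
            "clientRole": False,
        }

    def get_realm_roles_of_user(self, user_id):
        return [self._rep(n) for n in self.DIRECT[user_id]]

    def get_composite_realm_roles_of_role(self, role_name):
        return [self._rep(n) for n in self.COMPOSITES.get(role_name, [])]

    def get_composite_realm_roles_of_user(self, user_id, brief_representation=True):
        seen, todo = set(), list(self.DIRECT[user_id])
        while todo:
            name = todo.pop()
            if name not in seen:
                seen.add(name)
                todo.extend(self.COMPOSITES.get(name, []))
        return [self._rep(n) for n in sorted(seen)]


if __name__ == "__main__":
    report = audit_realm_roles(FakeAdmin(), "u-1", ["user-manager"])
    for role, path in report["sensitive_paths"].items():
        print(f"{role}: granted via {' -> '.join(path)}")
```

A path with a single element means the sensitive role is assigned directly; longer paths name the composite roles to review before removing anything.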

assign_group_realm_roles(group_id, roles)[source]

Assign realm roles to a group.

Parameters:
  • group_id (str) – id of group

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

delete_group_realm_roles(group_id, roles)[source]

Delete realm roles of a group.

Parameters:
  • group_id (str) – id of group

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

get_group_realm_roles(group_id, brief_representation=True)[source]

Get all realm roles for a group.

Parameters:
  • group_id (str) – id of the group

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

assign_group_client_roles(group_id, client_id, roles)[source]

Assign client roles to a group.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

get_group_client_roles(group_id, client_id)[source]

Get client roles of a group.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response

Return type:

list

delete_group_client_roles(group_id, client_id, roles)[source]

Delete client roles of a group.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

bytes

get_all_roles_of_user(user_id)[source]

Get all level roles for a user.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

get_client_roles_of_user(user_id, client_id)[source]

Get all client roles for a user.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

get_available_client_roles_of_user(user_id, client_id)[source]

Get available client role-mappings for a user.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

get_composite_client_roles_of_user(user_id, client_id, brief_representation=False)[source]

Get composite client role-mappings for a user.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

_get_client_roles_of_user(client_level_role_mapping_url, user_id, client_id, **params)[source]

Get client roles of a single user helper.

Parameters:
  • client_level_role_mapping_url (str) – Url for the client role mapping

  • user_id (str) – User id

  • client_id (str) – Client id

  • params (dict) – Additional parameters

Returns:

Client roles of a user

Return type:

list

delete_client_roles_of_user(user_id, client_id, roles)[source]

Delete client roles from a user.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client containing role (not client-id)

  • roles (list) – roles list or role to delete (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

get_authentication_flows()[source]

Get authentication flows.

Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Returns:

Keycloak server response (AuthenticationFlowRepresentation)

Return type:

list

get_authentication_flow_for_id(flow_id)[source]

Get one authentication flow by its id.

Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:

flow_id (str) – the id of a flow, NOT its alias

Returns:

Keycloak server response (AuthenticationFlowRepresentation)

Return type:

dict

create_authentication_flow(payload, skip_exists=False)[source]

Create a new authentication flow.

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:
  • payload (dict) – AuthenticationFlowRepresentation

  • skip_exists (bool) – Do not raise an error if authentication flow already exists

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

copy_authentication_flow(payload, flow_alias)[source]

Copy existing authentication flow under a new name.

The new name is given as ‘newName’ attribute of the passed payload.

Parameters:
  • payload (dict) – JSON containing ‘newName’ attribute

  • flow_alias (str) – the flow alias

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

delete_authentication_flow(flow_id)[source]

Delete authentication flow.

AuthenticationInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationinforepresentation

Parameters:

flow_id (str) – authentication flow id

Returns:

Keycloak server response

Return type:

bytes

get_authentication_flow_executions(flow_alias)[source]

Get authentication flow executions.

Returns all execution steps

Parameters:

flow_alias (str) – the flow alias

Returns:

Response(json)

Return type:

list

update_authentication_flow_executions(payload, flow_alias)[source]

Update an authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:
  • payload (dict) – AuthenticationExecutionInfoRepresentation

  • flow_alias (str) – The flow alias

Returns:

Keycloak server response

Return type:

bytes

get_authentication_flow_execution(execution_id)[source]

Get authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:

execution_id (str) – the execution ID

Returns:

Response(json)

Return type:

dict

create_authentication_flow_execution(payload, flow_alias)[source]

Create an authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:
  • payload (dict) – AuthenticationExecutionInfoRepresentation

  • flow_alias (str) – The flow alias

Returns:

Keycloak server response

Return type:

bytes

delete_authentication_flow_execution(execution_id)[source]

Delete authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:

execution_id (str) – keycloak client id (not oauth client-id)

Returns:

Keycloak server response (json)

Return type:

bytes

create_authentication_flow_subflow(payload, flow_alias, skip_exists=False)[source]

Create a new sub authentication flow for a given authentication flow.

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:
  • payload (dict) – AuthenticationFlowRepresentation

  • flow_alias (str) – The flow alias

  • skip_exists (bool) – Do not raise an error if authentication flow already exists

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

get_authenticator_providers()[source]

Get authenticator providers list.

Returns:

Authenticator providers

Return type:

list

get_authenticator_provider_config_description(provider_id)[source]

Get authenticator’s provider configuration description.

AuthenticatorConfigInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticatorconfiginforepresentation

Parameters:

provider_id (str) – Provider Id

Returns:

AuthenticatorConfigInfoRepresentation

Return type:

dict

get_authenticator_config(config_id)[source]

Get authenticator configuration.

Returns all configuration details.

Parameters:

config_id (str) – Authenticator config id

Returns:

Response(json)

Return type:

dict

update_authenticator_config(payload, config_id)[source]

Update an authenticator configuration.

AuthenticatorConfigRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticatorconfigrepresentation

Parameters:
  • payload (dict) – AuthenticatorConfigRepresentation

  • config_id (str) – Authenticator config id

Returns:

Response(json)

Return type:

bytes

delete_authenticator_config(config_id)[source]

Delete an authenticator configuration.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authentication_management_resource

Parameters:

config_id (str) – Authenticator config id

Returns:

Keycloak server Response

Return type:

bytes

sync_users(storage_id, action)[source]

Trigger user sync from provider.

Parameters:
  • storage_id (str) – The id of the user storage provider

  • action (str) – Action can be “triggerFullSync” or “triggerChangedUsersSync”

Returns:

Keycloak server response

Return type:

bytes

get_client_scopes()[source]

Get client scopes.

Get representation of the client scopes for the realm we are connected to: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Returns:

Keycloak server response (array of ClientScopeRepresentation)

Return type:

list

get_client_scope(client_scope_id)[source]

Get client scope.

Get representation of the client scopes for the realm we are connected to: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:

client_scope_id (str) – The id of the client scope

Returns:

Keycloak server response (ClientScopeRepresentation)

Return type:

dict

get_client_scope_by_name(client_scope_name)[source]

Get client scope by name.

Get representation of the client scope identified by the client scope name.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:

client_scope_name (str) – Name of the client scope

Returns:

ClientScopeRepresentation or None

Return type:

dict

create_client_scope(payload, skip_exists=False)[source]

Create a client scope.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:
  • payload (dict) – ClientScopeRepresentation

  • skip_exists (bool) – If true then do not raise an error if client scope already exists

Returns:

Client scope id

Return type:

str

update_client_scope(client_scope_id, payload)[source]

Update a client scope.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_client_scopes_resource

Parameters:
  • client_scope_id (str) – The id of the client scope

  • payload (dict) – ClientScopeRepresentation

Returns:

Keycloak server response (ClientScopeRepresentation)

Return type:

bytes

delete_client_scope(client_scope_id)[source]

Delete existing client scope.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_client_scopes_resource

Parameters:

client_scope_id (str) – The id of the client scope

Returns:

Keycloak server response

Return type:

bytes

get_mappers_from_client_scope(client_scope_id)[source]

Get a list of all mappers connected to the client scope.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:

client_scope_id (str) – Client scope id

Returns:

Keycloak server response (ProtocolMapperRepresentation)

Return type:

list

add_mapper_to_client_scope(client_scope_id, payload)[source]

Add a mapper to a client scope.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_create_mapper

Parameters:
  • client_scope_id (str) – The id of the client scope

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

delete_mapper_from_client_scope(client_scope_id, protocol_mapper_id)[source]

Delete a mapper from a client scope.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_delete_mapper

Parameters:
  • client_scope_id (str) – The id of the client scope

  • protocol_mapper_id (str) – Protocol mapper id

Returns:

Keycloak server Response

Return type:

bytes

update_mapper_in_client_scope(client_scope_id, protocol_mapper_id, payload)[source]

Update an existing protocol mapper in a client scope.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:
  • client_scope_id (str) – The id of the client scope

  • protocol_mapper_id (str) – The id of the protocol mapper that exists in the client scope and should be updated

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

get_default_default_client_scopes()[source]

Get default default client scopes.

Return list of default default client scopes

Returns:

Keycloak server response

Return type:

list

delete_default_default_client_scope(scope_id)[source]

Delete default default client scope.

Parameters:

scope_id (str) – default default client scope id

Returns:

Keycloak server response

Return type:

list

add_default_default_client_scope(scope_id)[source]

Add default default client scope.

Parameters:

scope_id (str) – default default client scope id

Returns:

Keycloak server response

Return type:

bytes

get_default_optional_client_scopes()[source]

Get default optional client scopes.

Return list of default optional client scopes

Returns:

Keycloak server response

Return type:

list

delete_default_optional_client_scope(scope_id)[source]

Delete default optional client scope.

Parameters:

scope_id (str) – default optional client scope id

Returns:

Keycloak server response

Return type:

bytes

add_default_optional_client_scope(scope_id)[source]

Add default optional client scope.

Parameters:

scope_id (str) – default optional client scope id

Returns:

Keycloak server response

Return type:

bytes

add_client_specific_roles_to_client_scope(client_scope_id, client_roles_owner_id, roles)[source]

Assign client roles to a client scope.

To assign roles to a client’s dedicated scope, use assign_client_roles_to_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation, must include id and name)

Returns:

Keycloak server response

Return type:

dict

remove_client_specific_roles_of_client_scope(client_scope_id, client_roles_owner_id, roles)[source]

Delete client roles of a client scope.

To delete roles from a client’s dedicated scope, use delete_client_roles_of_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation, must include id and name)

Returns:

Keycloak server response

Return type:

dict

get_client_specific_roles_of_client_scope(client_scope_id, client_roles_owner_id)[source]

Get client roles for a client scope, for a specific client.

To get roles for a client’s dedicated scope, use get_client_roles_of_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

get_all_roles_of_client_scope(client_scope_id)[source]

Get all client roles for a client scope.

To get roles for a client’s dedicated scope, use get_client_roles_of_client_scope.

Parameters:

client_scope_id (str) – client scope id

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

get_mappers_from_client(client_id)[source]

List of all client mappers.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocolmapperrepresentation

Parameters:

client_id (str) – Client id

Returns:

KeycloakServerResponse (list of ProtocolMapperRepresentation)

Return type:

list

add_mapper_to_client(client_id, payload)[source]

Add a mapper to a client.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_create_mapper

Parameters:
  • client_id (str) – The id of the client

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

update_client_mapper(client_id, mapper_id, payload)[source]

Update client mapper.

Parameters:
  • client_id (str) – The id of the client

  • mapper_id (str) – The id of the mapper to be updated

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server response

Return type:

bytes

remove_client_mapper(client_id, client_mapper_id)[source]

Remove a mapper from the client.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:
  • client_id (str) – The id of the client

  • client_mapper_id (str) – The id of the mapper to be deleted

Returns:

Keycloak server response

Return type:

bytes

generate_client_secrets(client_id)[source]

Generate a new secret for the client.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_regeneratesecret

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

get_client_secrets(client_id)[source]

Get representation of the client secrets.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientsecret

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

list

get_components(query=None)[source]

Get components.

Return a list of components, filtered according to query parameters

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

query (dict) – Query parameters (optional)

Returns:

components list

Return type:

list

create_component(payload)[source]

Create a new component.

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

payload (dict) – ComponentRepresentation

Returns:

Component id

Return type:

str

get_component(component_id)[source]

Get representation of the component.

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

component_id (str) – Id of the component

Returns:

ComponentRepresentation

Return type:

dict

update_component(component_id, payload)[source]

Update the component.

Parameters:
Returns:

Http response

Return type:

bytes

delete_component(component_id)[source]

Delete the component.

Parameters:

component_id (str) – Component id

Returns:

Http response

Return type:

bytes

get_keys()[source]

Get keys.

Return a list of keys, filtered according to query parameters

KeysMetadataRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_key_resource

Returns:

keys list

Return type:

list

get_admin_events(query=None)[source]

Get Administrative events.

Return a list of events, filtered according to query parameters

AdminEvents Representation array https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getevents https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_get_adminrealmsrealmadmin_events

Parameters:

query (dict) – Additional query parameters

Returns:

events list

Return type:

list

get_events(query=None)[source]

Get events.

Return a list of events, filtered according to query parameters

EventRepresentation array https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_eventrepresentation

Parameters:

query (dict) – Additional query parameters

Returns:

events list

Return type:

list
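Added example (not part of python-keycloak or its documentation): a detector for failed-login bursts, run over the list that get_events returns. The sample events are constructed; field names follow Keycloak's EventRepresentation, and the window, threshold and pattern labels are assumptions of this example.

```python
from collections import defaultdict

T0 = 1_700_000_000_000  # constructed base timestamp, epoch milliseconds


def make_event(ts, ip, username, etype="LOGIN_ERROR"):
    """Build a constructed event shaped like Keycloak's EventRepresentation."""
    return {
        "time": ts,
        "type": etype,
        "realmId": "demo",
        "clientId": "account",
        "ipAddress": ip,
        "error": "invalid_user_credentials" if etype == "LOGIN_ERROR" else None,
        "details": {"username": username},
    }


# Constructed sample. Against a live server the list would come from
# admin.get_events({"type": "LOGIN_ERROR"}) on a KeycloakAdmin instance.
SAMPLE_EVENTS = (
    [make_event(T0 + i * 2_000, "203.0.113.7", f"user{i}") for i in range(8)]
    + [make_event(T0 + i * 5_000, "198.51.100.9", "alice") for i in range(6)]
    + [make_event(T0 + i * 600_000, "192.0.2.44", "bob") for i in range(3)]
    + [make_event(T0 + 1_000, "192.0.2.44", "bob", etype="LOGIN")]
)


def failed_login_bursts(events, window_ms=60_000, threshold=5, spray_users=3):
    """Return one finding per source IP with >= threshold failures in a window.

    A finding that spans at least `spray_users` distinct usernames is labelled
    "multiple_accounts" (typical of password spraying); otherwise
    "single_account". Both labels are this example's own.
    """
    by_ip = defaultdict(list)
    for ev in events:
        if ev.get("type") != "LOGIN_ERROR" or not ev.get("ipAddress"):
            continue
        username = (ev.get("details") or {}).get("username", "<unknown>")
        by_ip[ev["ipAddress"]].append((ev["time"], username))

    findings = []
    for ip, hits in by_ip.items():
        hits.sort()
        start, best = 0, None
        for end in range(len(hits)):
            # Shrink the window until it spans at most window_ms.
            while hits[end][0] - hits[start][0] > window_ms:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, lo, hi = best
        users = sorted({name for _, name in hits[lo:hi + 1]})
        findings.append({
            "ip": ip,
            "failures": count,
            "usernames": users,
            "pattern": "multiple_accounts" if len(users) >= spray_users else "single_account",
            "first_ms": hits[lo][0],
            "last_ms": hits[hi][0],
        })
    return sorted(findings, key=lambda f: -f["failures"])


if __name__ == "__main__":
    for finding in failed_login_bursts(SAMPLE_EVENTS):
        print(finding)
```

For the usernames in a finding, get_bruteforce_detection_status(user_id) shows whether the realm's own brute force protection has already counted the failures or locked the account.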

set_events(payload)[source]

Set realm events configuration.

RealmEventsConfigRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmeventsconfigrepresentation

Parameters:

payload (dict) – Payload object for the events configuration

Returns:

Http response

Return type:

bytes
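Added example (not from the library): an audit of a RealmEventsConfigRepresentation dict for logging gaps, with a helper that returns a corrected payload suitable for set_events. WEAK_CONFIG is constructed; the 30-day retention floor and the required event types are assumptions of this example.

```python
import copy

# Assumption of this example: the login-related event types an investigation needs.
REQUIRED_TYPES = frozenset({"LOGIN", "LOGIN_ERROR", "LOGOUT", "UPDATE_PASSWORD"})
MIN_RETENTION_S = 30 * 24 * 3600  # assumed policy floor; eventsExpiration is in seconds

# Constructed sample of a weak RealmEventsConfigRepresentation.
WEAK_CONFIG = {
    "eventsEnabled": False,
    "eventsExpiration": 3600,
    "eventsListeners": ["jboss-logging"],
    "enabledEventTypes": ["LOGIN"],
    "adminEventsEnabled": False,
    "adminEventsDetailsEnabled": False,
}


def audit_events_config(cfg, min_retention_s=MIN_RETENTION_S, required=REQUIRED_TYPES):
    """Return a list of gap labels; an empty list means no gap was found."""
    gaps = [key for key in ("eventsEnabled", "adminEventsEnabled",
                            "adminEventsDetailsEnabled") if not cfg.get(key)]
    expiration = cfg.get("eventsExpiration") or 0
    # Assumption: 0 or unset means no expiry is configured, so only a
    # positive value below the floor is reported.
    if 0 < expiration < min_retention_s:
        gaps.append("eventsExpiration")
    types = cfg.get("enabledEventTypes") or []
    # An empty list is left alone here; only an explicit list that omits a
    # required type is reported.
    missing = sorted(set(required) - set(types)) if types else []
    if missing:
        gaps.append("enabledEventTypes:" + ",".join(missing))
    return gaps


def harden_events_config(cfg, min_retention_s=MIN_RETENTION_S, required=REQUIRED_TYPES):
    """Return a corrected copy of cfg; the input dict is not modified."""
    out = copy.deepcopy(cfg)
    out["eventsEnabled"] = True
    out["adminEventsEnabled"] = True
    # Detail recording stores the representation sent with each admin
    # operation, so access to stored admin events should be restricted.
    out["adminEventsDetailsEnabled"] = True
    if 0 < (out.get("eventsExpiration") or 0) < min_retention_s:
        out["eventsExpiration"] = min_retention_s
    if out.get("enabledEventTypes"):
        out["enabledEventTypes"] = sorted(set(out["enabledEventTypes"]) | set(required))
    return out


if __name__ == "__main__":
    print(audit_events_config(WEAK_CONFIG))
    # With a live KeycloakAdmin instance: admin.set_events(harden_events_config(cfg))
    print(harden_events_config(WEAK_CONFIG))
```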

get_client_all_sessions(client_id)[source]

Get sessions associated with the client.

UserSessionRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_usersessionrepresentation

Parameters:

client_id (str) – id of client

Returns:

UserSessionRepresentation

Return type:

list

get_client_sessions_stats()[source]

Get current session count for all clients with active sessions.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientsessionstats

Returns:

Dict of clients and session count

Return type:

dict

get_client_management_permissions(client_id)[source]

Get management permissions for a client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

update_client_management_permissions(payload, client_id)[source]

Update management permissions for a client.

ManagementPermissionReference https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_managementpermissionreference

Payload example:

payload={
    "enabled": True
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

get_client_authz_policy_scopes(client_id, policy_id)[source]

Get scopes for a given policy.

Parameters:
Returns:

Keycloak server response

Return type:

list

get_client_authz_policy_resources(client_id, policy_id)[source]

Get resources for a given policy.

Parameters:
Returns:

Keycloak server response

Return type:

list

get_client_authz_scope_permission(client_id, scope_id)[source]

Get permissions for a given scope.

Parameters:
Returns:

Keycloak server response

Return type:

list

create_client_authz_scope_permission(payload, client_id)[source]

Create permissions for an authz scope.

Payload example:

payload={
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

update_client_authz_scope_permission(payload, client_id, scope_id)[source]

Update permissions for a given scope.

Payload example:

payload={
    "id": scope_id,
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

update_client_authz_resource_permission(payload, client_id, resource_id)[source]

Update permissions for a given resource.

Payload example:

payload={
    "id": resource_id,
    "name": "My Permission Name",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

get_client_authz_client_policies(client_id)[source]

Get policies for a given client.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

get_client_authz_permission_associated_policies(client_id, policy_id)[source]

Get associated policies for a given client permission.

Parameters:
Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

create_client_authz_client_policy(payload, client_id)[source]

Create a new policy for a given client.

Payload example:

payload={
    "type": "client",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [other_client_id],
}

Parameters:
Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

get_composite_client_roles_of_group(client_id, group_id, brief_representation=True)[source]

Get the composite client roles of the given group for the given client.

Parameters:
  • client_id (str) – id of the client.

  • group_id (str) – id of the group.

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

the composite client roles of the group (list of RoleRepresentation).

Return type:

list

get_role_client_level_children(client_id, role_id)[source]

Get the child roles of which the given composite client role is composed.

Parameters:
  • client_id (str) – id of the client.

  • role_id (str) – id of the role.

Returns:

the child roles (list of RoleRepresentation).

Return type:

list

upload_certificate(client_id, certcont)[source]

Upload a new certificate for the client.

Parameters:
  • client_id (str) – id of the client.

  • certcont (str) – the content of the certificate.

Returns:

dictionary {“certificate”: “<certcont>”}, where <certcont> is the content of the uploaded certificate.

Return type:

dict

get_required_action_by_alias(action_alias)[source]

Get a required action by its alias.

Parameters:

action_alias (str) – the alias of the required action.

Returns:

the required action (RequiredActionProviderRepresentation).

Return type:

dict

get_required_actions()[source]

Get the required actions for the realms.

Returns:

the required actions (list of RequiredActionProviderRepresentation).

Return type:

list

update_required_action(action_alias, payload)[source]

Update a required action.

Parameters:
  • action_alias (str) – the action alias.

  • payload (dict) – the new required action (RequiredActionProviderRepresentation).

Returns:

empty dictionary.

Return type:

dict

get_bruteforce_detection_status(user_id)[source]

Get bruteforce detection status for user.

Parameters:

user_id (str) – User id

Returns:

Bruteforce status.

Return type:

dict

clear_bruteforce_attempts_for_user(user_id)[source]

Clear bruteforce attempts for user.

Parameters:

user_id (str) – User id

Returns:

empty dictionary.

Return type:

dict

clear_all_bruteforce_attempts()[source]

Clear bruteforce attempts for all users in realm.

Returns:

empty dictionary.

Return type:

dict

clear_keys_cache()[source]

Clear keys cache.

Returns:

empty dictionary.

Return type:

dict

clear_realm_cache()[source]

Clear realm cache.

Returns:

empty dictionary.

Return type:

dict

clear_user_cache()[source]

Clear user cache.

Returns:

empty dictionary.

Return type:

dict

async a___fetch_all(url, query=None)[source]

Paginate asynchronously over GET requests.

Wrapper function to paginate GET requests.

Parameters:
  • url (str) – The url on which the query is executed

  • query (dict) – Existing query parameters (optional)

Returns:

Combined results of paginated queries

Return type:

list

async a___fetch_paginated(url, query=None)[source]

Make a specific paginated request asynchronously.

Parameters:
  • url (str) – The url on which the query is executed

  • query (dict) – Pagination settings

Returns:

Response

Return type:

dict

async a_get_current_realm() → str[source]

Return the currently configured realm asynchronously.

Returns:

Currently configured realm name

Return type:

str

async a_change_current_realm(realm_name: str) → None[source]

Change the current realm asynchronously.

Parameters:

realm_name (str) – The name of the realm to be configured as current

async a_import_realm(payload)[source]

Import a new realm asynchronously from a RealmRepresentation.

Realm name must be unique.

RealmRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:

payload (dict) – RealmRepresentation

Returns:

RealmRepresentation

Return type:

dict

async a_partial_import_realm(realm_name, payload)[source]

Partial import realm configuration asynchronously from PartialImportRepresentation.

Realm partialImport is used for modifying the configuration of an existing realm.

PartialImportRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_partialimportrepresentation

Parameters:
  • realm_name (str) – Realm name (not the realm id)

  • payload (dict) – PartialImportRepresentation

Returns:

PartialImportResponse

Return type:

dict

async a_export_realm(export_clients=False, export_groups_and_role=False)[source]

Export the realm configurations asynchronously in the json format.

RealmRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_partialexport

Parameters:
  • export_clients (bool) – Skip if you do not want to export realm clients

  • export_groups_and_role (bool) – Skip if you do not want to export realm groups and roles

Returns:

realm configurations JSON

Return type:

dict

async a_get_realms()[source]

List all realms in the Keycloak deployment asynchronously.

Returns:

realms list

Return type:

list

async a_get_realm(realm_name)[source]

Get a specific realm asynchronously.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:

realm_name (str) – Realm name (not the realm id)

Returns:

RealmRepresentation

Return type:

dict

async a_create_realm(payload, skip_exists=False)[source]

Create a realm asynchronously.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:
  • payload (dict) – RealmRepresentation

  • skip_exists (bool) – Skip if the realm already exists.

Returns:

Keycloak server response (RealmRepresentation)

Return type:

dict

async a_update_realm(realm_name, payload)[source]

Update a realm asynchronously.

This will only update top level attributes and will ignore any user, role, or client information in the payload.

RealmRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmrepresentation

Parameters:
  • realm_name (str) – Realm name (not the realm id)

  • payload (dict) – RealmRepresentation

Returns:

Http response

Return type:

dict

async a_delete_realm(realm_name)[source]

Delete a realm asynchronously.

Parameters:

realm_name (str) – Realm name (not the realm id)

Returns:

Http response

Return type:

dict

async a_get_users(query=None)[source]

Get all users asynchronously.

Return a list of users, filtered according to query parameters

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

query (dict) – Query parameters (optional)

Returns:

users list

Return type:

list

async a_create_idp(payload)[source]

Create an ID Provider asynchronously.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Param:

payload: IdentityProviderRepresentation

Returns:

Keycloak server response

Return type:

dict

async a_update_idp(idp_alias, payload)[source]

Update an ID Provider asynchronously.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identity_providers_resource

Param:

idp_alias: alias for IdP to update

Param:

payload: The IdentityProviderRepresentation

Returns:

Keycloak server response

Return type:

dict

async a_add_mapper_to_idp(idp_alias, payload)[source]

Add a mapper to an ID Provider asynchronously.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityprovidermapperrepresentation

Param:

idp_alias: alias for Idp to add mapper in

Param:

payload: IdentityProviderMapperRepresentation

Returns:

Keycloak server response

Return type:

dict

async a_update_mapper_in_idp(idp_alias, mapper_id, payload)[source]

Update an IdP mapper asynchronously.

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_update

Param:

idp_alias: alias for Idp to fetch mappers

Param:

mapper_id: Mapper Id to update

Param:

payload: IdentityProviderMapperRepresentation

Returns:

Http response

Return type:

dict

async a_get_idp_mappers(idp_alias)[source]

Get IDP mappers asynchronously.

Returns a list of ID Providers mappers

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getmappers

Param:

idp_alias: alias for Idp to fetch mappers

Returns:

array IdentityProviderMapperRepresentation

Return type:

list

async a_get_idps()[source]

Get IDPs asynchronously.

Returns a list of ID Providers.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Returns:

array IdentityProviderRepresentation

Return type:

list

async a_get_idp(idp_alias)[source]

Get IDP provider asynchronously.

Get the representation of a specific IDP Provider.

IdentityProviderRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_identityproviderrepresentation

Param:

idp_alias: alias for IdP to get

Returns:

IdentityProviderRepresentation

Return type:

dict

async a_delete_idp(idp_alias)[source]

Delete an ID Provider asynchronously.

Param:

idp_alias: idp alias name

Returns:

Keycloak server response

Return type:

dict

async a_create_user(payload, exist_ok=False)[source]

Create a new user asynchronously.

Username must be unique

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:
  • payload (dict) – UserRepresentation

  • exist_ok (bool) – If False, raise KeycloakGetError if username already exists. Otherwise, return existing user ID.

Returns:

user_id

Return type:

str

async a_users_count(query=None)[source]

Count users asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_users_resource

Parameters:

query (dict) – Query parameters for users count

Returns:

counter

Return type:

int

async a_get_user_id(username)[source]

Get internal keycloak user id from username asynchronously.

This is required for further actions against this user.

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

username (str) – id in UserRepresentation

Returns:

user_id

Return type:

str

async a_get_user(user_id)[source]

Get representation of the user asynchronously.

UserRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userrepresentation

Parameters:

user_id (str) – User id

Returns:

UserRepresentation

async a_get_user_groups(user_id, query=None, brief_representation=True)[source]

Get user groups asynchronously.

Returns a list of groups of which the user is a member

Parameters:
  • user_id (str) – User id

  • query (dict) – Additional query options

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

user groups list

Return type:

list

async a_update_user(user_id, payload)[source]

Update the user asynchronously.

Parameters:
  • user_id (str) – User id

  • payload (dict) – UserRepresentation

Returns:

Http response

Return type:

bytes

async a_disable_user(user_id)[source]

Disable the user asynchronously from the realm. Disabled users cannot log in.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

async a_enable_user(user_id)[source]

Enable the user from the realm asynchronously.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

async a_disable_all_users()[source]

Disable all existing users asynchronously.

async a_enable_all_users()[source]

Enable all existing users asynchronously.

async a_delete_user(user_id)[source]

Delete the user asynchronously.

Parameters:

user_id (str) – User id

Returns:

Http response

Return type:

bytes

async a_set_user_password(user_id, password, temporary=True)[source]

Set up a password for the user asynchronously.

If temporary is True, the user will have to reset the temporary password next time they log in.

https://www.keycloak.org/docs-api/24.0.2/rest-api/#_users_resource https://www.keycloak.org/docs-api/24.0.2/rest-api/#_credentialrepresentation

Parameters:
  • user_id (str) – User id

  • password (str) – New password

  • temporary (bool) – True if password is temporary

Returns:

Response

Return type:

dict

async a_get_credentials(user_id)[source]

Get user credentials asynchronously.

Returns a list of credentials belonging to the user.

CredentialRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_credentialrepresentation

Param:

user_id: user id

Returns:

Keycloak server response (CredentialRepresentation)

Return type:

dict

async a_delete_credential(user_id, credential_id)[source]

Delete credential of the user asynchronously.

CredentialRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_credentialrepresentation

Param:

user_id: user id

Param:

credential_id: credential id

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

async a_user_logout(user_id)[source]

Log out the user.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_logout

Parameters:

user_id (str) – User id

Returns:

Keycloak server response

Return type:

bytes

async a_user_consents(user_id)[source]

Get consents granted by the user asynchronously.

UserConsentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_userconsentrepresentation

Parameters:

user_id (str) – User id

Returns:

List of UserConsentRepresentations

Return type:

list

async a_get_user_social_logins(user_id)[source]

Get user social logins asynchronously.

Returns a list of federated identities/social logins with which the user has been associated.

Parameters:

user_id (str) – User id

Returns:

Federated identities list

Return type:

list

async a_add_user_social_login(user_id, provider_id, provider_userid, provider_username)[source]

Add a federated identity / social login provider asynchronously to the user.

Parameters:
  • user_id (str) – User id

  • provider_id (str) – Social login provider id

  • provider_userid (str) – userid specified by the provider

  • provider_username (str) – username specified by the provider

Returns:

Keycloak server response

Return type:

bytes

async a_delete_user_social_login(user_id, provider_id)[source]

Delete a federated identity / social login provider asynchronously from the user.

Parameters:
  • user_id (str) – User id

  • provider_id (str) – Social login provider id

Returns:

Keycloak server response

Return type:

bytes

async a_send_update_account(user_id, payload, client_id=None, lifespan=None, redirect_uri=None)[source]

Send an update account email to the user asynchronously.

An email contains a link the user can click to perform a set of required actions.

Parameters:
  • user_id (str) – User id

  • payload (list) – A list of actions for the user to complete

  • client_id (str) – Client id (optional)

  • lifespan (int) – Number of seconds after which the generated token expires (optional)

  • redirect_uri (str) – The redirect uri (optional)

Returns:

Keycloak server response

Return type:

bytes

async a_send_verify_email(user_id, client_id=None, redirect_uri=None)[source]

Send a verification email to the user asynchronously.

The email contains a link the user can click to verify their email address.

Parameters:
  • user_id (str) – User id

  • client_id (str) – Client id (optional)

  • redirect_uri (str) – Redirect uri (optional)

Returns:

Keycloak server response

Return type:

bytes

async a_get_sessions(user_id)[source]

Get sessions associated with the user asynchronously.

UserSessionRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_usersessionrepresentation

Parameters:

user_id (str) – Id of user

Returns:

UserSessionRepresentation

Return type:

dict
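Added example (not the library's own code): containing a suspected-compromised account with the coroutines documented above, in the order snapshot sessions, disable, log out, verify. DemoAdmin is a constructed in-memory stand-in so the block runs offline; with a real KeycloakAdmin instance the same contain_account call applies. Treating a_get_sessions as returning a list, and a falsy a_get_user_id result as "not found", are assumptions of this example.

```python
import asyncio


class DemoAdmin:
    """Constructed stand-in exposing the five coroutines contain_account uses."""

    def __init__(self):
        self.users = {"u-123": {"id": "u-123", "username": "alice", "enabled": True}}
        self.sessions = {"u-123": [
            {"id": "s-1", "ipAddress": "203.0.113.7"},
            {"id": "s-2", "ipAddress": "198.51.100.9"},
        ]}
        self.calls = []  # records call order for inspection

    async def a_get_user_id(self, username):
        self.calls.append("a_get_user_id")
        return next((uid for uid, u in self.users.items()
                     if u["username"] == username), None)

    async def a_get_user(self, user_id):
        self.calls.append("a_get_user")
        return dict(self.users[user_id])

    async def a_get_sessions(self, user_id):
        self.calls.append("a_get_sessions")
        return list(self.sessions.get(user_id, []))

    async def a_disable_user(self, user_id):
        self.calls.append("a_disable_user")
        self.users[user_id]["enabled"] = False

    async def a_user_logout(self, user_id):
        self.calls.append("a_user_logout")
        self.sessions[user_id] = []


async def contain_account(admin, username):
    """Disable a user, end their sessions, and report what was verified."""
    user_id = await admin.a_get_user_id(username)
    if not user_id:
        raise LookupError(f"no such user: {username}")

    # Snapshot sessions first: logout destroys this evidence.
    before = list(await admin.a_get_sessions(user_id))

    # Disable before logging out, so no new session can start in between.
    await admin.a_disable_user(user_id)
    await admin.a_user_logout(user_id)

    # Verify both effects instead of trusting the two calls above.
    remaining, user = await asyncio.gather(
        admin.a_get_sessions(user_id), admin.a_get_user(user_id)
    )
    return {
        "user_id": user_id,
        "sessions_before": [{"id": s.get("id"), "ipAddress": s.get("ipAddress")}
                            for s in before],
        "sessions_remaining": len(remaining),
        "contained": user.get("enabled") is False and not remaining,
    }


def run_demo():
    """Run the containment against the stand-in; returns (report, call order)."""
    admin = DemoAdmin()
    report = asyncio.run(contain_account(admin, "alice"))
    return report, admin.calls


if __name__ == "__main__":
    print(run_demo())
```

Access tokens issued before the logout can still be accepted by resource servers that validate them offline until they expire, so short access-token lifetimes bound the containment delay.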

async a_get_server_info()[source]

Get themes, social providers, etc. on this server asynchronously.

ServerInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_serverinforepresentation

Returns:

ServerInfoRepresentation

Return type:

dict

async a_get_groups(query=None, full_hierarchy=False)[source]

Get groups asynchronously.

Returns a list of groups belonging to the realm

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Notice that when using full_hierarchy=True, the response will be a nested structure containing all the children groups. If used with query parameters, the full_hierarchy will be applied to the received groups only.

Parameters:
  • query (dict) – Additional query options

  • full_hierarchy (bool) – If True, return all of the nested children groups, otherwise only the first level children are returned

Returns:

array GroupRepresentation

Return type:

list

async a_get_group(group_id, full_hierarchy=False)[source]

Get group by id asynchronously.

Returns full group details

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group_id (str) – The group id

  • full_hierarchy (bool) – If True, return all of the nested children groups, otherwise only the first level children are returned

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

async a_get_subgroups(group, path)[source]

Get subgroups asynchronously.

Utility function to iterate through nested group structures

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group (dict) – group (GroupRepresentation)

  • path (str) – group path (string)

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

async a_get_group_children(group_id, query=None, full_hierarchy=False)[source]

Get group children by parent id asynchronously.

Returns full group children details

Parameters:
  • group_id (str) – The parent group id

  • query (dict) – Additional query options

  • full_hierarchy (bool) – If True, return all of the nested children groups

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

Raises:

ValueError – If both query and full_hierarchy parameters are used

async a_get_group_members(group_id, query=None)[source]

Get members by group id asynchronously.

Returns group members

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_userrepresentation

Parameters:
Returns:

Keycloak server response (UserRepresentation)

Return type:

list

async a_get_group_by_path(path)[source]

Get group id based on name or path asynchronously.

Returns full group details for a group defined by path

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:

path (str) – group path

Returns:

Keycloak server response (GroupRepresentation)

Return type:

dict

async a_create_group(payload, parent=None, skip_exists=False)[source]

Create a group in the Realm asynchronously.

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • payload (dict) – GroupRepresentation

  • parent (str) – parent group’s id. Required to create a sub-group.

  • skip_exists (bool) – If true then do not raise an error if it already exists

Returns:

Group id for newly created group or None for an existing group

Return type:

str

async a_update_group(group_id, payload)[source]

Update group asynchronously, ignoring subgroups.

GroupRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/#_grouprepresentation

Parameters:
  • group_id (str) – id of group

  • payload (dict) – GroupRepresentation with updated information.

Returns:

Http response

Return type:

bytes

async a_groups_count(query=None)[source]

Count groups asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_groups

Parameters:

query (dict) – Query parameters for groups count

Returns:

Keycloak Server Response

Return type:

dict

async a_group_set_permissions(group_id, enabled=True)[source]

Enable/Disable permissions for a group asynchronously.

Cannot delete group if disabled

Parameters:
  • group_id (str) – id of group

  • enabled (bool) – Enabled flag

Returns:

Keycloak server response

Return type:

bytes

async a_group_user_add(user_id, group_id)[source]

Add user to group (user_id and group_id) asynchronously.

Parameters:
  • user_id (str) – id of user

  • group_id (str) – id of group to add to

Returns:

Keycloak server response

Return type:

bytes

async a_group_user_remove(user_id, group_id)[source]

Remove user from group (user_id and group_id) asynchronously.

Parameters:
  • user_id (str) – id of user

  • group_id (str) – id of group to remove from

Returns:

Keycloak server response

Return type:

bytes

async a_delete_group(group_id)[source]

Delete a group in the Realm asynchronously.

Parameters:

group_id (str) – id of group to delete

Returns:

Keycloak server response

Return type:

bytes

async a_get_clients()[source]

Get clients asynchronously.

Returns a list of clients belonging to the realm

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (ClientRepresentation)

Return type:

list

async a_get_client(client_id)[source]

Get representation of the client asynchronously.

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

dict

async a_get_client_id(client_id)[source]

Get internal keycloak client id from client-id asynchronously.

This is required for further actions against this client.

Parameters:

client_id (str) – clientId in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

client_id (uuid as string)

Return type:

str

async a_get_client_authz_settings(client_id)[source]

Get authorization json from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

dict

async a_create_client_authz_resource(client_id, payload, skip_exists=False)[source]

Create resources of client asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_update_client_authz_resource(client_id, resource_id, payload)[source]

Update resource of client asynchronously.

Any parameter missing from the ResourceRepresentation in the payload WILL be set to default by the Keycloak server.

Parameters:
Returns:

Keycloak server response

Return type:

bytes
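The warning on a_update_client_authz_resource means an update is a full replacement: a payload that carries only the changed field silently resets the resource's uris and scopes, which changes what the client's permissions protect. The following added example (not part of python-keycloak) shows a read-modify-write wrapper around the two documented calls; FakeAdmin, its default values, the helper name a_patch_authz_resource and the sample resource are constructed assumptions so the code runs without a server.

```python
import asyncio
import copy

CLIENT = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"  # constructed internal client id
RESOURCE = "r-1"                                 # constructed resource id

# Constructed sample ResourceRepresentation held by the fake server.
SAMPLE = {
    RESOURCE: {
        "_id": RESOURCE,
        "name": "invoices",
        "uris": ["/invoices/*"],
        "scopes": [{"name": "read"}],
        "ownerManagedAccess": True,
        "attributes": {},
    }
}


class FakeAdmin:
    """Offline stand-in for KeycloakAdmin (assumption, not the real class).

    It models only the documented behaviour: an update replaces the stored
    resource and every field missing from the payload falls back to a default.
    The default values are illustrative, not taken from Keycloak.
    """

    DEFAULTS = {"uris": [], "scopes": [], "ownerManagedAccess": False, "attributes": {}}

    def __init__(self, resources):
        self._resources = copy.deepcopy(resources)

    async def a_get_client_authz_resource(self, client_id, resource_id):
        return copy.deepcopy(self._resources[resource_id])

    async def a_update_client_authz_resource(self, client_id, resource_id, payload):
        stored = copy.deepcopy(self.DEFAULTS)
        stored.update(copy.deepcopy(payload))
        stored["_id"] = resource_id
        self._resources[resource_id] = stored
        return b""


async def a_patch_authz_resource(admin, client_id, resource_id, changes):
    """Fetch the full representation, apply changes, send everything back.

    After the update the resource is read again and every field that was not
    meant to change is compared, so a silent reset raises instead of passing.
    """
    current = await admin.a_get_client_authz_resource(client_id, resource_id)
    merged = {**current, **changes}
    await admin.a_update_client_authz_resource(client_id, resource_id, merged)
    after = await admin.a_get_client_authz_resource(client_id, resource_id)
    lost = sorted(
        key for key in current
        if key not in changes and after.get(key) != current[key]
    )
    if lost:
        raise RuntimeError(f"fields changed unexpectedly: {lost}")
    return after


def demo_naive():
    """Partial payload sent straight to the update call: uris and scopes reset."""
    admin = FakeAdmin(SAMPLE)

    async def run():
        partial = {"name": "invoices", "displayName": "Invoices"}
        await admin.a_update_client_authz_resource(CLIENT, RESOURCE, partial)
        return await admin.a_get_client_authz_resource(CLIENT, RESOURCE)

    return asyncio.run(run())


def demo_safe():
    """Same change through the read-modify-write helper: nothing else moves."""
    admin = FakeAdmin(SAMPLE)
    changes = {"displayName": "Invoices"}
    return asyncio.run(a_patch_authz_resource(admin, CLIENT, RESOURCE, changes))


if __name__ == "__main__":
    print("naive:", demo_naive())
    print("safe: ", demo_safe())
```

Against a real server, pass a KeycloakAdmin instance as admin; the helper only relies on the two method signatures listed on this page.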

async a_delete_client_authz_resource(client_id: str, resource_id: str)[source]

Delete a client resource asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_get_client_authz_resources(client_id)[source]

Get resources from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (ResourceRepresentation)

Return type:

list

async a_get_client_authz_resource(client_id: str, resource_id: str)[source]

Get a client resource asynchronously.

Parameters:
Returns:

Keycloak server response (ResourceRepresentation)

Return type:

dict

async a_create_client_authz_role_based_policy(client_id, payload, skip_exists=False)[source]

Create role-based policy of client asynchronously.

Payload example:

payload={
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Policy-1",
    "roles": [
        {
            "id": id
        }
    ]
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_create_client_authz_policy(client_id, payload, skip_exists=False)[source]

Create an authz policy of client asynchronously.

Payload example:

payload={
    "name": "Policy-time-based",
    "type": "time",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
        "hourEnd": "18",
        "hour": "9"
    }
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_create_client_authz_resource_based_permission(client_id, payload, skip_exists=False)[source]

Create resource-based permission of client asynchronously.

Payload example:

payload={
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name",
    "resources": [
        resource_id
    ],
    "policies": [
        policy_id
    ]
}
Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_get_client_authz_scopes(client_id)[source]

Get scopes from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

async a_create_client_authz_scopes(client_id, payload)[source]

Create scopes for client asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_get_client_authz_permissions(client_id)[source]

Get permissions from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

async a_get_client_authz_policies(client_id)[source]

Get policies from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

async a_delete_client_authz_policy(client_id, policy_id)[source]

Delete a policy from client asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

dict

async a_get_client_authz_policy(client_id, policy_id)[source]

Get a policy from client asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

dict

async a_get_client_service_account_user(client_id)[source]

Get service account user from client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

UserRepresentation

Return type:

dict

async a_get_client_default_client_scopes(client_id)[source]

Get all default client scopes from client asynchronously.

Parameters:

client_id (str) – id of the client in which the new default client scope should be added

Returns:

list of client scopes with id and name

Return type:

list

async a_add_client_default_client_scope(client_id, client_scope_id, payload)[source]

Add a client scope to the default client scopes from client asynchronously.

Payload example:

payload={
    "realm":"testrealm",
    "client":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "clientScopeId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}
Parameters:
  • client_id (str) – id of the client in which the new default client scope should be added

  • client_scope_id (str) – id of the new client scope that should be added

  • payload (dict) – dictionary with realm, client and clientScopeId

Returns:

Http response

Return type:

bytes

async a_delete_client_default_client_scope(client_id, client_scope_id)[source]

Delete a client scope from the default client scopes of the client asynchronously.

Parameters:
  • client_id (str) – id of the client in which the default client scope should be deleted

  • client_scope_id (str) – id of the client scope that should be deleted

Returns:

list of client scopes with id and name

Return type:

list

async a_get_client_optional_client_scopes(client_id)[source]

Get all optional client scopes from client asynchronously.

Parameters:

client_id (str) – id of the client in which the new optional client scope should be added

Returns:

list of client scopes with id and name

Return type:

list

async a_add_client_optional_client_scope(client_id, client_scope_id, payload)[source]

Add a client scope to the optional client scopes from client asynchronously.

Payload example:

payload={
    "realm":"testrealm",
    "client":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
    "clientScopeId":"bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}
Parameters:
  • client_id (str) – id of the client in which the new optional client scope should be added

  • client_scope_id (str) – id of the new client scope that should be added

  • payload (dict) – dictionary with realm, client and clientScopeId

Returns:

Http response

Return type:

bytes

async a_delete_client_optional_client_scope(client_id, client_scope_id)[source]

Delete a client scope from the optional client scopes of the client asynchronously.

Parameters:
  • client_id (str) – id of the client in which the optional client scope should be deleted

  • client_scope_id (str) – id of the client scope that should be deleted

Returns:

list of client scopes with id and name

Return type:

list

async a_create_initial_access_token(count: int = 1, expiration: int = 1)[source]

Create an initial access token asynchronously.

Parameters:
  • count (int) – Number of clients that can be registered

  • expiration (int) – Days until expiration

Returns:

initial access token

Return type:

str

async a_create_client(payload, skip_exists=False)[source]

Create a client asynchronously.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • skip_exists (bool) – If true then do not raise an error if client already exists

  • payload (dict) – ClientRepresentation

Returns:

Client ID

Return type:

str

async a_update_client(client_id, payload)[source]

Update a client asynchronously.

Parameters:
  • client_id (str) – Client id

  • payload (dict) – ClientRepresentation

Returns:

Http response

Return type:

bytes

async a_delete_client(client_id)[source]

Delete a client asynchronously.

ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:

client_id (str) – keycloak client id (not oauth client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

async a_get_client_installation_provider(client_id, provider_id)[source]

Get content for given installation provider asynchronously.

Related documentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clients_resource

Possible provider_id list available in the ServerInfoRepresentation#clientInstallations https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_serverinforepresentation

Parameters:
  • client_id (str) – Client id

  • provider_id (str) – provider id to specify response format

Returns:

Installation providers

Return type:

list

async a_get_realm_roles(brief_representation=True, search_text='')[source]

Get all roles for the realm or client asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • brief_representation (bool) – whether to omit role attributes in the response

  • search_text (str) – optional search text to limit the returned result.

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

async a_get_realm_role_groups(role_name, query=None, brief_representation=True)[source]

Get role groups of realm by role name asynchronously.

Parameters:
Returns:

Keycloak Server Response (GroupRepresentation)

Return type:

list

async a_get_realm_role_members(role_name, query=None)[source]

Get role members of realm by role name asynchronously.

Parameters:
Returns:

Keycloak Server Response (UserRepresentation)

Return type:

list

async a_get_default_realm_role_id()[source]

Get the ID of the default realm role asynchronously.

Returns:

Realm role ID

Return type:

str

async a_get_realm_default_roles()[source]

Get all the default realm roles asynchronously.

Returns:

Keycloak Server Response (UserRepresentation)

Return type:

list

async a_remove_realm_default_roles(payload)[source]

Remove a set of default realm roles asynchronously.

Parameters:

payload (list) – List of RoleRepresentations

Returns:

Keycloak Server Response

Return type:

dict

async a_add_realm_default_roles(payload)[source]

Add a set of default realm roles asynchronously.

Parameters:

payload (list) – List of RoleRepresentations

Returns:

Keycloak Server Response

Return type:

dict

async a_get_client_roles(client_id, brief_representation=True)[source]

Get all roles for the client asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

async a_get_client_role(client_id, role_name)[source]

Get client role id by name asynchronously.

This is required for further actions with this role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

role_id

Return type:

str

async a_get_client_role_id(client_id, role_name)[source]

Get client role id by name asynchronously.

This is required for further actions with this role.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

role_id

Return type:

str

async a_create_client_role(client_role_id, payload, skip_exists=False)[source]

Create a client role asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • payload (dict) – RoleRepresentation

  • skip_exists (bool) – If true then do not raise an error if client role already exists

Returns:

Client role name

Return type:

str

async a_add_composite_client_roles_to_role(client_role_id, role_name, roles)[source]

Add composite roles to client role asynchronously.

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be updated

Returns:

Keycloak server response

Return type:

bytes

async a_remove_composite_client_roles_from_role(client_role_id, role_name, roles)[source]

Remove composite roles from a client role asynchronously.

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be removed

Returns:

Keycloak server response

Return type:

bytes

async a_update_client_role(client_id, role_name, payload)[source]

Update a client role asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

  • payload (dict) – RoleRepresentation

Returns:

Keycloak server response

Return type:

bytes

async a_delete_client_role(client_role_id, role_name)[source]

Delete a client role asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • client_role_id (str) – id of client (not client-id)

  • role_name (str) – role’s name (not id!)

Returns:

Keycloak server response

Return type:

bytes

async a_assign_client_role(user_id, client_id, roles)[source]

Assign a client role to a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_get_client_role_members(client_id, role_name, **query)[source]

Get members by client role asynchronously.

Parameters:
Returns:

Keycloak server response (UserRepresentation)

Return type:

list

async a_get_client_role_groups(client_id, role_name, **query)[source]

Get group members by client role asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

list

async a_get_role_by_id(role_id)[source]

Get a specific role’s representation asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – id of role

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

async a_update_role_by_id(role_id, payload)[source]

Update the role asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:
  • payload (dict) – RoleRepresentation

  • role_id (str) – id of role

Returns:

Keycloak server response

Return type:

bytes

async a_delete_role_by_id(role_id)[source]

Delete a role by its id asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – id of role

Returns:

Keycloak server response

Return type:

bytes

async a_create_realm_role(payload, skip_exists=False)[source]

Create a new role for the realm or client asynchronously.

Parameters:
  • payload (dict) – The role (use RoleRepresentation)

  • skip_exists (bool) – If true then do not raise an error if realm role already exists

Returns:

Realm role name

Return type:

str

async a_get_realm_role(role_name)[source]

Get realm role by role name asynchronously.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_name (str) – role’s name, not id!

Returns:

role

Return type:

dict

async a_get_realm_role_by_id(role_id: str)[source]

Get realm role by role id.

RoleRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_rolerepresentation

Parameters:

role_id (str) – role’s id, not name!

Returns:

role

Return type:

dict

async a_update_realm_role(role_name, payload)[source]

Update a role for the realm by name asynchronously.

Parameters:
  • role_name (str) – The name of the role to be updated

  • payload (dict) – The role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_delete_realm_role(role_name)[source]

Delete a role for the realm by name asynchronously.

Parameters:

role_name (str) – The role name

Returns:

Keycloak server response

Return type:

bytes

async a_add_composite_realm_roles_to_role(role_name, roles)[source]

Add composite roles to the role asynchronously.

Parameters:
  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be updated

Returns:

Keycloak server response

Return type:

bytes

async a_remove_composite_realm_roles_to_role(role_name, roles)[source]

Remove composite roles from the role asynchronously.

Parameters:
  • role_name (str) – The name of the role

  • roles (list) – roles list or role (use RoleRepresentation) to be removed

Returns:

Keycloak server response

Return type:

bytes

async a_get_composite_realm_roles_of_role(role_name)[source]

Get composite roles of the role asynchronously.

Parameters:

role_name (str) – The name of the role

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_assign_realm_roles_to_client_scope(client_id, roles)[source]

Assign realm roles to a client’s scope asynchronously.

Parameters:
  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

async a_delete_realm_roles_of_client_scope(client_id, roles)[source]

Delete realm roles of a client’s scope asynchronously.

Parameters:
  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

async a_get_realm_roles_of_client_scope(client_id)[source]

Get all realm roles for a client’s scope.

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

async a_assign_client_roles_to_client_scope(client_id, client_roles_owner_id, roles)[source]

Assign client roles to a client’s dedicated scope asynchronously.

To assign roles to a client scope, use a_add_client_specific_roles_to_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id) who is assigned the roles

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

async a_delete_client_roles_of_client_scope(client_id, client_roles_owner_id, roles)[source]

Delete client roles of a client’s dedicated scope asynchronously.

To remove roles from a client scope, use a_remove_client_specific_roles_of_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id) who is assigned the roles

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

dict

async a_get_client_roles_of_client_scope(client_id, client_roles_owner_id)[source]

Get all client roles for a client’s scope asynchronously.

To get roles from a client scope, use a_get_client_roles_of_client_scope.

Parameters:
  • client_id (str) – id of client (not client-id)

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

async a_assign_realm_roles(user_id, roles)[source]

Assign realm roles to a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_delete_realm_roles_of_user(user_id, roles)[source]

Delete realm roles of a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • roles (list) – roles list or role (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_get_realm_roles_of_user(user_id)[source]

Get all realm roles for a user asynchronously.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_get_available_realm_roles_of_user(user_id)[source]

Get all available (i.e. unassigned) realm roles for a user asynchronously.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_get_composite_realm_roles_of_user(user_id, brief_representation=True)[source]

Get all composite (i.e. implicit) realm roles for a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_assign_group_realm_roles(group_id, roles)[source]

Assign realm roles to a group asynchronously.

Parameters:
  • group_id (str) – id of group

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_delete_group_realm_roles(group_id, roles)[source]

Delete realm roles of a group asynchronously.

Parameters:
  • group_id (str) – id of group

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_get_group_realm_roles(group_id, brief_representation=True)[source]

Get all realm roles for a group asynchronously.

Parameters:
  • group_id (str) – id of the group

  • brief_representation (bool) – whether to omit role attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_assign_group_client_roles(group_id, client_id, roles)[source]

Assign client roles to a group asynchronously.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_get_group_client_roles(group_id, client_id)[source]

Get client roles of a group asynchronously.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response

Return type:

list

async a_delete_group_client_roles(group_id, client_id, roles)[source]

Delete client roles of a group asynchronously.

Parameters:
  • group_id (str) – id of group

  • client_id (str) – id of client (not client-id)

  • roles (list) – roles list or role (use GroupRoleRepresentation)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

bytes

async a_get_all_roles_of_user(user_id)[source]

Get all level roles for a user asynchronously.

Parameters:

user_id (str) – id of user

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_get_client_roles_of_user(user_id, client_id)[source]

Get all client roles for a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_get_available_client_roles_of_user(user_id, client_id)[source]

Get available client role-mappings for a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a_get_composite_client_roles_of_user(user_id, client_id, brief_representation=False)[source]

Get composite client role-mappings for a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client (not client-id)

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

list

async a__get_client_roles_of_user(client_level_role_mapping_url, user_id, client_id, **params)[source]

Get client roles of a single user helper asynchronously.

Parameters:
  • client_level_role_mapping_url (str) – Url for the client role mapping

  • user_id (str) – User id

  • client_id (str) – Client id

  • params (dict) – Additional parameters

Returns:

Client roles of a user

Return type:

list

async a_delete_client_roles_of_user(user_id, client_id, roles)[source]

Delete client roles from a user asynchronously.

Parameters:
  • user_id (str) – id of user

  • client_id (str) – id of client containing role (not client-id)

  • roles (list) – roles list or role to delete (use RoleRepresentation)

Returns:

Keycloak server response

Return type:

bytes

async a_get_authentication_flows()[source]

Get authentication flows asynchronously.

Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Returns:

Keycloak server response (AuthenticationFlowRepresentation)

Return type:

list

async a_get_authentication_flow_for_id(flow_id)[source]

Get one authentication flow by its id asynchronously.

Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:

flow_id (str) – the id of a flow, NOT its alias

Returns:

Keycloak server response (AuthenticationFlowRepresentation)

Return type:

dict

async a_create_authentication_flow(payload, skip_exists=False)[source]

Create a new authentication flow asynchronously.

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:
  • payload (dict) – AuthenticationFlowRepresentation

  • skip_exists (bool) – Do not raise an error if authentication flow already exists

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

async a_copy_authentication_flow(payload, flow_alias)[source]

Copy existing authentication flow under a new name asynchronously.

The new name is given as ‘newName’ attribute of the passed payload.

Parameters:
  • payload (dict) – JSON containing ‘newName’ attribute

  • flow_alias (str) – the flow alias

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

async a_delete_authentication_flow(flow_id)[source]

Delete authentication flow asynchronously.

AuthenticationInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationinforepresentation

Parameters:

flow_id (str) – authentication flow id

Returns:

Keycloak server response

Return type:

bytes

async a_get_authentication_flow_executions(flow_alias)[source]

Get authentication flow executions asynchronously.

Returns all execution steps

Parameters:

flow_alias (str) – the flow alias

Returns:

Response(json)

Return type:

list

async a_update_authentication_flow_executions(payload, flow_alias)[source]

Update an authentication flow execution asynchronously.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:
  • payload (dict) – AuthenticationExecutionInfoRepresentation

  • flow_alias (str) – The flow alias

Returns:

Keycloak server response

Return type:

bytes

async a_get_authentication_flow_execution(execution_id)[source]

Get authentication flow execution asynchronously.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:

execution_id (str) – the execution ID

Returns:

Response(json)

Return type:

dict

async a_create_authentication_flow_execution(payload, flow_alias)[source]

Create an authentication flow execution asynchronously.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:
  • payload (dict) – AuthenticationExecutionInfoRepresentation

  • flow_alias (str) – The flow alias

Returns:

Keycloak server response

Return type:

bytes

async a_delete_authentication_flow_execution(execution_id)[source]

Delete authentication flow execution asynchronously.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters:

execution_id (str) – keycloak client id (not oauth client-id)

Returns:

Keycloak server response (json)

Return type:

bytes

async a_create_authentication_flow_subflow(payload, flow_alias, skip_exists=False)[source]

Create a new sub authentication flow for a given authentication flow asynchronously.

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticationflowrepresentation

Parameters:
  • payload (dict) – AuthenticationFlowRepresentation

  • flow_alias (str) – The flow alias

  • skip_exists (bool) – Do not raise an error if authentication flow already exists

Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

async a_get_authenticator_providers()[source]

Get authenticator providers list asynchronously.

Returns:

Authenticator providers

Return type:

list

async a_get_authenticator_provider_config_description(provider_id)[source]

Get authenticator’s provider configuration description asynchronously.

AuthenticatorConfigInfoRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticatorconfiginforepresentation

Parameters:

provider_id (str) – Provider Id

Returns:

AuthenticatorConfigInfoRepresentation

Return type:

dict

async a_get_authenticator_config(config_id)[source]

Get authenticator configuration asynchronously.

Returns all configuration details.

Parameters:

config_id (str) – Authenticator config id

Returns:

Response(json)

Return type:

dict

async a_update_authenticator_config(payload, config_id)[source]

Update an authenticator configuration asynchronously.

AuthenticatorConfigRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authenticatorconfigrepresentation

Parameters:
  • payload (dict) – AuthenticatorConfigRepresentation

  • config_id (str) – Authenticator config id

Returns:

Response(json)

Return type:

bytes

async a_delete_authenticator_config(config_id)[source]

Delete an authenticator configuration asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_authentication_management_resource

Parameters:

config_id (str) – Authenticator config id

Returns:

Keycloak server Response

Return type:

bytes

async a_sync_users(storage_id, action)[source]

Trigger user sync from provider asynchronously.

Parameters:
  • storage_id (str) – The id of the user storage provider

  • action (str) – Action can be “triggerFullSync” or “triggerChangedUsersSync”

Returns:

Keycloak server response

Return type:

bytes

async a_get_client_scopes()[source]

Get client scopes asynchronously.

Get representation of the client scopes for the realm we are connected to: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Returns:

Keycloak server response Array of (ClientScopeRepresentation)

Return type:

list

async a_get_client_scope(client_scope_id)[source]

Get client scope asynchronously.

Get representation of the client scopes for the realm we are connected to: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:

client_scope_id (str) – The id of the client scope

Returns:

Keycloak server response (ClientScopeRepresentation)

Return type:

dict

async a_get_client_scope_by_name(client_scope_name)[source]

Get client scope by name asynchronously.

Get representation of the client scope identified by the client scope name.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:

client_scope_name (str) – Name of the client scope

Returns:

ClientScopeRepresentation or None

Return type:

dict

async a_create_client_scope(payload, skip_exists=False)[source]

Create a client scope asynchronously.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientscopes

Parameters:
  • payload (dict) – ClientScopeRepresentation

  • skip_exists (bool) – If true then do not raise an error if client scope already exists

Returns:

Client scope id

Return type:

str

async a_update_client_scope(client_scope_id, payload)[source]

Update a client scope asynchronously.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_client_scopes_resource

Parameters:
  • client_scope_id (str) – The id of the client scope

  • payload (dict) – ClientScopeRepresentation

Returns:

Keycloak server response (ClientScopeRepresentation)

Return type:

bytes

async a_delete_client_scope(client_scope_id)[source]

Delete existing client scope asynchronously.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_client_scopes_resource

Parameters:

client_scope_id (str) – The id of the client scope

Returns:

Keycloak server response

Return type:

bytes

async a_get_mappers_from_client_scope(client_scope_id)[source]

Get a list of all mappers connected to the client scope asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:

client_scope_id (str) – Client scope id

Returns:

Keycloak server response (ProtocolMapperRepresentation)

Return type:

list

async a_add_mapper_to_client_scope(client_scope_id, payload)[source]

Add a mapper to a client scope asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_create_mapper

Parameters:
  • client_scope_id (str) – The id of the client scope

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

async a_delete_mapper_from_client_scope(client_scope_id, protocol_mapper_id)[source]

Delete a mapper from a client scope asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_delete_mapper

Parameters:
  • client_scope_id (str) – The id of the client scope

  • protocol_mapper_id (str) – Protocol mapper id

Returns:

Keycloak server Response

Return type:

bytes

async a_update_mapper_in_client_scope(client_scope_id, protocol_mapper_id, payload)[source]

Update an existing protocol mapper in a client scope asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:
  • client_scope_id (str) – The id of the client scope

  • protocol_mapper_id (str) – The id of the protocol mapper which exists in the client scope and should be updated

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

async a_get_default_default_client_scopes()[source]

Get default default client scopes asynchronously.

Return list of default default client scopes

Returns:

Keycloak server response

Return type:

list

async a_delete_default_default_client_scope(scope_id)[source]

Delete default default client scope asynchronously.

Parameters:

scope_id (str) – default default client scope id

Returns:

Keycloak server response

Return type:

list

async a_add_default_default_client_scope(scope_id)[source]

Add default default client scope asynchronously.

Parameters:

scope_id (str) – default default client scope id

Returns:

Keycloak server response

Return type:

bytes

async a_get_default_optional_client_scopes()[source]

Get default optional client scopes asynchronously.

Return list of default optional client scopes

Returns:

Keycloak server response

Return type:

list

async a_delete_default_optional_client_scope(scope_id)[source]

Delete default optional client scope asynchronously.

Parameters:

scope_id (str) – default optional client scope id

Returns:

Keycloak server response

Return type:

bytes

async a_add_default_optional_client_scope(scope_id)[source]

Add default optional client scope asynchronously.

Parameters:

scope_id (str) – default optional client scope id

Returns:

Keycloak server response

Return type:

bytes

async a_add_client_specific_roles_to_client_scope(client_scope_id, client_roles_owner_id, roles)[source]

Assign client roles to a client scope asynchronously.

To assign roles to a client’s dedicated scope, use a_assign_client_roles_to_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation, must include id and name)

Returns:

Keycloak server response

Return type:

dict

async a_remove_client_specific_roles_of_client_scope(client_scope_id, client_roles_owner_id, roles)[source]

Delete client roles of a client scope asynchronously.

To delete roles from a client’s dedicated scope, use a_delete_client_roles_of_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

  • roles (list) – roles list or role (use RoleRepresentation, must include id and name)

Returns:

Keycloak server response

Return type:

dict

async a_get_client_specific_roles_of_client_scope(client_scope_id, client_roles_owner_id)[source]

Get all client roles for a client scope asynchronously.

To get roles for a client’s dedicated scope, use a_get_client_roles_of_client_scope.

Parameters:
  • client_scope_id (str) – client scope id

  • client_roles_owner_id (str) – id of client (not client-id) who has the roles

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

async a_get_all_roles_of_client_scope(client_scope_id)[source]

Get all client roles for a client scope.

To get roles for a client’s dedicated scope, use a_get_client_roles_of_client_scope.

Parameters:

client_scope_id (str) – client scope id

Returns:

Keycloak server response (array RoleRepresentation)

Return type:

dict

async a_get_mappers_from_client(client_id)[source]

List of all client mappers asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocolmapperrepresentation

Parameters:

client_id (str) – Client id

Returns:

KeycloakServerResponse (list of ProtocolMapperRepresentation)

Return type:

list

async a_add_mapper_to_client(client_id, payload)[source]

Add a mapper to a client asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_create_mapper

Parameters:
  • client_id (str) – The id of the client

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server Response

Return type:

bytes

async a_update_client_mapper(client_id, mapper_id, payload)[source]

Update client mapper asynchronously.

Parameters:
  • client_id (str) – The id of the client

  • mapper_id (str) – The id of the mapper to be updated

  • payload (dict) – ProtocolMapperRepresentation

Returns:

Keycloak server response

Return type:

bytes

async a_remove_client_mapper(client_id, client_mapper_id)[source]

Remove a mapper from the client asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_protocol_mappers_resource

Parameters:
  • client_id (str) – The id of the client

  • client_mapper_id (str) – The id of the mapper to be deleted

Returns:

Keycloak server response

Return type:

bytes

async a_generate_client_secrets(client_id)[source]

Generate a new secret for the client asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_regeneratesecret

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

bytes

async a_get_client_secrets(client_id)[source]

Get representation of the client secrets asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientsecret

Parameters:

client_id (str) – id of client (not client-id)

Returns:

Keycloak server response (ClientRepresentation)

Return type:

list

async a_get_components(query=None)[source]

Get components asynchronously.

Return a list of components, filtered according to query parameters

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

query (dict) – Query parameters (optional)

Returns:

components list

Return type:

list

async a_create_component(payload)[source]

Create a new component asynchronously.

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

payload (dict) – ComponentRepresentation

Returns:

Component id

Return type:

str

async a_get_component(component_id)[source]

Get representation of the component asynchronously.

ComponentRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_componentrepresentation

Parameters:

component_id (str) – Id of the component

Returns:

ComponentRepresentation

Return type:

dict

async a_update_component(component_id, payload)[source]

Update the component asynchronously.

Parameters:
Returns:

Http response

Return type:

bytes

async a_delete_component(component_id)[source]

Delete the component asynchronously.

Parameters:

component_id (str) – Component id

Returns:

Http response

Return type:

bytes

async a_get_keys()[source]

Get keys asynchronously.

Return a list of keys, filtered according to query parameters

KeysMetadataRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_key_resource

Returns:

keys list

Return type:

list

async a_get_admin_events(query=None)[source]

Get Administrative events asynchronously.

Return a list of events, filtered according to query parameters

AdminEvents Representation array https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getevents https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_get_adminrealmsrealmadmin_events

Parameters:

query (dict) – Additional query parameters

Returns:

events list

Return type:

list
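One defensive use of a_get_admin_events is to triage the returned events for changes that affect authentication or token contents. The following is an added example, not part of python-keycloak: the rule tables, the resourcePath patterns and SAMPLE_EVENTS are constructed assumptions to be checked against your own realm's event log, and `admin` is any connected KeycloakAdmin.

```python
import asyncio
import re
from datetime import datetime, timezone

# (resourceType, operationType) pairs of AdminEventRepresentation that change
# how the realm authenticates users or what ends up inside issued tokens.
TYPE_RULES = {
    ("AUTHENTICATOR_CONFIG", "UPDATE"): "authenticator config changed",
    ("AUTHENTICATOR_CONFIG", "DELETE"): "authenticator config deleted",
    ("PROTOCOL_MAPPER", "CREATE"): "protocol mapper added",
    ("PROTOCOL_MAPPER", "UPDATE"): "protocol mapper changed",
    ("CLIENT_SCOPE", "CREATE"): "client scope created",
    ("CLIENT_SCOPE", "DELETE"): "client scope deleted",
    ("COMPONENT", "CREATE"): "component (federation/key provider) created",
    ("COMPONENT", "DELETE"): "component (federation/key provider) deleted",
}

# resourcePath patterns (assumed layout, relative to the realm).
PATH_RULES = [
    (re.compile(r"^clients/[^/]+/client-secret$"), "client secret regenerated"),
    (re.compile(r"^events/config$"), "event logging configuration changed"),
    (re.compile(r"^attack-detection/brute-force/users"), "brute-force counters cleared"),
]


def classify(event):
    """Return the list of reasons this admin event deserves review (may be empty)."""
    reasons = []
    key = (event.get("resourceType"), event.get("operationType"))
    if key in TYPE_RULES:
        reasons.append(TYPE_RULES[key])
    path = event.get("resourcePath") or ""
    reasons += [why for rx, why in PATH_RULES if rx.search(path)]
    return reasons


def triage(events, known_admin_ips=frozenset()):
    """Turn raw admin events into time-ordered findings for an analyst."""
    findings = []
    for ev in sorted(events, key=lambda e: e.get("time", 0)):
        reasons = classify(ev)
        if not reasons:
            continue
        auth = ev.get("authDetails") or {}
        ip = auth.get("ipAddress")
        when = datetime.fromtimestamp(ev.get("time", 0) / 1000, tz=timezone.utc)
        findings.append({
            "when": when.isoformat(),              # 'time' is epoch milliseconds
            "actor": auth.get("userId"),
            "ip": ip,
            "unknown_ip": ip not in known_admin_ips,
            "failed": "error" in ev,                # failed attempts are signal too
            "reasons": reasons,
            "path": ev.get("resourcePath"),
        })
    return findings


async def fetch_and_triage(admin, query=None, known_admin_ips=frozenset()):
    """Fetch admin events through a connected KeycloakAdmin and triage them."""
    events = await admin.a_get_admin_events(query=query or {})
    return triage(events, known_admin_ips)


# Constructed sample records shaped like AdminEventRepresentation.
SAMPLE_EVENTS = [
    {"time": 1714557600000, "operationType": "ACTION", "resourceType": "CLIENT",
     "resourcePath": "clients/00000000-0000-0000-0000-000000000001/client-secret",
     "authDetails": {"userId": "admin-a", "ipAddress": "10.0.0.5"}},
    {"time": 1714557000000, "operationType": "CREATE", "resourceType": "PROTOCOL_MAPPER",
     "resourcePath": "client-scopes/0002/protocol-mappers/models/0003",
     "authDetails": {"userId": "admin-b", "ipAddress": "203.0.113.7"}},
    {"time": 1714558000000, "operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/0004",
     "authDetails": {"userId": "admin-a", "ipAddress": "10.0.0.5"}},
    {"time": 1714558800000, "operationType": "UPDATE", "resourceType": "REALM",
     "resourcePath": "events/config",
     "authDetails": {"userId": "admin-b", "ipAddress": "203.0.113.7"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, known_admin_ips={"10.0.0.5"}):
        print(finding)
```

Admin events are only recorded when admin event saving is enabled in the realm's events configuration, so an empty result does not by itself mean that nothing changed.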

async a_get_events(query=None)[source]

Get events asynchronously.

Return a list of events, filtered according to query parameters

EventRepresentation array https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_eventrepresentation

Parameters:

query (dict) – Additional query parameters

Returns:

events list

Return type:

list

async a_set_events(payload)[source]

Set realm events configuration asynchronously.

RealmEventsConfigRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_realmeventsconfigrepresentation

Parameters:

payload (dict) – Payload object for the events configuration

Returns:

Http response

Return type:

bytes

async a_get_client_all_sessions(client_id)[source]

Get sessions associated with the client asynchronously.

UserSessionRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_usersessionrepresentation

Parameters:

client_id (str) – id of client

Returns:

UserSessionRepresentation

Return type:

list

async a_get_client_sessions_stats()[source]

Get current session count for all clients with active sessions asynchronously.

https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_getclientsessionstats

Returns:

Dict of clients and session count

Return type:

dict

async a_get_client_management_permissions(client_id)[source]

Get management permissions for a client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response

Return type:

list

async a_update_client_management_permissions(payload, client_id)[source]

Update management permissions for a client asynchronously.

ManagementPermissionReference https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_managementpermissionreference

Payload example:

payload={
    "enabled": True
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_get_client_authz_policy_scopes(client_id, policy_id)[source]

Get scopes for a given policy asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

list

async a_get_client_authz_policy_resources(client_id, policy_id)[source]

Get resources for a given policy asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

list

async a_get_client_authz_scope_permission(client_id, scope_id)[source]

Get permissions for a given scope asynchronously.

Parameters:
Returns:

Keycloak server response

Return type:

list

async a_create_client_authz_scope_permission(payload, client_id)[source]

Create permissions for an authz scope asynchronously.

Payload example:

payload={
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_update_client_authz_scope_permission(payload, client_id, scope_id)[source]

Update permissions for a given scope asynchronously.

Payload example:

payload={
    "id": scope_id,
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_update_client_authz_resource_permission(payload, client_id, resource_id)[source]

Update permissions for a given resource asynchronously.

Payload example:

payload={
    "id": resource_id,
    "name": "My Permission Name",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [],
    "policies": [some_policy_id],
}

Parameters:
Returns:

Keycloak server response

Return type:

bytes

async a_get_client_authz_client_policies(client_id)[source]

Get policies for a given client asynchronously.

Parameters:

client_id (str) – id in ClientRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

async a_get_client_authz_permission_associated_policies(client_id, policy_id)[source]

Get associated policies for a given client permission asynchronously.

Parameters:
Returns:

Keycloak server response (RoleRepresentation)

Return type:

list

async a_create_client_authz_client_policy(payload, client_id)[source]

Create a new policy for a given client asynchronously.

Payload example:

payload={
    "type": "client",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [other_client_id],
}

Parameters:
Returns:

Keycloak server response (RoleRepresentation)

Return type:

bytes

async a_get_composite_client_roles_of_group(client_id, group_id, brief_representation=True)[source]

Get the composite client roles of the given group for the given client asynchronously.

Parameters:
  • client_id (str) – id of the client.

  • group_id (str) – id of the group.

  • brief_representation (bool) – whether to omit attributes in the response

Returns:

the composite client roles of the group (list of RoleRepresentation).

Return type:

list

async a_get_role_client_level_children(client_id, role_id)[source]

Get the child roles of which the given composite client role is composed, asynchronously.

Parameters:
  • client_id (str) – id of the client.

  • role_id (str) – id of the role.

Returns:

the child roles (list of RoleRepresentation).

Return type:

list

async a_upload_certificate(client_id, certcont)[source]

Upload a new certificate for the client asynchronously.

Parameters:
  • client_id (str) – id of the client.

  • certcont (str) – the content of the certificate.

Returns:

dictionary {“certificate”: “<certcont>”}, where <certcont> is the content of the uploaded certificate.

Return type:

dict

async a_get_required_action_by_alias(action_alias)[source]

Get a required action by its alias asynchronously.

Parameters:

action_alias (str) – the alias of the required action.

Returns:

the required action (RequiredActionProviderRepresentation).

Return type:

dict

async a_get_required_actions()[source]

Get the required actions for the realms asynchronously.

Returns:

the required actions (list of RequiredActionProviderRepresentation).

Return type:

list

async a_update_required_action(action_alias, payload)[source]

Update a required action asynchronously.

Parameters:
  • action_alias (str) – the action alias.

  • payload (dict) – the new required action (RequiredActionProviderRepresentation).

Returns:

empty dictionary.

Return type:

dict

async a_get_bruteforce_detection_status(user_id)[source]

Get bruteforce detection status for user asynchronously.

Parameters:

user_id (str) – User id

Returns:

Bruteforce status.

Return type:

dict

async a_clear_bruteforce_attempts_for_user(user_id)[source]

Clear bruteforce attempts for user asynchronously.

Parameters:

user_id (str) – User id

Returns:

empty dictionary.

Return type:

dict

async a_clear_all_bruteforce_attempts()[source]

Clear bruteforce attempts for all users in realm asynchronously.

Returns:

empty dictionary.

Return type:

dict

async a_clear_keys_cache()[source]

Clear keys cache asynchronously.

Returns:

empty dictionary.

Return type:

dict

async a_clear_realm_cache()[source]

Clear realm cache asynchronously.

Returns:

empty dictionary.

Return type:

dict

async a_clear_user_cache()[source]

Clear user cache asynchronously.

Returns:

empty dictionary.

Return type:

dict

class keycloak.KeycloakOpenID(server_url, realm_name, client_id, client_secret_key=None, verify=True, custom_headers=None, proxies=None, timeout=60, cert=None, max_retries=1)[source]

Keycloak OpenID client.

Parameters:
  • server_url – Keycloak server url

  • client_id – client id

  • realm_name – realm name

  • client_secret_key – client secret key

  • verify – Boolean value to enable or disable certificate validation or a string containing a path to a CA bundle to use

  • custom_headers – dict of custom headers to pass with each HTTP request

  • proxies – dict of proxies to send the request through.

  • timeout – connection timeout in seconds

  • cert – An SSL certificate used by the requested host to authenticate the client. Either a path to an SSL certificate file, or two-tuple of (certificate file, key file).

  • max_retries (int) – The total number of times to retry HTTP requests.

property client_id

Get client id.

Returns:

Client id

Return type:

str

property client_secret_key

Get the client secret key.

Returns:

Client secret key

Return type:

str

property realm_name

Get the realm name.

Returns:

Realm name

Return type:

str

headers

property connection

Get connection.

Returns:

Connection manager object

Return type:

ConnectionManager

property authorization

Get authorization.

Returns:

The authorization manager

Return type:

Authorization

_add_secret_key(payload)[source]

Add secret key if exists.

Parameters:

payload (dict) – Payload

Returns:

Payload with the secret key

Return type:

dict

_build_name_role(role)[source]

Build name of a role.

Parameters:

role (str) – Role name

Returns:

Role path

Return type:

str

_token_info(token, method_token_info, **kwargs)[source]

Getter for the token data.

Parameters:
  • token (str) – Token

  • method_token_info (str) – Token info method to use

  • kwargs (dict) – Additional keyword arguments passed to the decode_token method

Returns:

Token info

Return type:

dict

well_known()[source]

Get the well_known object.

The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

auth_url(redirect_uri, scope='email', state='', nonce='')[source]

Get authorization URL endpoint.

Parameters:
  • redirect_uri (str) – Redirect url to receive oauth code

  • scope (str) – Scope of the authorization request; multiple scopes are separated by a space

  • state (str) – State will be returned to the redirect_uri

  • nonce (str) – Associates a Client session with an ID Token to mitigate replay attacks

Returns:

Authorization URL Full Build

Return type:

str
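The state and nonce parameters only protect a login if the application generates them unpredictably, binds them to the browser session, and checks them when the user returns. The following added example (not code from python-keycloak) shows that round trip using auth_url, token and decode_token as documented on this page; `session`, `LoginError` and the session key names are assumptions of the example, and `oidc` is any configured KeycloakOpenID.

```python
import hmac
import secrets


class LoginError(Exception):
    """Raised when the authorization response cannot be tied to this session."""


def _same(expected, received):
    # Constant-time comparison; bytes avoid TypeError on non-ASCII input.
    return bool(expected) and hmac.compare_digest(
        expected.encode(), str(received or "").encode()
    )


def begin_login(oidc, session, redirect_uri):
    """Create one-time state/nonce values, remember them, return the login URL."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    # The default scope of auth_url is 'email'; 'openid' is requested here so
    # that the token response contains an ID token carrying the nonce claim.
    return oidc.auth_url(
        redirect_uri=redirect_uri, scope="openid email", state=state, nonce=nonce
    )


def finish_login(oidc, session, callback_params, redirect_uri):
    """Validate the redirect back from Keycloak and return the ID token claims."""
    # pop() makes both values single-use, so a replayed callback fails.
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)

    if not _same(expected_state, callback_params.get("state")):
        raise LoginError("state mismatch: response does not belong to this session")
    if "error" in callback_params:
        raise LoginError(f"authorization failed: {callback_params['error']}")
    if not callback_params.get("code"):
        raise LoginError("authorization code missing")

    tokens = oidc.token(
        grant_type="authorization_code",
        code=callback_params["code"],
        redirect_uri=redirect_uri,
    )
    if "id_token" not in tokens:
        raise LoginError("no ID token returned; was the 'openid' scope granted?")

    # validate=True (the default) checks the signature against the realm key.
    claims = oidc.decode_token(tokens["id_token"], validate=True)
    if not _same(expected_nonce, claims.get("nonce")):
        raise LoginError("nonce mismatch: ID token was not issued for this login")
    return claims
```

Call begin_login when redirecting the user to Keycloak and finish_login in the handler for redirect_uri, passing the query parameters of the callback request.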

token(username='', password='', grant_type='password', code='', redirect_uri='', totp=None, scope='openid', **extra)[source]

Retrieve user token.

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • username (str) – Username

  • password (str) – Password

  • grant_type (str) – Grant type

  • code (str) – Code

  • redirect_uri (str) – Redirect URI

  • totp (int) – Time-based one-time password

  • scope (str) – Scope, defaults to openid

  • extra (dict) – Additional extra arguments

Returns:

Keycloak token

Return type:

dict

refresh_token(refresh_token, grant_type='refresh_token')[source]

Refresh the user token.

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • refresh_token (str) – Refresh token from Keycloak

  • grant_type (str) – Grant type

Returns:

New token

Return type:

dict

exchange_token(token: str, audience: str | None = None, subject: str | None = None, subject_token_type: str | None = None, subject_issuer: str | None = None, requested_issuer: str | None = None, requested_token_type: str = 'urn:ietf:params:oauth:token-type:refresh_token', scope: str = 'openid') dict[source]

Exchange user token.

Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Parameters:
  • token (str) – Access token

  • audience (str) – Audience

  • subject (str) – Subject

  • subject_token_type (Optional[str]) – Token Type specification

  • subject_issuer (Optional[str]) – Issuer

  • requested_issuer (Optional[str]) – Issuer

  • requested_token_type (str) – Token type specification

  • scope (str) – Scope, defaults to openid

Returns:

Exchanged token

Return type:

dict

userinfo(token)[source]

Get the user info object.

The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.

http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Parameters:

token (str) – Access token

Returns:

Userinfo object

Return type:

dict

logout(refresh_token)[source]

Log out the authenticated user.

Parameters:

refresh_token (str) – Refresh token from Keycloak

Returns:

Keycloak server response

Return type:

dict

certs()[source]

Get certificates.

The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.

https://tools.ietf.org/html/rfc7517

Returns:

Certificates

Return type:

dict

public_key()[source]

Retrieve the public key.

The public key is exposed by the realm page directly.

Returns:

The public key

Return type:

str

entitlement(token, resource_server_id)[source]

Get entitlements from the token.

Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.

Parameters:
  • token (str) – Access token

  • resource_server_id (str) – Resource server ID

Returns:

Entitlements

Return type:

dict

introspect(token, rpt=None, token_type_hint=None)[source]

Introspect the user token.

The introspection endpoint is used to retrieve the active state of a token. It can only be invoked by confidential clients.

https://tools.ietf.org/html/rfc7662

Parameters:
  • token (str) – Access token

  • rpt (str) – Requesting party token

  • token_type_hint (str) – Token type hint

Returns:

Token info

Return type:

dict

Raises:

KeycloakRPTNotFound – In case of RPT not specified

decode_token(token, validate: bool = True, **kwargs)[source]

Decode user token.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

https://tools.ietf.org/html/rfc7517

Parameters:
  • token (str) – Keycloak token

  • validate (bool) – Determines whether the token should be validated with the public key. Defaults to True.

  • kwargs (dict) – Additional keyword arguments for jwcrypto’s JWT object

Returns:

Decoded token

Return type:

dict

load_authorization_config(path)[source]

Load Keycloak settings (authorization).

Parameters:

path (str) – settings file (json)

get_policies(token, method_token_info='introspect', **kwargs)[source]

Get policies by user token.

Parameters:
  • token (str) – User token

  • method_token_info (str) – Method for token info decoding

  • kwargs (dict) – Additional keyword arguments

Returns:

Policies

Return type:

dict

Raises:

get_permissions(token, method_token_info='introspect', **kwargs)[source]

Get permissions by user token.

Parameters:
  • token (str) – user token

  • method_token_info (str) – Decode token method

  • kwargs (dict) – parameters for decode

Returns:

permissions list

Return type:

list

Raises:

uma_permissions(token, permissions='')[source]

Get UMA permissions by user token with requested permissions.

The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • token (str) – user token

  • permissions (str) – list of uma permissions list(resource:scope) requested by the user

Returns:

Keycloak server response

Return type:

dict

has_uma_access(token, permissions)[source]

Determine whether user has uma permissions with specified user token.

Parameters:
  • token (str) – user token

  • permissions (str) – list of uma permissions (resource:scope)

Returns:

Authentication status

Return type:

AuthStatus

Raises:

register_client(token: str, payload: dict)[source]

Create a client.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • token (str) – Initial access token

  • payload (dict) – ClientRepresentation

Returns:

Client Representation

Return type:

dict

device(scope: str = '')[source]

Get device authorization grant.

The device endpoint is used to obtain a user code verification and user authentication. The response contains a device_code, user_code, verification_uri, verification_uri_complete, expires_in (lifetime in seconds for device_code and user_code), and polling interval. Users can either follow the verification_uri and enter the user_code or follow the verification_uri_complete. After authenticating with valid credentials, users can obtain tokens using the “urn:ietf:params:oauth:grant-type:device_code” grant_type and the device_code.

https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md#how-to-try-it

Parameters:

scope (str) – Scope of the authorization request; multiple scopes are separated by a space

Returns:

Device Authorization Response

Return type:

dict
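The device grant described above needs a polling loop that honours the returned interval and stops when the device_code expires. The following added example (not code from python-keycloak) passes device_code through the extra keyword arguments of token(); it assumes that a pending or rejected request surfaces as an exception whose `response_body` attribute holds the OAuth JSON error, and `DeviceFlowError`, `oauth_error` and the `sleep`/`clock` hooks are names introduced here.

```python
import json
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """The user denied the request or the device_code expired."""


def oauth_error(exc):
    """Extract the OAuth 'error' code from an exception's response_body, if any."""
    body = getattr(exc, "response_body", None)
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    try:
        return json.loads(body).get("error")
    except (TypeError, ValueError, AttributeError):
        return None


def poll_device_token(oidc, grant, sleep=time.sleep, clock=time.monotonic):
    """Poll the token endpoint until the user approves, denies, or time runs out."""
    interval = int(grant.get("interval", 5))
    deadline = clock() + int(grant["expires_in"])
    while clock() < deadline:
        sleep(interval)
        try:
            return oidc.token(grant_type=DEVICE_GRANT, device_code=grant["device_code"])
        except Exception as exc:
            err = oauth_error(exc)
            if err == "authorization_pending":
                continue                      # user has not finished yet
            if err == "slow_down":
                interval += 5                 # back off as RFC 8628 requires
                continue
            if err in ("access_denied", "expired_token"):
                raise DeviceFlowError(err) from exc
            raise                             # unrelated failure: do not mask it
    raise DeviceFlowError("device_code expired before the user approved")


def device_login(oidc, show=print, **poll_kwargs):
    """Start the device flow, show the user what to do, then wait for tokens."""
    grant = oidc.device(scope="openid")
    # Display only the user_code; the device_code is a secret of this client.
    show(f"Open {grant['verification_uri']} and enter code {grant['user_code']}")
    return poll_device_token(oidc, grant, **poll_kwargs)
```

The user_code is meant to be shown, while the device_code should stay out of logs and terminal output because whoever holds it can collect the tokens once the user approves.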

update_client(token: str, client_id: str, payload: dict)[source]

Update a client.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • token (str) – registration access token

  • client_id (str) – Keycloak client id

  • payload (dict) – ClientRepresentation

Returns:

Client Representation

Return type:

dict

async a_well_known()[source]

Get the well_known object asynchronously.

The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

async a_auth_url(redirect_uri, scope='email', state='', nonce='')[source]

Get authorization URL endpoint asynchronously.

Parameters:
  • redirect_uri (str) – Redirect url to receive oauth code

  • scope (str) – Scope of the authorization request; multiple scopes are separated by a space

  • state (str) – State will be returned to the redirect_uri

  • nonce (str) – Associates a Client session with an ID Token to mitigate replay attacks

Returns:

Authorization URL Full Build

Return type:

str

async a_token(username='', password='', grant_type='password', code='', redirect_uri='', totp=None, scope='openid', **extra)[source]

Retrieve user token asynchronously.

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • username (str) – Username

  • password (str) – Password

  • grant_type (str) – Grant type

  • code (str) – Code

  • redirect_uri (str) – Redirect URI

  • totp (int) – Time-based one-time password

  • scope (str) – Scope, defaults to openid

  • extra (dict) – Additional extra arguments

Returns:

Keycloak token

Return type:

dict

async a_refresh_token(refresh_token, grant_type='refresh_token')[source]

Refresh the user token asynchronously.

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • refresh_token (str) – Refresh token from Keycloak

  • grant_type (str) – Grant type

Returns:

New token

Return type:

dict

async a_exchange_token(token: str, audience: str | None = None, subject: str | None = None, subject_token_type: str | None = None, subject_issuer: str | None = None, requested_issuer: str | None = None, requested_token_type: str = 'urn:ietf:params:oauth:token-type:refresh_token', scope: str = 'openid') dict[source]

Exchange user token asynchronously.

Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Parameters:
  • token (str) – Access token

  • audience (str) – Audience

  • subject (str) – Subject

  • subject_token_type (Optional[str]) – Token Type specification

  • subject_issuer (Optional[str]) – Issuer

  • requested_issuer (Optional[str]) – Issuer

  • requested_token_type (str) – Token type specification

  • scope (str) – Scope, defaults to openid

Returns:

Exchanged token

Return type:

dict

async a_userinfo(token)[source]

Get the user info object asynchronously.

The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.

http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Parameters:

token (str) – Access token

Returns:

Userinfo object

Return type:

dict

async a_logout(refresh_token)[source]

Log out the authenticated user asynchronously.

Parameters:

refresh_token (str) – Refresh token from Keycloak

Returns:

Keycloak server response

Return type:

dict

async a_certs()[source]

Get certificates asynchronously.

The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.

https://tools.ietf.org/html/rfc7517

Returns:

Certificates

Return type:

dict

async a_public_key()[source]

Retrieve the public key asynchronously.

The public key is exposed by the realm page directly.

Returns:

The public key

Return type:

str

async a_entitlement(token, resource_server_id)[source]

Get entitlements from the token asynchronously.

Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.

Parameters:
  • token (str) – Access token

  • resource_server_id (str) – Resource server ID

Returns:

Entitlements

Return type:

dict

async a_introspect(token, rpt=None, token_type_hint=None)[source]

Introspect the user token asynchronously.

The introspection endpoint is used to retrieve the active state of a token. It can only be invoked by confidential clients.

https://tools.ietf.org/html/rfc7662

Parameters:
  • token (str) – Access token

  • rpt (str) – Requesting party token

  • token_type_hint (str) – Token type hint

Returns:

Token info

Return type:

dict

Raises:

KeycloakRPTNotFound – In case of RPT not specified

async a_decode_token(token, validate: bool = True, **kwargs)[source]

Decode user token asynchronously.

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

https://tools.ietf.org/html/rfc7517

Parameters:
  • token (str) – Keycloak token

  • validate (bool) – Determines whether the token should be validated with the public key. Defaults to True.

  • kwargs (dict) – Additional keyword arguments for jwcrypto’s JWT object

Returns:

Decoded token

Return type:

dict

async a_load_authorization_config(path)[source]

Load Keycloak settings (authorization) asynchronously.

Parameters:

path (str) – settings file (json)

async a_get_policies(token, method_token_info='introspect', **kwargs)[source]

Get policies by user token asynchronously.

Parameters:
  • token (str) – User token

  • method_token_info (str) – Method for token info decoding

  • kwargs (dict) – Additional keyword arguments

Returns:

Policies

Return type:

dict

Raises:
async a_get_permissions(token, method_token_info='introspect', **kwargs)[source]

Get permission by user token asynchronously.

Parameters:
  • token (str) – user token

  • method_token_info (str) – Decode token method

  • kwargs (dict) – parameters for decode

Returns:

permissions list

Return type:

list

Raises:
async a_uma_permissions(token, permissions='')[source]

Get UMA permissions by user token with requested permissions asynchronously.

The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters:
  • token (str) – user token

  • permissions (str) – list of uma permissions list(resource:scope) requested by the user

Returns:

Keycloak server response

Return type:

dict

async a_has_uma_access(token, permissions)[source]

Determine whether user has uma permissions with specified user token asynchronously.

Parameters:
  • token (str) – user token

  • permissions (str) – list of uma permissions (resource:scope)

Returns:

Authentication status

Return type:

AuthStatus

Raises:
async a_register_client(token: str, payload: dict)[source]

Create a client asynchronously.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • token (str) – Initial access token

  • payload (dict) – ClientRepresentation

Returns:

Client Representation

Return type:

dict

async a_device(scope: str = '')[source]

Get device authorization grant asynchronously.

The device endpoint is used to obtain a user code verification and user authentication. The response contains a device_code, user_code, verification_uri, verification_uri_complete, expires_in (lifetime in seconds for device_code and user_code), and polling interval. Users can either follow the verification_uri and enter the user_code or follow the verification_uri_complete. After authenticating with valid credentials, users can obtain tokens using the “urn:ietf:params:oauth:grant-type:device_code” grant_type and the device_code.

https://auth0.com/docs/get-started/authentication-and-authorization-flow/device-authorization-flow https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md#how-to-try-it

Parameters:

scope (str) – Scope of the authorization request; multiple scopes are separated by a blank space

Returns:

Device Authorization Response

Return type:

dict
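
The polling step that follows the device authorization response described above, as an added example rather than python-keycloak code. `request_token` is a hypothetical callable standing in for the token endpoint call, the replies and host name are constructed, and the `authorization_pending` / `slow_down` handling follows RFC 8628.

```python
import time

DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


class DeviceFlowError(Exception):
    """The device grant ended without tokens (denied, expired, malformed reply)."""


def poll_for_token(device_response, request_token, sleep=time.sleep, clock=time.monotonic):
    """Poll until the user approves, denies, or the device_code lifetime runs out.

    request_token(grant_type, device_code) is a hypothetical callable wrapping the
    token endpoint; it returns the token dict or an {"error": ...} dict.
    """
    interval = int(device_response.get("interval", 5))  # RFC 8628 default is 5 s
    deadline = clock() + int(device_response["expires_in"])
    while clock() + interval <= deadline:
        sleep(interval)  # never poll faster than the server asked
        reply = request_token(DEVICE_GRANT, device_response["device_code"])
        error = reply.get("error")
        if error is None:
            if "access_token" not in reply:
                raise DeviceFlowError("malformed token response")
            return reply
        if error == "slow_down":
            interval += 5  # RFC 8628 section 3.5: back off by 5 s, then keep polling
        elif error != "authorization_pending":
            raise DeviceFlowError(error)  # access_denied, expired_token, ...
    raise DeviceFlowError("expired_token")  # stop once the codes can no longer be valid


class FakeClock:
    """Test clock: sleeping advances time instantly and records each pause."""

    def __init__(self):
        self.now, self.pauses = 0.0, []

    def sleep(self, seconds):
        self.pauses.append(seconds)
        self.now += seconds

    def time(self):
        return self.now


def run_constructed_flow(replies, expires_in=600):
    """Drive poll_for_token with constructed endpoint replies; return (outcome, pauses)."""
    clock, queue = FakeClock(), list(replies)
    device_response = {  # constructed sample of a device authorization response
        "device_code": "constructed-device-code",
        "user_code": "ABCD-EFGH",
        "verification_uri": "https://keycloak.example/realms/demo/device",
        "expires_in": expires_in,
        "interval": 5,
    }

    def endpoint(grant_type, device_code):
        assert grant_type == DEVICE_GRANT
        return queue.pop(0) if queue else {"error": "authorization_pending"}

    try:
        outcome = poll_for_token(device_response, endpoint, clock.sleep, clock.time)
    except DeviceFlowError as exc:
        outcome = "error:" + str(exc)
    return outcome, clock.pauses
```

Bounding the loop by `expires_in` and honouring `interval` keeps a stalled or abandoned login from turning into unbounded traffic against the token endpoint.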

async a_update_client(token: str, client_id: str, payload: dict)[source]

Update a client asynchronously.

ClientRepresentation: https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_clientrepresentation

Parameters:
  • token (str) – registration access token

  • client_id (str) – Keycloak client id

  • payload (dict) – ClientRepresentation

Returns:

Client Representation

Return type:

dict

class keycloak.KeycloakUMA(connection: keycloak.openid_connection.KeycloakOpenIDConnection)[source]

Keycloak UMA client.

Parameters:

connection – OpenID connection manager

connection
_well_known = None
_fetch_well_known()[source]
static format_url(url, **kwargs)[source]

Substitute url path parameters.

Given a parameterized url string, returns the string after url encoding and substituting the given params. For example, format_url("https://myserver/{my_resource}/{id}", my_resource="hello world", id="myid") would produce https://myserver/hello+world/myid.

Parameters:
  • url (str) – url string to format

  • kwargs (dict) – dict containing kwargs to substitute

Returns:

formatted string

Return type:

str
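
Why the encoding step matters when a path parameter comes from a caller, as an added example rather than the library's source. `format_url` here is a stdlib re-creation that assumes `quote_plus` encoding (inferred from the documented `hello+world` output); `format_url_raw`, `shape` and the sample id are hypothetical.

```python
from urllib.parse import quote_plus, urlsplit


def format_url(url: str, **kwargs: str) -> str:
    """Encode every value with quote_plus, then substitute it into the template."""
    return url.format(**{name: quote_plus(value) for name, value in kwargs.items()})


def format_url_raw(url: str, **kwargs: str) -> str:
    """Contrast case: plain substitution with no encoding."""
    return url.format(**kwargs)


def shape(url: str) -> tuple:
    """Return (path segments, query string) as an HTTP server would split them."""
    parts = urlsplit(url)
    return [segment for segment in parts.path.split("/") if segment], parts.query


TEMPLATE = "https://myserver/{my_resource}/{id}"
# Constructed value: an id supplied by a caller that carries URL metacharacters.
UNTRUSTED_ID = "myid/../other?first=0"

if __name__ == "__main__":
    # Encoded: still two path segments and no query string.
    print(shape(format_url(TEMPLATE, my_resource="hello world", id=UNTRUSTED_ID)))
    # Raw: the id adds path segments and a query parameter of its own.
    print(shape(format_url_raw(TEMPLATE, my_resource="hello world", id=UNTRUSTED_ID)))
```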

static a_format_url(url, **kwargs)[source]
Async:

Substitute url path parameters.

Given a parameterized url string, returns the string after url encoding and substituting the given params. For example, format_url("https://myserver/{my_resource}/{id}", my_resource="hello world", id="myid") would produce https://myserver/hello+world/myid.

Parameters:
  • url (str) – url string to format

  • kwargs (dict) – dict containing kwargs to substitute

Returns:

formatted string

Return type:

str

property uma_well_known
Get the well_known UMA2 config.
Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

async a_uma_well_known()[source]

Get the well_known UMA2 config async.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

resource_set_create(payload)[source]

Create a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

payload (dict) – ResourceRepresentation

Returns:

ResourceRepresentation with the _id property assigned

Return type:

dict

resource_set_update(resource_id, payload)[source]

Update a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:
  • resource_id (str) – id of the resource

  • payload (dict) – ResourceRepresentation

Returns:

Response dict (empty)

Return type:

dict

resource_set_read(resource_id)[source]

Read a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

resource_id (str) – id of the resource

Returns:

ResourceRepresentation

Return type:

dict

resource_set_delete(resource_id)[source]

Delete a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set

Parameters:

resource_id (str) – id of the resource

Returns:

Response dict (empty)

Return type:

dict

resource_set_list_ids(name: str = '', exact_name: bool = False, uri: str = '', owner: str = '', resource_type: str = '', scope: str = '', matchingUri: bool = False, first: int = 0, maximum: int = -1)[source]

Query for list of resource set ids.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

Parameters:
  • name (str) – query resource name

  • exact_name (bool) – query exact match for resource name

  • uri (str) – query resource uri

  • owner (str) – query resource owner

  • resource_type (str) – query resource type

  • scope (str) – query resource scope

  • matchingUri (bool) – enable URI matching

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

resource_set_list()[source]

List all resource sets.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Yields:

Iterator over a list of ResourceRepresentations

Return type:

Iterator[dict]

permission_ticket_create(permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Create a permission ticket.

Parameters:

permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

Raises:

KeycloakPostError – In case permission resource not found

permissions_check(token, permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Check UMA permissions by user token with requested permissions.

The token endpoint is used to check UMA permissions from Keycloak. It can only be invoked by confidential clients.

https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api

Parameters:
  • token (str) – user token

  • permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

policy_resource_create(resource_id, payload)[source]

Create permission policy for resource.

Supports name, description, scopes, roles, groups, clients

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource

Parameters:
  • resource_id (str) – _id of resource

  • payload (dict) – permission configuration

Returns:

PermissionRepresentation

Return type:

dict

policy_update(policy_id, payload)[source]

Update permission policy.

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:
  • policy_id (str) – id of policy permission

  • payload (dict) – policy permission configuration

Returns:

PermissionRepresentation

Return type:

dict

policy_delete(policy_id)[source]

Delete permission policy.

https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:

policy_id (str) – id of permission policy

Returns:

PermissionRepresentation

Return type:

dict

policy_query(resource: str = '', name: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]

Query permission policies.

https://www.keycloak.org/docs/latest/authorization_services/#querying-permission

Parameters:
  • resource (str) – query resource id

  • name (str) – query resource name

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

async a__fetch_well_known()[source]

Get the well_known UMA2 config async.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

async a_resource_set_create(payload)[source]

Create a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

payload (dict) – ResourceRepresentation

Returns:

ResourceRepresentation with the _id property assigned

Return type:

dict

async a_resource_set_update(resource_id, payload)[source]

Update a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:
  • resource_id (str) – id of the resource

  • payload (dict) – ResourceRepresentation

Returns:

Response dict (empty)

Return type:

dict

async a_resource_set_read(resource_id)[source]

Read a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

resource_id (str) – id of the resource

Returns:

ResourceRepresentation

Return type:

dict

async a_resource_set_delete(resource_id)[source]

Delete a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set

Parameters:

resource_id (str) – id of the resource

Returns:

Response dict (empty)

Return type:

dict

async a_resource_set_list_ids(name: str = '', exact_name: bool = False, uri: str = '', owner: str = '', resource_type: str = '', scope: str = '', matchingUri: bool = False, first: int = 0, maximum: int = -1)[source]

Query for list of resource set ids asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

Parameters:
  • name (str) – query resource name

  • exact_name (bool) – query exact match for resource name

  • uri (str) – query resource uri

  • owner (str) – query resource owner

  • resource_type (str) – query resource type

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • matchingUri (bool) – enable URI matching

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

async a_resource_set_list()[source]

List all resource sets asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Yields:

Iterator over a list of ResourceRepresentations

Return type:

Iterator[dict]

async a_permission_ticket_create(permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Create a permission ticket asynchronously.

Parameters:

permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

Raises:

KeycloakPostError – In case permission resource not found

async a_permissions_check(token, permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Check UMA permissions by user token with requested permissions asynchronously.

The token endpoint is used to check UMA permissions from Keycloak. It can only be invoked by confidential clients.

https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api

Parameters:
  • token (str) – user token

  • permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

async a_policy_resource_create(resource_id, payload)[source]

Create permission policy for resource asynchronously.

Supports name, description, scopes, roles, groups, clients

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource

Parameters:
  • resource_id (str) – _id of resource

  • payload (dict) – permission configuration

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_update(policy_id, payload)[source]

Update permission policy asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:
  • policy_id (str) – id of policy permission

  • payload (dict) – policy permission configuration

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_delete(policy_id)[source]

Delete permission policy asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:

policy_id (str) – id of permission policy

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_query(resource: str = '', name: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]

Query permission policies asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#querying-permission

Parameters:
  • resource (str) – query resource id

  • name (str) – query resource name

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

class keycloak.KeycloakOpenIDConnection(server_url, grant_type=None, username=None, password=None, token=None, totp=None, realm_name='master', client_id='admin-cli', verify=True, client_secret_key=None, custom_headers=None, user_realm_name=None, timeout=60, cert=None, max_retries=1)[source]

Bases: keycloak.connection.ConnectionManager

A class to help with OpenID connections which can auto refresh tokens.

Parameters:

object (_type_) – _description_

_server_url = None
_grant_type = None
_username = None
_password = None
_totp = None
_realm_name = None
_client_id = None
_verify = None
_client_secret_key = None
_connection = None
_custom_headers = None
_user_realm_name = None
_expires_at = None
_keycloak_openid = None
token_lifetime_fraction = 0.9
headers

Return the headers sent with requests to the server.

Returns:

Request headers

Return type:

dict

property server_url
Get server url.
Returns:

Keycloak server url

Return type:

str

property grant_type
Get grant type.
Returns:

Grant type

Return type:

str

property username
Get username.
Returns:

Admin username

Return type:

str

property password
Get password.
Returns:

Admin password

Return type:

str

property token
Get token.
Returns:

Access and refresh token

Return type:

dict

property totp
Get totp.
Returns:

TOTP

Return type:

str

property realm_name
Get realm name.
Returns:

Realm name

Return type:

str

property client_id
Get client id.
Returns:

Client id

Return type:

str

verify

Return the verify setting in use for requests to the server.

Returns:

Verify indicator

Return type:

bool

property client_secret_key
Get client secret key.
Returns:

Client secret key

Return type:

str

property user_realm_name
Get user realm name.
Returns:

User realm name

Return type:

str

timeout

Return the timeout in use for requests to the server.

Returns:

Timeout

Return type:

int

property custom_headers
Get custom headers.
Returns:

Custom headers

Return type:

dict

cert

Return the client certificates in use for requests to the server.

Returns:

Client certificate

Return type:

Union[str,Tuple[str,str]]

property expires_at
Get token expiry time.
Returns:

Datetime at which the current token will expire

Return type:

datetime

property keycloak_openid: keycloak.keycloak_openid.KeycloakOpenID

Get the KeycloakOpenID object.

The KeycloakOpenID is used to refresh tokens

Returns:

KeycloakOpenID

Return type:

KeycloakOpenID

get_token()[source]

Get admin token.

The admin token is then set in the token attribute.

refresh_token()[source]

Refresh the token.

Raises:

KeycloakPostError – In case the refresh token request failed.

_refresh_if_required()[source]
raw_get(*args, **kwargs)[source]

Call connection.raw_get.

If auto_refresh is set for get and access_token is expired, it will refresh the token and try get once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response
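
A stand-alone model of the refresh-before-request behaviour documented for this class (`token_lifetime_fraction`, `expires_at`, `refresh_token`), added here as an illustration and not the library's own code. `AutoRefreshingSession`, its callbacks and the token values are hypothetical, and it assumes `expires_at` is the issue time plus `token_lifetime_fraction` times `expires_in`.

```python
from datetime import datetime, timedelta


class RefreshRejected(Exception):
    """Stand-in for the KeycloakPostError raised when the refresh request fails."""


class AutoRefreshingSession:
    """Hypothetical model of a connection that renews its token before requests."""

    token_lifetime_fraction = 0.9  # same value as the documented class attribute

    def __init__(self, login, refresh, now=datetime.now):
        self._login, self._refresh, self._now = login, refresh, now
        self._token = None
        self.expires_at = now()  # nothing cached yet, so the first call must log in

    def _store(self, token):
        # Assumption: the token is treated as expired after 90% of expires_in,
        # which leaves headroom for clock skew and request latency.
        usable = int(self.token_lifetime_fraction * token["expires_in"])
        self._token = token
        self.expires_at = self._now() + timedelta(seconds=usable)

    def refresh_token(self):
        cached = (self._token or {}).get("refresh_token")
        # Assumption: with no refresh token cached, fall back to a full login.
        # A rejected refresh propagates, so no request leaves with a stale token.
        self._store(self._login() if cached is None else self._refresh(cached))

    def authorization_header(self):
        if self._now() >= self.expires_at:
            self.refresh_token()
        return {"Authorization": "Bearer " + self._token["access_token"]}


def timeline():
    """Walk a constructed clock across the 270 s boundary of a 300 s token."""
    clock = [datetime(2024, 1, 1, 12, 0, 0)]
    calls = []

    def login():
        calls.append("login")
        return {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 300}

    def refresh(refresh_token):
        calls.append("refresh:" + refresh_token)
        return {"access_token": "at-2", "refresh_token": "rt-2", "expires_in": 300}

    session = AutoRefreshingSession(login, refresh, now=lambda: clock[0])
    seen = [session.authorization_header()["Authorization"]]  # t = 0 s
    clock[0] += timedelta(seconds=269)
    seen.append(session.authorization_header()["Authorization"])  # t = 269 s
    clock[0] += timedelta(seconds=1)
    seen.append(session.authorization_header()["Authorization"])  # t = 270 s
    return seen, calls


def rejected_refresh_is_not_swallowed():
    """Return True when a failed refresh surfaces instead of reusing the old token."""
    clock = [datetime(2024, 1, 1, 12, 0, 0)]

    def refresh(_):
        raise RefreshRejected("constructed failure")

    session = AutoRefreshingSession(
        lambda: {"access_token": "at-1", "refresh_token": "rt-1", "expires_in": 300},
        refresh,
        now=lambda: clock[0],
    )
    session.authorization_header()
    clock[0] += timedelta(seconds=300)
    try:
        session.authorization_header()
    except RefreshRejected:
        return True
    return False
```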

raw_post(*args, **kwargs)[source]

Call connection.raw_post.

If auto_refresh is set for post and access_token is expired, it will refresh the token and try post once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

raw_put(*args, **kwargs)[source]

Call connection.raw_put.

If auto_refresh is set for put and access_token is expired, it will refresh the token and try put once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

raw_delete(*args, **kwargs)[source]

Call connection.raw_delete.

If auto_refresh is set for delete and access_token is expired, it will refresh the token and try delete once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

async a_get_token()[source]

Get admin token.

The admin token is then set in the token attribute.

async a_refresh_token()[source]

Refresh the token.

Raises:

KeycloakPostError – In case the refresh token request failed.

async a__refresh_if_required()[source]

Refresh the token if it is expired.

async a_raw_get(*args, **kwargs)[source]

Call connection.raw_get.

If auto_refresh is set for get and access_token is expired, it will refresh the token and try get once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

async a_raw_post(*args, **kwargs)[source]

Call connection.raw_post.

If auto_refresh is set for post and access_token is expired, it will refresh the token and try post once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

async a_raw_put(*args, **kwargs)[source]

Call connection.raw_put.

If auto_refresh is set for put and access_token is expired, it will refresh the token and try put once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response

async a_raw_delete(*args, **kwargs)[source]

Call connection.raw_delete.

If auto_refresh is set for delete and access_token is expired, it will refresh the token and try delete once more.

Parameters:
  • args (tuple) – Additional arguments

  • kwargs (dict) – Additional keyword arguments

Returns:

Response

Return type:

Response