keycloak.keycloak_uma

Keycloak UMA module.

The module contains a UMA compatible client for keycloak: https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-federated-authz-2.0.html

Classes

KeycloakUMA

Keycloak UMA client.

Module Contents

class keycloak.keycloak_uma.KeycloakUMA(connection: keycloak.openid_connection.KeycloakOpenIDConnection)[source]

Keycloak UMA client.

Parameters:

connection – OpenID connection manager

connection[source]
_well_known = None[source]
_fetch_well_known()[source]
static format_url(url, **kwargs)[source]

Substitute url path parameters.

Given a parameterized url string, returns the string after url encoding and substituting the given params. For example, format_url(“https://myserver/{my_resource}/{id}”, my_resource=”hello world”, id=”myid”) would produce https://myserver/hello+world/myid.

Parameters:
  • url (str) – url string to format

  • kwargs (dict) – dict containing kwargs to substitute

Returns:

formatted string

Return type:

str

static a_format_url(url, **kwargs)[source]
Async:

Substitute url path parameters.

Given a parameterized url string, returns the string after url encoding and substituting the given params. For example, format_url(“https://myserver/{my_resource}/{id}”, my_resource=”hello world”, id=”myid”) would produce https://myserver/hello+world/myid.

Parameters:
  • url (str) – url string to format

  • kwargs (dict) – dict containing kwargs to substitute

Returns:

formatted string

Return type:

str

property uma_well_known[source]

Get the well_known UMA2 config.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

async a_uma_well_known()[source]

Get the well_known UMA2 config async.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

resource_set_create(payload)[source]

Create a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

payload (dict) – ResourceRepresentation

Returns:

ResourceRepresentation with the _id property assigned

Return type:

dict

resource_set_update(resource_id, payload)[source]

Update a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:
  • resource_id (str) – id of the resource

  • payload (dict) – ResourceRepresentation

Returns:

Response dict (empty)

Return type:

dict

resource_set_read(resource_id)[source]

Read a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

resource_id (str) – id of the resource

Returns:

ResourceRepresentation

Return type:

dict

resource_set_delete(resource_id)[source]

Delete a resource set.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set

Parameters:

resource_id (str) – id of the resource

Returns:

Response dict (empty)

Return type:

dict

resource_set_list_ids(name: str = '', exact_name: bool = False, uri: str = '', owner: str = '', resource_type: str = '', scope: str = '', matchingUri: bool = False, first: int = 0, maximum: int = -1)[source]

Query for list of resource set ids.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

Parameters:
  • name (str) – query resource name

  • exact_name (bool) – query exact match for resource name

  • uri (str) – query resource uri

  • owner (str) – query resource owner

  • resource_type (str) – query resource type

  • scope (str) – query resource scope

  • matchingUri (bool) – enable URI matching

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

resource_set_list()[source]

List all resource sets.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Yields:

Iterator over a list of ResourceRepresentations

Return type:

Iterator[dict]

permission_ticket_create(permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Create a permission ticket.

Parameters:

permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

Raises:

KeycloakPostError – In case permission resource not found

permissions_check(token, permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Check UMA permissions by user token with requested permissions.

The token endpoint is used to check UMA permissions from Keycloak. It can only be invoked by confidential clients.

https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api

Parameters:
  • token (str) – user token

  • permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

policy_resource_create(resource_id, payload)[source]

Create permission policy for resource.

Supports name, description, scopes, roles, groups, clients

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource

Parameters:
  • resource_id (str) – _id of resource

  • payload (dict) – permission configuration

Returns:

PermissionRepresentation

Return type:

dict

policy_update(policy_id, payload)[source]

Update permission policy.

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:
  • policy_id (str) – id of policy permission

  • payload (dict) – policy permission configuration

Returns:

PermissionRepresentation

Return type:

dict

policy_delete(policy_id)[source]

Delete permission policy.

https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:

policy_id (str) – id of permission policy

Returns:

PermissionRepresentation

Return type:

dict

policy_query(resource: str = '', name: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]

Query permission policies.

https://www.keycloak.org/docs/latest/authorization_services/#querying-permission

Parameters:
  • resource (str) – query resource id

  • name (str) – query resource name

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Returns:

List of ids

Return type:

List[str]

async a__fetch_well_known()[source]

Get the well_known UMA2 config async.

Returns:

It lists endpoints and other configuration options relevant

Return type:

dict

async a_resource_set_create(payload)[source]

Create a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

payload (dict) – ResourceRepresentation

Returns:

ResourceRepresentation with the _id property assigned

Return type:

dict

async a_resource_set_update(resource_id, payload)[source]

Update a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:
  • resource_id (str) – id of the resource

  • payload (dict) – ResourceRepresentation

Returns:

Response dict (empty)

Return type:

dict

async a_resource_set_read(resource_id)[source]

Read a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Parameters:

resource_id (str) – id of the resource

Returns:

ResourceRepresentation

Return type:

dict

async a_resource_set_delete(resource_id)[source]

Delete a resource set asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set

Parameters:

resource_id (str) – id of the resource

Returns:

Response dict (empty)

Return type:

dict

async a_resource_set_list_ids(name: str = '', exact_name: bool = False, uri: str = '', owner: str = '', resource_type: str = '', scope: str = '', matchingUri: bool = False, first: int = 0, maximum: int = -1)[source]

Query for list of resource set ids asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

Parameters:
  • name (str) – query resource name

  • exact_name (bool) – query exact match for resource name

  • uri (str) – query resource uri

  • owner (str) – query resource owner

  • resource_type (str) – query resource type

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • matchingUri (bool) – enable URI matching

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Return type:

List[str]

async a_resource_set_list()[source]

List all resource sets asynchronously.

Spec https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

ResourceRepresentation https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_resourcerepresentation

Yields:

Iterator over a list of ResourceRepresentations

Return type:

Iterator[dict]

async a_permission_ticket_create(permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Create a permission ticket asynchronously.

Parameters:

permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

Raises:

KeycloakPostError – In case permission resource not found

async a_permissions_check(token, permissions: Iterable[keycloak.uma_permissions.UMAPermission])[source]

Check UMA permissions by user token with requested permissions asynchronously.

The token endpoint is used to check UMA permissions from Keycloak. It can only be invoked by confidential clients.

https://www.keycloak.org/docs/latest/authorization_services/#_service_authorization_api

Parameters:
  • token (str) – user token

  • permissions (Iterable[UMAPermission]) – Iterable of uma permissions to validate the token against

Returns:

Keycloak decision

Return type:

boolean

async a_policy_resource_create(resource_id, payload)[source]

Create permission policy for resource asynchronously.

Supports name, description, scopes, roles, groups, clients

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource

Parameters:
  • resource_id (str) – _id of resource

  • payload (dict) – permission configuration

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_update(policy_id, payload)[source]

Update permission policy asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#associating-a-permission-with-a-resource https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:
  • policy_id (str) – id of policy permission

  • payload (dict) – policy permission configuration

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_delete(policy_id)[source]

Delete permission policy asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#removing-a-permission https://www.keycloak.org/docs-api/24.0.2/rest-api/index.html#_policyrepresentation

Parameters:

policy_id (str) – id of permission policy

Returns:

PermissionRepresentation

Return type:

dict

async a_policy_query(resource: str = '', name: str = '', scope: str = '', first: int = 0, maximum: int = -1)[source]

Query permission policies asynchronously.

https://www.keycloak.org/docs/latest/authorization_services/#querying-permission

Parameters:
  • resource (str) – query resource id

  • name (str) – query resource name

  • scope (str) – query resource scope

  • first (int) – index of first matching resource to return

  • maximum (int) – maximum number of resources to return (-1 for all)

Returns:

List of ids

Returns:

List of ids

Return type:

List[str]