keycloak.keycloak_openid

Module Contents

Classes

KeycloakOpenID

Keycloak OpenID client.

class keycloak.keycloak_openid.KeycloakOpenID(server_url, realm_name, client_id, client_secret_key=None, verify=True, custom_headers=None, proxies=None)[source]

Keycloak OpenID client.

Parameters
  • server_url – Keycloak server url

  • client_id – client id

  • realm_name – realm name

  • client_secret_key – client secret key

  • verify – True if want check connection SSL

  • custom_headers – dict of custom header to pass to each HTML request

  • proxies – dict of proxies to sent the request by.

property client_id(self)[source]
property client_secret_key(self)[source]
property realm_name(self)[source]
property connection(self)[source]
property authorization(self)[source]
_add_secret_key(self, payload)[source]

Add secret key if exist.

Parameters

payload

Returns

_build_name_role(self, role)[source]
Parameters

role

Returns

_token_info(self, token, method_token_info, **kwargs)[source]
Parameters
  • token

  • method_token_info

  • kwargs

Returns

well_known(self)[source]

The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.

:return It lists endpoints and other configuration options relevant.

auth_url(self, redirect_uri)[source]

http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint

Returns

token(self, username='', password='', grant_type=['password'], code='', redirect_uri='', totp=None, **extra)[source]

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • username

  • password

  • grant_type

  • code

  • redirect_uri

  • totp

Returns

refresh_token(self, refresh_token, grant_type=['refresh_token'])[source]

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • refresh_token

  • grant_type

Returns

exchange_token(self, token: str, client_id: str, audience: str, subject: str) dict[source]

Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Parameters
  • token

  • client_id

  • audience

  • subject

Returns

userinfo(self, token)[source]

The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.

http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Parameters

token

Returns

logout(self, refresh_token)[source]

The logout endpoint logs out the authenticated user. :param refresh_token: :return:

certs(self)[source]

The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.

https://tools.ietf.org/html/rfc7517

Returns

public_key(self)[source]

The public key is exposed by the realm page directly.

Returns

entitlement(self, token, resource_server_id)[source]

Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.

Returns

introspect(self, token, rpt=None, token_type_hint=None)[source]

The introspection endpoint is used to retrieve the active state of a token. It is can only be invoked by confidential clients.

https://tools.ietf.org/html/rfc7662

Parameters
  • token

  • rpt

  • token_type_hint

Returns

decode_token(self, token, key, algorithms=['RS256'], **kwargs)[source]

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

https://tools.ietf.org/html/rfc7517

Parameters
  • token

  • key

  • algorithms

Returns

load_authorization_config(self, path)[source]

Load Keycloak settings (authorization)

Parameters

path – settings file (json)

Returns

get_policies(self, token, method_token_info='introspect', **kwargs)[source]

Get policies by user token

Parameters

token – user token

Returns

policies list

get_permissions(self, token, method_token_info='introspect', **kwargs)[source]

Get permission by user token

Parameters
  • token – user token

  • method_token_info – Decode token method

  • kwargs – parameters for decode

Returns

permissions list

uma_permissions(self, token, permissions='')[source]

Get UMA permissions by user token with requested permissions

The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • token – user token

  • permissions – list of uma permissions list(resource:scope) requested by the user

Returns

permissions list

has_uma_access(self, token, permissions)[source]

Determine whether user has uma permissions with specified user token

Parameters
  • token – user token

  • permissions – list of uma permissions (resource:scope)

Returns

auth status