keycloak.keycloak_admin

Module Contents

Classes

KeycloakAdmin

Keycloak Admin client.

class keycloak.keycloak_admin.KeycloakAdmin(server_url, username=None, password=None, totp=None, realm_name='master', client_id='admin-cli', verify=True, client_secret_key=None, custom_headers=None, user_realm_name=None, auto_refresh_token=None)[source]

Keycloak Admin client.

Parameters
  • server_url – Keycloak server url

  • username – admin username

  • password – admin password

  • totp – Time based OTP

  • realm_name – realm name

  • client_id – client id

  • verify – True if want check connection SSL

  • client_secret_key – client secret key (optional, required only for access type confidential)

  • custom_headers – dict of custom header to pass to each HTML request

  • user_realm_name – The realm name of the user, if different from realm_name

  • auto_refresh_token – list of methods that allows automatic token refresh. Ex: [‘get’, ‘put’, ‘post’, ‘delete’]

PAGE_SIZE = 100[source]
_server_url[source]
_username[source]
_password[source]
_totp[source]
_realm_name[source]
_client_id[source]
_verify[source]
_client_secret_key[source]
_auto_refresh_token[source]
_connection[source]
_token[source]
_custom_headers[source]
_user_realm_name[source]
property server_url(self)[source]
property realm_name(self)[source]
property connection(self)[source]
property client_id(self)[source]
property client_secret_key(self)[source]
property verify(self)[source]
property username(self)[source]
property password(self)[source]
property totp(self)[source]
property token(self)[source]
property auto_refresh_token(self)[source]
property user_realm_name(self)[source]
property custom_headers(self)[source]
__fetch_all(self, url, query=None)[source]

Wrapper function to paginate GET requests

Parameters
  • url – The url on which the query is executed

  • query – Existing query parameters (optional)

Returns

Combined results of paginated queries

__fetch_paginated(self, url, query=None)[source]
import_realm(self, payload)[source]

Import a new realm from a RealmRepresentation. Realm name must be unique.

RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters

payload – RealmRepresentation

Returns

RealmRepresentation

export_realm(self, export_clients=False, export_groups_and_role=False)[source]

Export the realm configurations in the json format

RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_partialexport

Parameters
  • export-clients – Skip if not want to export realm clients

  • export-groups-and-roles – Skip if not want to export realm groups and roles

Returns

realm configurations JSON

get_realms(self)[source]

Lists all realms in Keycloak deployment

Returns

realms list

get_realm(self, realm_name)[source]

Get a specific realm.

RealmRepresentation: https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_realmrepresentation

Parameters

realm_name – Realm name (not the realm id)

Returns

RealmRepresentation

create_realm(self, payload, skip_exists=False)[source]

Create a realm

RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters
  • payload – RealmRepresentation

  • skip_exists – Skip if Realm already exist.

Returns

Keycloak server response (RealmRepresentation)

update_realm(self, realm_name, payload)[source]

Update a realm. This wil only update top level attributes and will ignore any user, role, or client information in the payload.

RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters
  • realm_name – Realm name (not the realm id)

  • payload – RealmRepresentation

Returns

Http response

delete_realm(self, realm_name)[source]

Delete a realm

Parameters

realm_name – Realm name (not the realm id)

Returns

Http response

get_users(self, query=None)[source]

Return a list of users, filtered according to query parameters

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters

query – Query parameters (optional)

Returns

users list

create_idp(self, payload)[source]

Create an ID Provider,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation

Param

payload: IdentityProviderRepresentation

update_idp(self, idp_alias, payload)[source]

Update an ID Provider

IdentityProviderRepresentation https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identity_providers_resource

Param

alias: alias for IdP to update

Param

payload: The IdentityProviderRepresentation

add_mapper_to_idp(self, idp_alias, payload)[source]

Create an ID Provider,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityprovidermapperrepresentation

Param

idp_alias: alias for Idp to add mapper in

Param

payload: IdentityProviderMapperRepresentation

update_mapper_in_idp(self, idp_alias, mapper_id, payload)[source]

Update an IdP mapper

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_update

Param

idp_alias: alias for Idp to fetch mappers

Param

mapper_id: Mapper Id to update

Param

payload: IdentityProviderMapperRepresentation

Returns

Http response

get_idp_mappers(self, idp_alias)[source]

Returns a list of ID Providers mappers

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getmappers

Param

idp_alias: alias for Idp to fetch mappers

Returns

array IdentityProviderMapperRepresentation

get_idps(self)[source]

Returns a list of ID Providers,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation

Returns

array IdentityProviderRepresentation

delete_idp(self, idp_alias)[source]

Deletes ID Provider,

Param

idp_alias: idp alias name

create_user(self, payload, exist_ok=False)[source]

Create a new user. Username must be unique

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters
  • payload – UserRepresentation

  • exist_ok – If False, raise KeycloakGetError if username already exists. Otherwise, return existing user ID.

Returns

UserRepresentation

users_count(self, query=None)[source]

User counter

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_users_resource

Parameters

query – (dict) Query parameters for users count

Returns

counter

get_user_id(self, username)[source]

Get internal keycloak user id from username This is required for further actions against this user.

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters

username – id in UserRepresentation

Returns

user_id

get_user(self, user_id)[source]

Get representation of the user

Parameters

user_id – User id

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Returns

UserRepresentation

get_user_groups(self, user_id)[source]

Returns a list of groups of which the user is a member

Parameters

user_id – User id

Returns

user groups list

update_user(self, user_id, payload)[source]

Update the user

Parameters
  • user_id – User id

  • payload – UserRepresentation

Returns

Http response

delete_user(self, user_id)[source]

Delete the user

Parameters

user_id – User id

Returns

Http response

set_user_password(self, user_id, password, temporary=True)[source]

Set up a password for the user. If temporary is True, the user will have to reset the temporary password next time they log in.

https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource https://www.keycloak.org/docs-api/18.0/rest-api/#_credentialrepresentation

Parameters
  • user_id – User id

  • password – New password

  • temporary – True if password is temporary

Returns

get_credentials(self, user_id)[source]

Returns a list of credential belonging to the user.

CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation

Param

user_id: user id

Returns

Keycloak server response (CredentialRepresentation)

delete_credential(self, user_id, credential_id)[source]

Delete credential of the user.

CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation

Param

user_id: user id

Param

credential_id: credential id

Returns

Keycloak server response (ClientRepresentation)

user_logout(self, user_id)[source]

Logs out user.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_logout

Parameters

user_id – User id

Returns

user_consents(self, user_id)[source]

Get consents granted by the user

UserConsentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userconsentrepresentation

Parameters

user_id – User id

Returns

List of UserConsentRepresentations

get_user_social_logins(self, user_id)[source]

Returns a list of federated identities/social logins of which the user has been associated with :param user_id: User id :return: federated identities list

add_user_social_login(self, user_id, provider_id, provider_userid, provider_username)[source]

Add a federated identity / social login provider to the user :param user_id: User id :param provider_id: Social login provider id :param provider_userid: userid specified by the provider :param provider_username: username specified by the provider :return:

delete_user_social_login(self, user_id, provider_id)[source]

Delete a federated identity / social login provider from the user :param user_id: User id :param provider_id: Social login provider id :return:

send_update_account(self, user_id, payload, client_id=None, lifespan=None, redirect_uri=None)[source]

Send an update account email to the user. An email contains a link the user can click to perform a set of required actions.

Parameters
  • user_id – User id

  • payload – A list of actions for the user to complete

  • client_id – Client id (optional)

  • lifespan – Number of seconds after which the generated token expires (optional)

  • redirect_uri – The redirect uri (optional)

Returns

send_verify_email(self, user_id, client_id=None, redirect_uri=None)[source]

Send a update account email to the user An email contains a link the user can click to perform a set of required actions.

Parameters
  • user_id – User id

  • client_id – Client id (optional)

  • redirect_uri – Redirect uri (optional)

Returns

get_sessions(self, user_id)[source]

Get sessions associated with the user

Parameters

user_id – id of user

UserSessionRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation

Returns

UserSessionRepresentation

get_server_info(self)[source]

Get themes, social providers, auth providers, and event listeners available on this server

ServerInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation

Returns

ServerInfoRepresentation

get_groups(self, query=None)[source]

Returns a list of groups belonging to the realm

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

array GroupRepresentation

get_group(self, group_id)[source]

Get group by id. Returns full group details

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters

group_id – The group id

Returns

Keycloak server response (GroupRepresentation)

get_subgroups(self, group, path)[source]

Utility function to iterate through nested group structures

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters
  • name – group (GroupRepresentation)

  • path – group path (string)

Returns

Keycloak server response (GroupRepresentation)

get_group_members(self, group_id, query=None)[source]

Get members by group id. Returns group members

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_userrepresentation

Parameters
Returns

Keycloak server response (UserRepresentation)

get_group_by_path(self, path, search_in_subgroups=False)[source]

Get group id based on name or path. A straight name or path match with a top-level group will return first. Subgroups are traversed, the first to match path (or name with path) is returned.

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters
  • path – group path

  • search_in_subgroups – True if want search in the subgroups

Returns

Keycloak server response (GroupRepresentation)

create_group(self, payload, parent=None, skip_exists=False)[source]

Creates a group in the Realm

Parameters
  • payload – GroupRepresentation

  • parent – parent group’s id. Required to create a sub-group.

  • skip_exists – If true then do not raise an error if it already exists

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

Group id for newly created group or None for an existing group

update_group(self, group_id, payload)[source]

Update group, ignores subgroups.

Parameters
  • group_id – id of group

  • payload – GroupRepresentation with updated information.

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

Http response

group_set_permissions(self, group_id, enabled=True)[source]

Enable/Disable permissions for a group. Cannot delete group if disabled

Parameters
  • group_id – id of group

  • enabled – boolean

Returns

Keycloak server response

group_user_add(self, user_id, group_id)[source]

Add user to group (user_id and group_id)

Parameters
  • user_id – id of user

  • group_id – id of group to add to

Returns

Keycloak server response

group_user_remove(self, user_id, group_id)[source]

Remove user from group (user_id and group_id)

Parameters
  • user_id – id of user

  • group_id – id of group to remove from

Returns

Keycloak server response

delete_group(self, group_id)[source]

Deletes a group in the Realm

Parameters

group_id – id of group to delete

Returns

Keycloak server response

get_clients(self)[source]

Returns a list of clients belonging to the realm

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response (ClientRepresentation)

get_client(self, client_id)[source]

Get representation of the client

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_id(self, client_name)[source]

Get internal keycloak client id from client-id. This is required for further actions against this client.

Parameters

client_name – name in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

client_id (uuid as string)

get_client_authz_settings(self, client_id)[source]

Get authorization json from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

create_client_authz_resource(self, client_id, payload, skip_exists=False)[source]

Create resources of client.

Parameters
Returns

Keycloak server response

get_client_authz_resources(self, client_id)[source]

Get resources from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

create_client_authz_role_based_policy(self, client_id, payload, skip_exists=False)[source]

Create role-based policy of client.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Policy-1",
    "roles": [
        {
        "id": id
        }
    ]
}
create_client_authz_resource_based_permission(self, client_id, payload, skip_exists=False)[source]

Create resource-based permission of client.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name",
    "resources": [
        resource_id
    ],
    "policies": [
        policy_id
    ]
get_client_authz_scopes(self, client_id)[source]

Get scopes from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_authz_permissions(self, client_id)[source]

Get permissions from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_authz_policies(self, client_id)[source]

Get policies from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_service_account_user(self, client_id)[source]

Get service account user from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

UserRepresentation

create_client(self, payload, skip_exists=False)[source]

Create a client

ClientRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters
  • skip_exists – If true then do not raise an error if client already exists

  • payload – ClientRepresentation

Returns

Client ID

update_client(self, client_id, payload)[source]

Update a client

Parameters
  • client_id – Client id

  • payload – ClientRepresentation

Returns

Http response

delete_client(self, client_id)[source]

Get representation of the client

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters

client_id – keycloak client id (not oauth client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_installation_provider(self, client_id, provider_id)[source]

Get content for given installation provider

Related documentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource

Possible provider_id list available in the ServerInfoRepresentation#clientInstallations https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation

Parameters
  • client_id – Client id

  • provider_id – provider id to specify response format

get_realm_roles(self)[source]

Get all roles for the realm or client

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

Keycloak server response (RoleRepresentation)

get_realm_role_members(self, role_name, query=None)[source]

Get role members of realm by role name. :param role_name: Name of the role. :param query: Additional Query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_roles_resource) :return: Keycloak Server Response (UserRepresentation)

get_client_roles(self, client_id)[source]

Get all roles for the client

Parameters

client_id – id of client (not client-id)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

Keycloak server response (RoleRepresentation)

get_client_role(self, client_id, role_name)[source]

Get client role id by name This is required for further actions with this role.

Parameters
  • client_id – id of client (not client-id)

  • role_name – role’s name (not id!)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

role_id

get_client_role_id(self, client_id, role_name)[source]

Warning: Deprecated

Get client role id by name This is required for further actions with this role.

Parameters
  • client_id – id of client (not client-id)

  • role_name – role’s name (not id!)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

role_id

create_client_role(self, client_role_id, payload, skip_exists=False)[source]

Create a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • payload – RoleRepresentation

  • skip_exists – If true then do not raise an error if client role already exists

Returns

Client role name

add_composite_client_roles_to_role(self, client_role_id, role_name, roles)[source]

Add composite roles to client role

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be updated

Returns

Keycloak server response

update_client_role(self, client_role_id, role_name, payload)[source]

Update a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – role’s name (not id!)

  • payload – RoleRepresentation

delete_client_role(self, client_role_id, role_name)[source]

Delete a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – role’s name (not id!)

assign_client_role(self, user_id, client_id, roles)[source]

Assign a client role to a user

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

get_client_role_members(self, client_id, role_name, **query)[source]

Get members by client role . :param client_id: The client id :param role_name: the name of role to be queried. :param query: Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource) :return: Keycloak server response (UserRepresentation)

get_client_role_groups(self, client_id, role_name, **query)[source]

Get group members by client role . :param client_id: The client id :param role_name: the name of role to be queried. :param query: Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource) :return: Keycloak server response

create_realm_role(self, payload, skip_exists=False)[source]

Create a new role for the realm or client

Parameters
  • payload – The role (use RoleRepresentation)

  • skip_exists – If true then do not raise an error if realm role already exists

Returns

Realm role name

get_realm_role(self, role_name)[source]

Get realm role by role name :param role_name: role’s name, not id!

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation :return: role_id

update_realm_role(self, role_name, payload)[source]

Update a role for the realm by name :param role_name: The name of the role to be updated :param payload: The role (use RoleRepresentation) :return Keycloak server response

delete_realm_role(self, role_name)[source]

Delete a role for the realm by name :param payload: The role name {‘role-name’:’name-of-the-role’} :return Keycloak server response

add_composite_realm_roles_to_role(self, role_name, roles)[source]

Add composite roles to the role

Parameters
  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be updated

Returns

Keycloak server response

remove_composite_realm_roles_to_role(self, role_name, roles)[source]

Remove composite roles from the role

Parameters
  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be removed

Returns

Keycloak server response

get_composite_realm_roles_of_role(self, role_name)[source]

Get composite roles of the role

Parameters

role_name – The name of the role

Returns

Keycloak server response (array RoleRepresentation)

assign_realm_roles(self, user_id, roles)[source]

Assign realm roles to a user

Parameters
  • user_id – id of user

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

delete_realm_roles_of_user(self, user_id, roles)[source]

Deletes realm roles of a user

Parameters
  • user_id – id of user

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

get_realm_roles_of_user(self, user_id)[source]

Get all realm roles for a user.

Parameters

user_id – id of user

Returns

Keycloak server response (array RoleRepresentation)

get_available_realm_roles_of_user(self, user_id)[source]

Get all available (i.e. unassigned) realm roles for a user. :param user_id: id of user :return: Keycloak server response (array RoleRepresentation)

get_composite_realm_roles_of_user(self, user_id)[source]

Get all composite (i.e. implicit) realm roles for a user. :param user_id: id of user :return: Keycloak server response (array RoleRepresentation)

assign_group_realm_roles(self, group_id, roles)[source]

Assign realm roles to a group

Parameters
  • group_id – id of groupp

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

delete_group_realm_roles(self, group_id, roles)[source]

Delete realm roles of a group

Parameters
  • group_id – id of group

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

get_group_realm_roles(self, group_id)[source]

Get all realm roles for a group.

Parameters

user_id – id of the group

Returns

Keycloak server response (array RoleRepresentation)

assign_group_client_roles(self, group_id, client_id, roles)[source]

Assign client roles to a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

get_group_client_roles(self, group_id, client_id)[source]

Get client roles of a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

Returns

Keycloak server response

delete_group_client_roles(self, group_id, client_id, roles)[source]

Delete client roles of a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response (array RoleRepresentation)

get_client_roles_of_user(self, user_id, client_id)[source]

Get all client roles for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

get_available_client_roles_of_user(self, user_id, client_id)[source]

Get available client role-mappings for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

get_composite_client_roles_of_user(self, user_id, client_id)[source]

Get composite client role-mappings for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

_get_client_roles_of_user(self, client_level_role_mapping_url, user_id, client_id)[source]
delete_client_roles_of_user(self, user_id, client_id, roles)[source]

Delete client roles from a user.

Parameters
  • user_id – id of user

  • client_id – id of client containing role (not client-id)

  • roles – roles list or role to delete (use RoleRepresentation)

Returns

Keycloak server response

get_authentication_flows(self)[source]

Get authentication flows. Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Returns

Keycloak server response (AuthenticationFlowRepresentation)

get_authentication_flow_for_id(self, flow_id)[source]

Get one authentication flow by it’s id. Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters

flow_id – the id of a flow NOT it’s alias

Returns

Keycloak server response (AuthenticationFlowRepresentation)

create_authentication_flow(self, payload, skip_exists=False)[source]

Create a new authentication flow

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters
  • payload – AuthenticationFlowRepresentation

  • skip_exists – Do not raise an error if authentication flow already exists

Returns

Keycloak server response (RoleRepresentation)

copy_authentication_flow(self, payload, flow_alias)[source]

Copy existing authentication flow under a new name. The new name is given as ‘newName’ attribute of the passed payload.

Parameters
  • payload – JSON containing ‘newName’ attribute

  • flow_alias – the flow alias

Returns

Keycloak server response (RoleRepresentation)

delete_authentication_flow(self, flow_id)[source]

Delete authentication flow

AuthenticationInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationinforepresentation

Parameters

flow_id – authentication flow id

Returns

Keycloak server response

get_authentication_flow_executions(self, flow_alias)[source]

Get authentication flow executions. Returns all execution steps

Parameters

flow_alias – the flow alias

Returns

Response(json)

update_authentication_flow_executions(self, payload, flow_alias)[source]

Update an authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters
  • payload – AuthenticationExecutionInfoRepresentation

  • flow_alias – The flow alias

Returns

Keycloak server response

get_authentication_flow_execution(self, execution_id)[source]

Get authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters

execution_id – the execution ID

Returns

Response(json)

create_authentication_flow_execution(self, payload, flow_alias)[source]

Create an authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters
  • payload – AuthenticationExecutionInfoRepresentation

  • flow_alias – The flow alias

Returns

Keycloak server response

delete_authentication_flow_execution(self, execution_id)[source]

Delete authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters

execution_id – keycloak client id (not oauth client-id)

Returns

Keycloak server response (json)

create_authentication_flow_subflow(self, payload, flow_alias, skip_exists=False)[source]

Create a new sub authentication flow for a given authentication flow

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters
  • payload – AuthenticationFlowRepresentation

  • flow_alias – The flow alias

  • skip_exists – Do not raise an error if authentication flow already exists

Returns

Keycloak server response (RoleRepresentation)

get_authenticator_providers(self)[source]

Get authenticator providers list.

Returns

Response(json)

get_authenticator_provider_config_description(self, provider_id)[source]

Get authenticator’s provider configuration description.

AuthenticatorConfigInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfiginforepresentation

Parameters

provider_id – Provider Id

Returns

AuthenticatorConfigInfoRepresentation

get_authenticator_config(self, config_id)[source]

Get authenticator configuration. Returns all configuration details.

Parameters

config_id – Authenticator config id

Returns

Response(json)

update_authenticator_config(self, payload, config_id)[source]

Update an authenticator configuration.

AuthenticatorConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfigrepresentation

Parameters
  • payload – AuthenticatorConfigRepresentation

  • config_id – Authenticator config id

Returns

Response(json)

delete_authenticator_config(self, config_id)[source]

Delete a authenticator configuration. https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authentication_management_resource

Parameters

config_id – Authenticator config id

Returns

Keycloak server Response

sync_users(self, storage_id, action)[source]

Function to trigger user sync from provider

Parameters
  • storage_id – The id of the user storage provider

  • action – Action can be “triggerFullSync” or “triggerChangedUsersSync”

Returns

get_client_scopes(self)[source]

Get representation of the client scopes for the realm where we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Returns

Keycloak server response Array of (ClientScopeRepresentation)

get_client_scope(self, client_scope_id)[source]

Get representation of the client scopes for the realm where we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Parameters

client_scope_id – The id of the client scope

Returns

Keycloak server response (ClientScopeRepresentation)

get_client_scope_by_name(self, client_scope_name)[source]

Get representation of the client scope identified by the client scope name.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes :param client_scope_name: (str) Name of the client scope :returns: ClientScopeRepresentation or None

create_client_scope(self, payload, skip_exists=False)[source]

Create a client scope

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Parameters
  • payload – ClientScopeRepresentation

  • skip_exists – If true then do not raise an error if client scope already exists

Returns

Client scope id

update_client_scope(self, client_scope_id, payload)[source]

Update a client scope

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource

Parameters
  • client_scope_id – The id of the client scope

  • payload – ClientScopeRepresentation

Returns

Keycloak server response (ClientScopeRepresentation)

delete_client_scope(self, client_scope_id)[source]

Delete existing client scope.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource

Parameters

client_scope_id – The id of the client scope

Returns

Keycloak server response

get_mappers_from_client_scope(self, client_scope_id)[source]

Get a list of all mappers connected to the client scope

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource :param client_scope_id: Client scope id :returns: Keycloak server response (ProtocolMapperRepresentation)

add_mapper_to_client_scope(self, client_scope_id, payload)[source]

Add a mapper to a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper

Parameters
  • client_scope_id – The id of the client scope

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

delete_mapper_from_client_scope(self, client_scope_id, protocol_mapper_id)[source]

Delete a mapper from a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_delete_mapper

Parameters
  • client_scope_id – The id of the client scope

  • protocol_mapper_id – Protocol mapper id

Returns

Keycloak server Response

update_mapper_in_client_scope(self, client_scope_id, protocol_mapper_id, payload)[source]

Update an existing protocol mapper in a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource

Parameters
  • client_scope_id – The id of the client scope

  • protocol_mapper_id – The id of the protocol mapper which exists in the client scope and should to be updated

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

get_default_default_client_scopes(self)[source]

Return list of default default client scopes

Returns

Keycloak server response

delete_default_default_client_scope(self, scope_id)[source]

Delete default default client scope

Parameters

scope_id – default default client scope id

Returns

Keycloak server response

add_default_default_client_scope(self, scope_id)[source]

Add default default client scope

Parameters

scope_id – default default client scope id

Returns

Keycloak server response

get_default_optional_client_scopes(self)[source]

Return list of default optional client scopes

Returns

Keycloak server response

delete_default_optional_client_scope(self, scope_id)[source]

Delete default optional client scope

Parameters

scope_id – default optional client scope id

Returns

Keycloak server response

add_default_optional_client_scope(self, scope_id)[source]

Add default optional client scope

Parameters

scope_id – default optional client scope id

Returns

Keycloak server response

get_mappers_from_client(self, client_id)[source]

List of all client mappers.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocolmapperrepresentation

Parameters

client_id – Client id

Returns

KeycloakServerResponse (list of ProtocolMapperRepresentation)

add_mapper_to_client(self, client_id, payload)[source]

Add a mapper to a client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper

Parameters
  • client_id – The id of the client

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

update_client_mapper(self, client_id, mapper_id, payload)[source]

Update client mapper :param client_id: The id of the client :param client_mapper_id: The id of the mapper to be deleted :param payload: ProtocolMapperRepresentation :return: Keycloak server response

remove_client_mapper(self, client_id, client_mapper_id)[source]

Removes a mapper from the client https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_protocol_mappers_resource :param client_id: The id of the client :param client_mapper_id: The id of the mapper to be deleted :return: Keycloak server response

generate_client_secrets(self, client_id)[source]

Generate a new secret for the client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_regeneratesecret

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_secrets(self, client_id)[source]

Get representation of the client secrets https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsecret

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_components(self, query=None)[source]

Return a list of components, filtered according to query parameters

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Parameters

query – Query parameters (optional)

Returns

components list

create_component(self, payload)[source]

Create a new component.

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Parameters

payload – ComponentRepresentation

Returns

Component id

get_component(self, component_id)[source]

Get representation of the component

Parameters

component_id – Component id

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Returns

ComponentRepresentation

update_component(self, component_id, payload)[source]

Update the component

Parameters
Returns

Http response

delete_component(self, component_id)[source]

Delete the component

Parameters

component_id – Component id

Returns

Http response

get_keys(self)[source]

Return a list of keys, filtered according to query parameters

KeysMetadataRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_key_resource

Returns

keys list

get_events(self, query=None)[source]

Return a list of events, filtered according to query parameters

EventRepresentation array https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_eventrepresentation

Returns

events list

set_events(self, payload)[source]

Set realm events configuration

RealmEventsConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmeventsconfigrepresentation

Returns

Http response

raw_get(self, *args, **kwargs)[source]

Calls connection.raw_get.

If auto_refresh is set for get and access_token is expired, it will refresh the token and try get once more.

raw_post(self, *args, **kwargs)[source]

Calls connection.raw_post.

If auto_refresh is set for post and access_token is expired, it will refresh the token and try post once more.

raw_put(self, *args, **kwargs)[source]

Calls connection.raw_put.

If auto_refresh is set for put and access_token is expired, it will refresh the token and try put once more.

raw_delete(self, *args, **kwargs)[source]

Calls connection.raw_delete.

If auto_refresh is set for delete and access_token is expired, it will refresh the token and try delete once more.

get_token(self)[source]
refresh_token(self)[source]
get_client_all_sessions(self, client_id)[source]

Get sessions associated with the client

Parameters

client_id – id of client

UserSessionRepresentation http://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation

Returns

UserSessionRepresentation

get_client_sessions_stats(self)[source]

Get current session count for all clients with active sessions

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsessionstats

Returns

Dict of clients and session count

get_client_management_permissions(self, client_id)[source]

Get management permissions for a client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

update_client_management_permissions(self, payload, client_id)[source]

Update management permissions for a client.

ManagementPermissionReference https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_managementpermissionreference

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "enabled": true
}
get_client_authz_policy_scopes(self, client_id, policy_id)[source]

Get scopes for a given policy.

Parameters
Returns

Keycloak server response

get_client_authz_policy_resources(self, client_id, policy_id)[source]

Get resources for a given policy.

Parameters
Returns

Keycloak server response

get_client_authz_scope_permission(self, client_id, scope_id)[source]

Get permissions for a given scope.

Parameters
Returns

Keycloak server response

update_client_authz_scope_permission(self, payload, client_id, scope_id)[source]

Update permissions for a given scope.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "id": scope_id,
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}
get_client_authz_client_policies(self, client_id)[source]

Get policies for a given client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response (RoleRepresentation)

create_client_authz_client_policy(self, payload, client_id)[source]

Create a new policy for a given client.

Parameters
Returns

Keycloak server response (RoleRepresentation)

Payload example:

payload={
    "type": "client",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [other_client_id],
}