keycloak

Subpackages

Submodules

Package Contents

Classes

ConnectionManager

Represents a simple server connection.

KeycloakAdmin

Keycloak Admin client.

KeycloakOpenID

Keycloak OpenID client.

Attributes

__version__

keycloak.__version__ = 0.0.0[source]
class keycloak.ConnectionManager(base_url, headers={}, timeout=60, verify=True, proxies=None)[source]

Bases: object

Represents a simple server connection.

Parameters
  • base_url – (str) The server URL.

  • headers – (dict) The header parameters of the requests to the server.

  • timeout – (int) Timeout to use for requests to the server.

  • verify – (bool) Verify server SSL.

  • proxies – (dict) The proxies servers requests is sent by.

__del__(self)
property base_url(self)

Return base url in use for requests to the server.

property timeout(self)

Return timeout in use for request to the server.

property verify(self)

Return verify in use for request to the server.

property headers(self)

Return header request to the server.

param_headers(self, key)

Return a specific header parameter.

Parameters

key – (str) Header parameters key.

Returns

If the header parameters exist, return its value.

clean_headers(self)

Clear header parameters.

exist_param_headers(self, key)

Check if the parameter exists in the header.

Parameters

key – (str) Header parameters key.

Returns

If the header parameters exist, return True.

add_param_headers(self, key, value)

Add a single parameter inside the header.

Parameters
  • key – (str) Header parameters key.

  • value – (str) Value to be added.

del_param_headers(self, key)

Remove a specific parameter.

Parameters

key – (str) Key of the header parameters.

raw_get(self, path, **kwargs)

Submit get request to the path.

Parameters

path – (str) Path for request.

Returns

Response the request.

Raises

HttpError Can’t connect to server.

raw_post(self, path, data, **kwargs)

Submit post request to the path.

Parameters
  • path – (str) Path for request.

  • data – (dict) Payload for request.

Returns

Response the request.

Raises

HttpError Can’t connect to server.

raw_put(self, path, data, **kwargs)

Submit put request to the path.

Parameters
  • path – (str) Path for request.

  • data – (dict) Payload for request.

Returns

Response the request.

Raises

HttpError Can’t connect to server.

raw_delete(self, path, data={}, **kwargs)

Submit delete request to the path.

Parameters
  • path – (str) Path for request.

  • data – (dict) Payload for request.

Returns

Response the request.

Raises

HttpError Can’t connect to server.

exception keycloak.KeycloakAuthenticationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakAuthorizationConfigError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakConnectionError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakDeleteError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakDeprecationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakError(error_message='', response_code=None, response_body=None)[source]

Bases: Exception

Common base class for all non-exit exceptions.

__str__(self)

Return str(self).

exception keycloak.KeycloakGetError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakInvalidTokenError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakOperationError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakPostError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakPutError(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakRPTNotFound(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

exception keycloak.KeycloakSecretNotFound(error_message='', response_code=None, response_body=None)[source]

Bases: KeycloakOperationError

Common base class for all non-exit exceptions.

class keycloak.KeycloakAdmin(server_url, username=None, password=None, totp=None, realm_name='master', client_id='admin-cli', verify=True, client_secret_key=None, custom_headers=None, user_realm_name=None, auto_refresh_token=None, timeout=60)[source]

Keycloak Admin client.

Parameters
  • server_url – Keycloak server url

  • username – admin username

  • password – admin password

  • totp – Time based OTP

  • realm_name – realm name

  • client_id – client id

  • verify – True if want check connection SSL

  • client_secret_key – client secret key (optional, required only for access type confidential)

  • custom_headers – dict of custom header to pass to each HTML request

  • user_realm_name – The realm name of the user, if different from realm_name

  • auto_refresh_token – list of methods that allows automatic token refresh. Ex: [‘get’, ‘put’, ‘post’, ‘delete’]

  • timeout – connection timeout in seconds

PAGE_SIZE = 100
_server_url
_username
_password
_totp
_realm_name
_client_id
_verify
_client_secret_key
_auto_refresh_token
_connection
_token
_custom_headers
_user_realm_name
property server_url(self)
property realm_name(self)
property connection(self)
property client_id(self)
property client_secret_key(self)
property verify(self)
property username(self)
property password(self)
property totp(self)
property token(self)
property auto_refresh_token(self)
property user_realm_name(self)
property custom_headers(self)
__fetch_all(self, url, query=None)

Wrapper function to paginate GET requests

Parameters
  • url – The url on which the query is executed

  • query – Existing query parameters (optional)

Returns

Combined results of paginated queries

__fetch_paginated(self, url, query=None)
import_realm(self, payload)

Import a new realm from a RealmRepresentation. Realm name must be unique.

RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters

payload – RealmRepresentation

Returns

RealmRepresentation

export_realm(self, export_clients=False, export_groups_and_role=False)

Export the realm configurations in the json format

RealmRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_partialexport

Parameters
  • export-clients – Skip if not want to export realm clients

  • export-groups-and-roles – Skip if not want to export realm groups and roles

Returns

realm configurations JSON

get_realms(self)

Lists all realms in Keycloak deployment

Returns

realms list

get_realm(self, realm_name)

Get a specific realm.

RealmRepresentation: https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_realmrepresentation

Parameters

realm_name – Realm name (not the realm id)

Returns

RealmRepresentation

create_realm(self, payload, skip_exists=False)

Create a realm

RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters
  • payload – RealmRepresentation

  • skip_exists – Skip if Realm already exist.

Returns

Keycloak server response (RealmRepresentation)

update_realm(self, realm_name, payload)

Update a realm. This wil only update top level attributes and will ignore any user, role, or client information in the payload.

RealmRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmrepresentation

Parameters
  • realm_name – Realm name (not the realm id)

  • payload – RealmRepresentation

Returns

Http response

delete_realm(self, realm_name)

Delete a realm

Parameters

realm_name – Realm name (not the realm id)

Returns

Http response

get_users(self, query=None)

Return a list of users, filtered according to query parameters

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters

query – Query parameters (optional)

Returns

users list

create_idp(self, payload)

Create an ID Provider,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation

Param

payload: IdentityProviderRepresentation

update_idp(self, idp_alias, payload)

Update an ID Provider

IdentityProviderRepresentation https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_identity_providers_resource

Param

alias: alias for IdP to update

Param

payload: The IdentityProviderRepresentation

add_mapper_to_idp(self, idp_alias, payload)

Create an ID Provider,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityprovidermapperrepresentation

Param

idp_alias: alias for Idp to add mapper in

Param

payload: IdentityProviderMapperRepresentation

update_mapper_in_idp(self, idp_alias, mapper_id, payload)

Update an IdP mapper

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_update

Param

idp_alias: alias for Idp to fetch mappers

Param

mapper_id: Mapper Id to update

Param

payload: IdentityProviderMapperRepresentation

Returns

Http response

get_idp_mappers(self, idp_alias)

Returns a list of ID Providers mappers

IdentityProviderMapperRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getmappers

Param

idp_alias: alias for Idp to fetch mappers

Returns

array IdentityProviderMapperRepresentation

get_idps(self)

Returns a list of ID Providers,

IdentityProviderRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_identityproviderrepresentation

Returns

array IdentityProviderRepresentation

delete_idp(self, idp_alias)

Deletes ID Provider,

Param

idp_alias: idp alias name

create_user(self, payload, exist_ok=False)

Create a new user. Username must be unique

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters
  • payload – UserRepresentation

  • exist_ok – If False, raise KeycloakGetError if username already exists. Otherwise, return existing user ID.

Returns

UserRepresentation

users_count(self, query=None)

User counter

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_users_resource

Parameters

query – (dict) Query parameters for users count

Returns

counter

get_user_id(self, username)

Get internal keycloak user id from username This is required for further actions against this user.

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Parameters

username – id in UserRepresentation

Returns

user_id

get_user(self, user_id)

Get representation of the user

Parameters

user_id – User id

UserRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userrepresentation

Returns

UserRepresentation

get_user_groups(self, user_id)

Returns a list of groups of which the user is a member

Parameters

user_id – User id

Returns

user groups list

update_user(self, user_id, payload)

Update the user

Parameters
  • user_id – User id

  • payload – UserRepresentation

Returns

Http response

delete_user(self, user_id)

Delete the user

Parameters

user_id – User id

Returns

Http response

set_user_password(self, user_id, password, temporary=True)

Set up a password for the user. If temporary is True, the user will have to reset the temporary password next time they log in.

https://www.keycloak.org/docs-api/18.0/rest-api/#_users_resource https://www.keycloak.org/docs-api/18.0/rest-api/#_credentialrepresentation

Parameters
  • user_id – User id

  • password – New password

  • temporary – True if password is temporary

Returns

get_credentials(self, user_id)

Returns a list of credential belonging to the user.

CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation

Param

user_id: user id

Returns

Keycloak server response (CredentialRepresentation)

delete_credential(self, user_id, credential_id)

Delete credential of the user.

CredentialRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_credentialrepresentation

Param

user_id: user id

Param

credential_id: credential id

Returns

Keycloak server response (ClientRepresentation)

user_logout(self, user_id)

Logs out user.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_logout

Parameters

user_id – User id

Returns

user_consents(self, user_id)

Get consents granted by the user

UserConsentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_userconsentrepresentation

Parameters

user_id – User id

Returns

List of UserConsentRepresentations

get_user_social_logins(self, user_id)

Returns a list of federated identities/social logins of which the user has been associated with :param user_id: User id :return: federated identities list

add_user_social_login(self, user_id, provider_id, provider_userid, provider_username)

Add a federated identity / social login provider to the user :param user_id: User id :param provider_id: Social login provider id :param provider_userid: userid specified by the provider :param provider_username: username specified by the provider :return:

delete_user_social_login(self, user_id, provider_id)

Delete a federated identity / social login provider from the user :param user_id: User id :param provider_id: Social login provider id :return:

send_update_account(self, user_id, payload, client_id=None, lifespan=None, redirect_uri=None)

Send an update account email to the user. An email contains a link the user can click to perform a set of required actions.

Parameters
  • user_id – User id

  • payload – A list of actions for the user to complete

  • client_id – Client id (optional)

  • lifespan – Number of seconds after which the generated token expires (optional)

  • redirect_uri – The redirect uri (optional)

Returns

send_verify_email(self, user_id, client_id=None, redirect_uri=None)

Send a update account email to the user An email contains a link the user can click to perform a set of required actions.

Parameters
  • user_id – User id

  • client_id – Client id (optional)

  • redirect_uri – Redirect uri (optional)

Returns

get_sessions(self, user_id)

Get sessions associated with the user

Parameters

user_id – id of user

UserSessionRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation

Returns

UserSessionRepresentation

get_server_info(self)

Get themes, social providers, auth providers, and event listeners available on this server

ServerInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation

Returns

ServerInfoRepresentation

get_groups(self, query=None)

Returns a list of groups belonging to the realm

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

array GroupRepresentation

get_group(self, group_id)

Get group by id. Returns full group details

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters

group_id – The group id

Returns

Keycloak server response (GroupRepresentation)

get_subgroups(self, group, path)

Utility function to iterate through nested group structures

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters
  • name – group (GroupRepresentation)

  • path – group path (string)

Returns

Keycloak server response (GroupRepresentation)

get_group_members(self, group_id, query=None)

Get members by group id. Returns group members

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_userrepresentation

Parameters
Returns

Keycloak server response (UserRepresentation)

get_group_by_path(self, path, search_in_subgroups=False)

Get group id based on name or path. A straight name or path match with a top-level group will return first. Subgroups are traversed, the first to match path (or name with path) is returned.

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Parameters
  • path – group path

  • search_in_subgroups – True if want search in the subgroups

Returns

Keycloak server response (GroupRepresentation)

create_group(self, payload, parent=None, skip_exists=False)

Creates a group in the Realm

Parameters
  • payload – GroupRepresentation

  • parent – parent group’s id. Required to create a sub-group.

  • skip_exists – If true then do not raise an error if it already exists

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

Group id for newly created group or None for an existing group

update_group(self, group_id, payload)

Update group, ignores subgroups.

Parameters
  • group_id – id of group

  • payload – GroupRepresentation with updated information.

GroupRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/#_grouprepresentation

Returns

Http response

group_set_permissions(self, group_id, enabled=True)

Enable/Disable permissions for a group. Cannot delete group if disabled

Parameters
  • group_id – id of group

  • enabled – boolean

Returns

Keycloak server response

group_user_add(self, user_id, group_id)

Add user to group (user_id and group_id)

Parameters
  • user_id – id of user

  • group_id – id of group to add to

Returns

Keycloak server response

group_user_remove(self, user_id, group_id)

Remove user from group (user_id and group_id)

Parameters
  • user_id – id of user

  • group_id – id of group to remove from

Returns

Keycloak server response

delete_group(self, group_id)

Deletes a group in the Realm

Parameters

group_id – id of group to delete

Returns

Keycloak server response

get_clients(self)

Returns a list of clients belonging to the realm

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response (ClientRepresentation)

get_client(self, client_id)

Get representation of the client

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_id(self, client_name)

Get internal keycloak client id from client-id. This is required for further actions against this client.

Parameters

client_name – name in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

client_id (uuid as string)

get_client_authz_settings(self, client_id)

Get authorization json from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

create_client_authz_resource(self, client_id, payload, skip_exists=False)

Create resources of client.

Parameters
Returns

Keycloak server response

get_client_authz_resources(self, client_id)

Get resources from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

create_client_authz_role_based_policy(self, client_id, payload, skip_exists=False)

Create role-based policy of client.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "type": "role",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Policy-1",
    "roles": [
        {
        "id": id
        }
    ]
}
create_client_authz_resource_based_permission(self, client_id, payload, skip_exists=False)

Create resource-based permission of client.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name",
    "resources": [
        resource_id
    ],
    "policies": [
        policy_id
    ]
get_client_authz_scopes(self, client_id)

Get scopes from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_authz_permissions(self, client_id)

Get permissions from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_authz_policies(self, client_id)

Get policies from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

get_client_service_account_user(self, client_id)

Get service account user from client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

UserRepresentation

create_client(self, payload, skip_exists=False)

Create a client

ClientRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters
  • skip_exists – If true then do not raise an error if client already exists

  • payload – ClientRepresentation

Returns

Client ID

update_client(self, client_id, payload)

Update a client

Parameters
  • client_id – Client id

  • payload – ClientRepresentation

Returns

Http response

delete_client(self, client_id)

Get representation of the client

ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Parameters

client_id – keycloak client id (not oauth client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_installation_provider(self, client_id, provider_id)

Get content for given installation provider

Related documentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource

Possible provider_id list available in the ServerInfoRepresentation#clientInstallations https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_serverinforepresentation

Parameters
  • client_id – Client id

  • provider_id – provider id to specify response format

get_realm_roles(self)

Get all roles for the realm or client

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

Keycloak server response (RoleRepresentation)

get_realm_role_members(self, role_name, query=None)

Get role members of realm by role name. :param role_name: Name of the role. :param query: Additional Query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_roles_resource) :return: Keycloak Server Response (UserRepresentation)

get_client_roles(self, client_id)

Get all roles for the client

Parameters

client_id – id of client (not client-id)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

Keycloak server response (RoleRepresentation)

get_client_role(self, client_id, role_name)

Get client role id by name This is required for further actions with this role.

Parameters
  • client_id – id of client (not client-id)

  • role_name – role’s name (not id!)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

role_id

get_client_role_id(self, client_id, role_name)

Warning: Deprecated

Get client role id by name This is required for further actions with this role.

Parameters
  • client_id – id of client (not client-id)

  • role_name – role’s name (not id!)

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Returns

role_id

create_client_role(self, client_role_id, payload, skip_exists=False)

Create a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • payload – RoleRepresentation

  • skip_exists – If true then do not raise an error if client role already exists

Returns

Client role name

add_composite_client_roles_to_role(self, client_role_id, role_name, roles)

Add composite roles to client role

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be updated

Returns

Keycloak server response

update_client_role(self, client_role_id, role_name, payload)

Update a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – role’s name (not id!)

  • payload – RoleRepresentation

delete_client_role(self, client_role_id, role_name)

Delete a client role

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation

Parameters
  • client_role_id – id of client (not client-id)

  • role_name – role’s name (not id!)

assign_client_role(self, user_id, client_id, roles)

Assign a client role to a user

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

get_client_role_members(self, client_id, role_name, **query)

Get members by client role . :param client_id: The client id :param role_name: the name of role to be queried. :param query: Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource) :return: Keycloak server response (UserRepresentation)

get_client_role_groups(self, client_id, role_name, **query)

Get group members by client role . :param client_id: The client id :param role_name: the name of role to be queried. :param query: Additional query parameters (see https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clients_resource) :return: Keycloak server response

create_realm_role(self, payload, skip_exists=False)

Create a new role for the realm or client

Parameters
  • payload – The role (use RoleRepresentation)

  • skip_exists – If true then do not raise an error if realm role already exists

Returns

Realm role name

get_realm_role(self, role_name)

Get realm role by role name :param role_name: role’s name, not id!

RoleRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_rolerepresentation :return: role_id

update_realm_role(self, role_name, payload)

Update a role for the realm by name :param role_name: The name of the role to be updated :param payload: The role (use RoleRepresentation) :return Keycloak server response

delete_realm_role(self, role_name)

Delete a role for the realm by name :param payload: The role name {‘role-name’:’name-of-the-role’} :return Keycloak server response

add_composite_realm_roles_to_role(self, role_name, roles)

Add composite roles to the role

Parameters
  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be updated

Returns

Keycloak server response

remove_composite_realm_roles_to_role(self, role_name, roles)

Remove composite roles from the role

Parameters
  • role_name – The name of the role

  • roles – roles list or role (use RoleRepresentation) to be removed

Returns

Keycloak server response

get_composite_realm_roles_of_role(self, role_name)

Get composite roles of the role

Parameters

role_name – The name of the role

Returns

Keycloak server response (array RoleRepresentation)

assign_realm_roles(self, user_id, roles)

Assign realm roles to a user

Parameters
  • user_id – id of user

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

delete_realm_roles_of_user(self, user_id, roles)

Deletes realm roles of a user

Parameters
  • user_id – id of user

  • roles – roles list or role (use RoleRepresentation)

Returns

Keycloak server response

get_realm_roles_of_user(self, user_id)

Get all realm roles for a user.

Parameters

user_id – id of user

Returns

Keycloak server response (array RoleRepresentation)

get_available_realm_roles_of_user(self, user_id)

Get all available (i.e. unassigned) realm roles for a user. :param user_id: id of user :return: Keycloak server response (array RoleRepresentation)

get_composite_realm_roles_of_user(self, user_id)

Get all composite (i.e. implicit) realm roles for a user. :param user_id: id of user :return: Keycloak server response (array RoleRepresentation)

assign_group_realm_roles(self, group_id, roles)

Assign realm roles to a group

Parameters
  • group_id – id of groupp

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

delete_group_realm_roles(self, group_id, roles)

Delete realm roles of a group

Parameters
  • group_id – id of group

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

get_group_realm_roles(self, group_id)

Get all realm roles for a group.

Parameters

user_id – id of the group

Returns

Keycloak server response (array RoleRepresentation)

assign_group_client_roles(self, group_id, client_id, roles)

Assign client roles to a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response

get_group_client_roles(self, group_id, client_id)

Get client roles of a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

Returns

Keycloak server response

delete_group_client_roles(self, group_id, client_id, roles)

Delete client roles of a group

Parameters
  • group_id – id of group

  • client_id – id of client (not client-id)

  • roles – roles list or role (use GroupRoleRepresentation)

Returns

Keycloak server response (array RoleRepresentation)

get_client_roles_of_user(self, user_id, client_id)

Get all client roles for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

get_available_client_roles_of_user(self, user_id, client_id)

Get available client role-mappings for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

get_composite_client_roles_of_user(self, user_id, client_id)

Get composite client role-mappings for a user.

Parameters
  • user_id – id of user

  • client_id – id of client (not client-id)

Returns

Keycloak server response (array RoleRepresentation)

_get_client_roles_of_user(self, client_level_role_mapping_url, user_id, client_id)
delete_client_roles_of_user(self, user_id, client_id, roles)

Delete client roles from a user.

Parameters
  • user_id – id of user

  • client_id – id of client containing role (not client-id)

  • roles – roles list or role to delete (use RoleRepresentation)

Returns

Keycloak server response

get_authentication_flows(self)

Get authentication flows. Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Returns

Keycloak server response (AuthenticationFlowRepresentation)

get_authentication_flow_for_id(self, flow_id)

Get one authentication flow by it’s id. Returns all flow details

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters

flow_id – the id of a flow NOT it’s alias

Returns

Keycloak server response (AuthenticationFlowRepresentation)

create_authentication_flow(self, payload, skip_exists=False)

Create a new authentication flow

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters
  • payload – AuthenticationFlowRepresentation

  • skip_exists – Do not raise an error if authentication flow already exists

Returns

Keycloak server response (RoleRepresentation)

copy_authentication_flow(self, payload, flow_alias)

Copy existing authentication flow under a new name. The new name is given as ‘newName’ attribute of the passed payload.

Parameters
  • payload – JSON containing ‘newName’ attribute

  • flow_alias – the flow alias

Returns

Keycloak server response (RoleRepresentation)

delete_authentication_flow(self, flow_id)

Delete authentication flow

AuthenticationInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationinforepresentation

Parameters

flow_id – authentication flow id

Returns

Keycloak server response

get_authentication_flow_executions(self, flow_alias)

Get authentication flow executions. Returns all execution steps

Parameters

flow_alias – the flow alias

Returns

Response(json)

update_authentication_flow_executions(self, payload, flow_alias)

Update an authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters
  • payload – AuthenticationExecutionInfoRepresentation

  • flow_alias – The flow alias

Returns

Keycloak server response

get_authentication_flow_execution(self, execution_id)

Get authentication flow execution.

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters

execution_id – the execution ID

Returns

Response(json)

create_authentication_flow_execution(self, payload, flow_alias)

Create an authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters
  • payload – AuthenticationExecutionInfoRepresentation

  • flow_alias – The flow alias

Returns

Keycloak server response

delete_authentication_flow_execution(self, execution_id)

Delete authentication flow execution

AuthenticationExecutionInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationexecutioninforepresentation

Parameters

execution_id – keycloak client id (not oauth client-id)

Returns

Keycloak server response (json)

create_authentication_flow_subflow(self, payload, flow_alias, skip_exists=False)

Create a new sub authentication flow for a given authentication flow

AuthenticationFlowRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticationflowrepresentation

Parameters
  • payload – AuthenticationFlowRepresentation

  • flow_alias – The flow alias

  • skip_exists – Do not raise an error if authentication flow already exists

Returns

Keycloak server response (RoleRepresentation)

get_authenticator_providers(self)

Get authenticator providers list.

Returns

Response(json)

get_authenticator_provider_config_description(self, provider_id)

Get authenticator’s provider configuration description.

AuthenticatorConfigInfoRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfiginforepresentation

Parameters

provider_id – Provider Id

Returns

AuthenticatorConfigInfoRepresentation

get_authenticator_config(self, config_id)

Get authenticator configuration. Returns all configuration details.

Parameters

config_id – Authenticator config id

Returns

Response(json)

update_authenticator_config(self, payload, config_id)

Update an authenticator configuration.

AuthenticatorConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authenticatorconfigrepresentation

Parameters
  • payload – AuthenticatorConfigRepresentation

  • config_id – Authenticator config id

Returns

Response(json)

delete_authenticator_config(self, config_id)

Delete a authenticator configuration. https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_authentication_management_resource

Parameters

config_id – Authenticator config id

Returns

Keycloak server Response

sync_users(self, storage_id, action)

Function to trigger user sync from provider

Parameters
  • storage_id – The id of the user storage provider

  • action – Action can be “triggerFullSync” or “triggerChangedUsersSync”

Returns

get_client_scopes(self)

Get representation of the client scopes for the realm where we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Returns

Keycloak server response Array of (ClientScopeRepresentation)

get_client_scope(self, client_scope_id)

Get representation of the client scopes for the realm where we are connected to https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Parameters

client_scope_id – The id of the client scope

Returns

Keycloak server response (ClientScopeRepresentation)

get_client_scope_by_name(self, client_scope_name)

Get representation of the client scope identified by the client scope name.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes :param client_scope_name: (str) Name of the client scope :returns: ClientScopeRepresentation or None

create_client_scope(self, payload, skip_exists=False)

Create a client scope

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientscopes

Parameters
  • payload – ClientScopeRepresentation

  • skip_exists – If true then do not raise an error if client scope already exists

Returns

Client scope id

update_client_scope(self, client_scope_id, payload)

Update a client scope

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource

Parameters
  • client_scope_id – The id of the client scope

  • payload – ClientScopeRepresentation

Returns

Keycloak server response (ClientScopeRepresentation)

delete_client_scope(self, client_scope_id)

Delete existing client scope.

ClientScopeRepresentation: https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_client_scopes_resource

Parameters

client_scope_id – The id of the client scope

Returns

Keycloak server response

get_mappers_from_client_scope(self, client_scope_id)

Get a list of all mappers connected to the client scope

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource :param client_scope_id: Client scope id :returns: Keycloak server response (ProtocolMapperRepresentation)

add_mapper_to_client_scope(self, client_scope_id, payload)

Add a mapper to a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper

Parameters
  • client_scope_id – The id of the client scope

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

delete_mapper_from_client_scope(self, client_scope_id, protocol_mapper_id)

Delete a mapper from a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_delete_mapper

Parameters
  • client_scope_id – The id of the client scope

  • protocol_mapper_id – Protocol mapper id

Returns

Keycloak server Response

update_mapper_in_client_scope(self, client_scope_id, protocol_mapper_id, payload)

Update an existing protocol mapper in a client scope https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocol_mappers_resource

Parameters
  • client_scope_id – The id of the client scope

  • protocol_mapper_id – The id of the protocol mapper which exists in the client scope and should to be updated

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

get_default_default_client_scopes(self)

Return list of default default client scopes

Returns

Keycloak server response

delete_default_default_client_scope(self, scope_id)

Delete default default client scope

Parameters

scope_id – default default client scope id

Returns

Keycloak server response

add_default_default_client_scope(self, scope_id)

Add default default client scope

Parameters

scope_id – default default client scope id

Returns

Keycloak server response

get_default_optional_client_scopes(self)

Return list of default optional client scopes

Returns

Keycloak server response

delete_default_optional_client_scope(self, scope_id)

Delete default optional client scope

Parameters

scope_id – default optional client scope id

Returns

Keycloak server response

add_default_optional_client_scope(self, scope_id)

Add default optional client scope

Parameters

scope_id – default optional client scope id

Returns

Keycloak server response

get_mappers_from_client(self, client_id)

List of all client mappers.

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_protocolmapperrepresentation

Parameters

client_id – Client id

Returns

KeycloakServerResponse (list of ProtocolMapperRepresentation)

add_mapper_to_client(self, client_id, payload)

Add a mapper to a client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_create_mapper

Parameters
  • client_id – The id of the client

  • payload – ProtocolMapperRepresentation

Returns

Keycloak server Response

update_client_mapper(self, client_id, mapper_id, payload)

Update client mapper :param client_id: The id of the client :param client_mapper_id: The id of the mapper to be deleted :param payload: ProtocolMapperRepresentation :return: Keycloak server response

remove_client_mapper(self, client_id, client_mapper_id)

Removes a mapper from the client https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_protocol_mappers_resource :param client_id: The id of the client :param client_mapper_id: The id of the mapper to be deleted :return: Keycloak server response

generate_client_secrets(self, client_id)

Generate a new secret for the client https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_regeneratesecret

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_client_secrets(self, client_id)

Get representation of the client secrets https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsecret

Parameters

client_id – id of client (not client-id)

Returns

Keycloak server response (ClientRepresentation)

get_components(self, query=None)

Return a list of components, filtered according to query parameters

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Parameters

query – Query parameters (optional)

Returns

components list

create_component(self, payload)

Create a new component.

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Parameters

payload – ComponentRepresentation

Returns

Component id

get_component(self, component_id)

Get representation of the component

Parameters

component_id – Component id

ComponentRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_componentrepresentation

Returns

ComponentRepresentation

update_component(self, component_id, payload)

Update the component

Parameters
Returns

Http response

delete_component(self, component_id)

Delete the component

Parameters

component_id – Component id

Returns

Http response

get_keys(self)

Return a list of keys, filtered according to query parameters

KeysMetadataRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_key_resource

Returns

keys list

get_events(self, query=None)

Return a list of events, filtered according to query parameters

EventRepresentation array https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_eventrepresentation

Returns

events list

set_events(self, payload)

Set realm events configuration

RealmEventsConfigRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_realmeventsconfigrepresentation

Returns

Http response

raw_get(self, *args, **kwargs)

Calls connection.raw_get.

If auto_refresh is set for get and access_token is expired, it will refresh the token and try get once more.

raw_post(self, *args, **kwargs)

Calls connection.raw_post.

If auto_refresh is set for post and access_token is expired, it will refresh the token and try post once more.

raw_put(self, *args, **kwargs)

Calls connection.raw_put.

If auto_refresh is set for put and access_token is expired, it will refresh the token and try put once more.

raw_delete(self, *args, **kwargs)

Calls connection.raw_delete.

If auto_refresh is set for delete and access_token is expired, it will refresh the token and try delete once more.

get_token(self)
refresh_token(self)
get_client_all_sessions(self, client_id)

Get sessions associated with the client

Parameters

client_id – id of client

UserSessionRepresentation http://www.keycloak.org/docs-api/18.0/rest-api/index.html#_usersessionrepresentation

Returns

UserSessionRepresentation

get_client_sessions_stats(self)

Get current session count for all clients with active sessions

https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_getclientsessionstats

Returns

Dict of clients and session count

get_client_management_permissions(self, client_id)

Get management permissions for a client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response

update_client_management_permissions(self, payload, client_id)

Update management permissions for a client.

ManagementPermissionReference https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_managementpermissionreference

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "enabled": true
}
get_client_authz_policy_scopes(self, client_id, policy_id)

Get scopes for a given policy.

Parameters
Returns

Keycloak server response

get_client_authz_policy_resources(self, client_id, policy_id)

Get resources for a given policy.

Parameters
Returns

Keycloak server response

get_client_authz_scope_permission(self, client_id, scope_id)

Get permissions for a given scope.

Parameters
Returns

Keycloak server response

update_client_authz_scope_permission(self, payload, client_id, scope_id)

Update permissions for a given scope.

Parameters
Returns

Keycloak server response

Payload example:

payload={
    "id": scope_id,
    "name": "My Permission Name",
    "type": "scope",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resources": [some_resource_id],
    "scopes": [some_scope_id],
    "policies": [some_policy_id],
}
get_client_authz_client_policies(self, client_id)

Get policies for a given client.

Parameters

client_id – id in ClientRepresentation https://www.keycloak.org/docs-api/18.0/rest-api/index.html#_clientrepresentation

Returns

Keycloak server response (RoleRepresentation)

create_client_authz_client_policy(self, payload, client_id)

Create a new policy for a given client.

Parameters
Returns

Keycloak server response (RoleRepresentation)

Payload example:

payload={
    "type": "client",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [other_client_id],
}
class keycloak.KeycloakOpenID(server_url, realm_name, client_id, client_secret_key=None, verify=True, custom_headers=None, proxies=None, timeout=60)[source]

Keycloak OpenID client.

Parameters
  • server_url – Keycloak server url

  • client_id – client id

  • realm_name – realm name

  • client_secret_key – client secret key

  • verify – True if want check connection SSL

  • custom_headers – dict of custom header to pass to each HTML request

  • proxies – dict of proxies to sent the request by.

  • timeout – connection timeout in seconds

property client_id(self)
property client_secret_key(self)
property realm_name(self)
property connection(self)
property authorization(self)
_add_secret_key(self, payload)

Add secret key if exist.

Parameters

payload

Returns

_build_name_role(self, role)
Parameters

role

Returns

_token_info(self, token, method_token_info, **kwargs)
Parameters
  • token

  • method_token_info

  • kwargs

Returns

well_known(self)

The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.

:return It lists endpoints and other configuration options relevant.

auth_url(self, redirect_uri, scope='email', state='')

Get authorization URL endpoint.

Parameters
  • redirect_uri (str) – Redirect url to receive oauth code

  • scope – Scope of authorization request, split with the blank space

  • state – State will be returned to the redirect_uri

Type

scope: str

Type

str

Returns

Authorization URL Full Build

Return type

str

token(self, username='', password='', grant_type=['password'], code='', redirect_uri='', totp=None, **extra)

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • username

  • password

  • grant_type

  • code

  • redirect_uri

  • totp

Returns

refresh_token(self, refresh_token, grant_type=['refresh_token'])

The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • refresh_token

  • grant_type

Returns

exchange_token(self, token: str, client_id: str, audience: str, subject: str) dict

Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange

Parameters
  • token

  • client_id

  • audience

  • subject

Returns

userinfo(self, token)

The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.

http://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Parameters

token

Returns

logout(self, refresh_token)

The logout endpoint logs out the authenticated user. :param refresh_token: :return:

certs(self)

The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.

https://tools.ietf.org/html/rfc7517

Returns

public_key(self)

The public key is exposed by the realm page directly.

Returns

entitlement(self, token, resource_server_id)

Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.

Returns

introspect(self, token, rpt=None, token_type_hint=None)

The introspection endpoint is used to retrieve the active state of a token. It is can only be invoked by confidential clients.

https://tools.ietf.org/html/rfc7662

Parameters
  • token

  • rpt

  • token_type_hint

Returns

decode_token(self, token, key, algorithms=['RS256'], **kwargs)

A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.

https://tools.ietf.org/html/rfc7517

Parameters
  • token

  • key

  • algorithms

Returns

load_authorization_config(self, path)

Load Keycloak settings (authorization)

Parameters

path – settings file (json)

Returns

get_policies(self, token, method_token_info='introspect', **kwargs)

Get policies by user token

Parameters

token – user token

Returns

policies list

get_permissions(self, token, method_token_info='introspect', **kwargs)

Get permission by user token

Parameters
  • token – user token

  • method_token_info – Decode token method

  • kwargs – parameters for decode

Returns

permissions list

uma_permissions(self, token, permissions='')

Get UMA permissions by user token with requested permissions

The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.

http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

Parameters
  • token – user token

  • permissions – list of uma permissions list(resource:scope) requested by the user

Returns

permissions list

has_uma_access(self, token, permissions)

Determine whether user has uma permissions with specified user token

Parameters
  • token – user token

  • permissions – list of uma permissions (resource:scope)

Returns

auth status