keycloak.keycloak_openid
¶
Keycloak OpenID module.
The module contains mainly the implementation of KeycloakOpenID class, the main class to handle authentication and token manipulation.
Module Contents¶
Classes¶
Keycloak OpenID client. |
- class keycloak.keycloak_openid.KeycloakOpenID(server_url, realm_name, client_id, client_secret_key=None, verify=True, custom_headers=None, proxies=None, timeout=60)[source]¶
Keycloak OpenID client.
- Parameters
server_url – Keycloak server url
client_id – client id
realm_name – realm name
client_secret_key – client secret key
verify – True if want check connection SSL
custom_headers – dict of custom header to pass to each HTML request
proxies – dict of proxies to sent the request by.
timeout – connection timeout in seconds
- _token_info(self, token, method_token_info, **kwargs)[source]¶
Getter for the token data.
- Parameters
token –
method_token_info –
kwargs –
- Returns
- well_known(self)[source]¶
Get the well_known object.
The most important endpoint to understand is the well-known configuration endpoint. It lists endpoints and other configuration options relevant to the OpenID Connect implementation in Keycloak.
:return It lists endpoints and other configuration options relevant.
- auth_url(self, redirect_uri, scope='email', state='')[source]¶
Get authorization URL endpoint.
- Parameters
redirect_uri (str) – Redirect url to receive oauth code
scope – Scope of authorization request, split with the blank space
state – State will be returned to the redirect_uri
- Type
scope: str
- Type
str
- Returns
Authorization URL Full Build
- Return type
str
- token(self, username='', password='', grant_type=['password'], code='', redirect_uri='', totp=None, **extra)[source]¶
Retrieve user token.
The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
username –
password –
grant_type –
code –
redirect_uri –
totp –
- Returns
- refresh_token(self, refresh_token, grant_type=['refresh_token'])[source]¶
Refresh the user token.
The token endpoint is used to obtain tokens. Tokens can either be obtained by exchanging an authorization code or by supplying credentials directly depending on what flow is used. The token endpoint is also used to obtain new access tokens when they expire.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
refresh_token –
grant_type –
- Returns
- exchange_token(self, token: str, client_id: str, audience: str, subject: str) dict [source]¶
Exchange user token.
Use a token to obtain an entirely different token. See https://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange
- Parameters
token –
client_id –
audience –
subject –
- Returns
- userinfo(self, token)[source]¶
Get the user info object.
The userinfo endpoint returns standard claims about the authenticated user, and is protected by a bearer token.
http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
- Parameters
token –
- Returns
- logout(self, refresh_token)[source]¶
Log out the authenticated user.
- Parameters
refresh_token –
- Returns
- certs(self)[source]¶
Get certificates.
The certificate endpoint returns the public keys enabled by the realm, encoded as a JSON Web Key (JWK). Depending on the realm settings there can be one or more keys enabled for verifying tokens.
https://tools.ietf.org/html/rfc7517
- Returns
- public_key(self)[source]¶
Retrieve the public key.
The public key is exposed by the realm page directly.
- Returns
- entitlement(self, token, resource_server_id)[source]¶
Get entitlements from the token.
Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.
- Returns
- introspect(self, token, rpt=None, token_type_hint=None)[source]¶
Introspect the user token.
The introspection endpoint is used to retrieve the active state of a token. It is can only be invoked by confidential clients.
https://tools.ietf.org/html/rfc7662
- Parameters
token –
rpt –
token_type_hint –
- Returns
- decode_token(self, token, key, algorithms=['RS256'], **kwargs)[source]¶
Decode user token.
A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. This specification also defines a JWK Set JSON data structure that represents a set of JWKs. Cryptographic algorithms and identifiers for use with this specification are described in the separate JSON Web Algorithms (JWA) specification and IANA registries established by that specification.
https://tools.ietf.org/html/rfc7517
- Parameters
token –
key –
algorithms –
- Returns
- load_authorization_config(self, path)[source]¶
Load Keycloak settings (authorization).
- Parameters
path – settings file (json)
- Returns
- get_policies(self, token, method_token_info='introspect', **kwargs)[source]¶
Get policies by user token.
- Parameters
token – user token
- Returns
policies list
- get_permissions(self, token, method_token_info='introspect', **kwargs)[source]¶
Get permission by user token.
- Parameters
token – user token
method_token_info – Decode token method
kwargs – parameters for decode
- Returns
permissions list
- uma_permissions(self, token, permissions='')[source]¶
Get UMA permissions by user token with requested permissions.
The token endpoint is used to retrieve UMA permissions from Keycloak. It can only be invoked by confidential clients.
http://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint
- Parameters
token – user token
permissions – list of uma permissions list(resource:scope) requested by the user
- Returns
permissions list