Welcome to Python Keycloak Client’s documentation!

The Python Keycloak Client is a set of API clients written in Python to communicate with the different APIs which are exposed by Keycloak.

Installation

$ pip install python-keycloak-client

Async

$ pip install python-keycloak-client[aio]

Preparation

Make sure you have created a realm and a client in Keycloak.

Usage

Everything starts with an instance of keycloak.realm.KeycloakRealm:

from keycloak.realm import KeycloakRealm


realm = KeycloakRealm(server_url='https://example.com', realm_name='my_realm')

Async

from keycloak.aio.realm import KeycloakRealm


async def main(loop=None):
    realm_params = dict(
        server_url='https://example.com',
        realm_name='my_realm',
        loop=loop
    )
    async with KeycloakRealm(**realm_params) as realm:
        # do something
        print(realm.realm_name)

if __name__ == '__main__':
    import asyncio

    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

OpenID Connect

The OpenID Connect entry point can be retrieved from the realm object.

from keycloak.realm import KeycloakRealm


realm = KeycloakRealm(server_url='https://example.com', realm_name='my_realm')

oidc_client = realm.open_id_connect(client_id='my-client',
                                    client_secret='very-secret-client-secret')

Async

from keycloak.aio.realm import KeycloakRealm


async def main(loop=None):
    realm_params = dict(
        server_url='https://example.com',
        realm_name='my_realm',
        loop=loop
    )
    async with KeycloakRealm(**realm_params) as realm:
        oidc_client = await realm.open_id_connect(
            client_id='my-client',
            client_secret='very-secret-client-secret'
        )
        # do something


if __name__ == '__main__':
    import asyncio

    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

Authz (Authorization services)

The Authz client can be retrieved from the realm object.

from keycloak.realm import KeycloakRealm


realm = KeycloakRealm(server_url='https://example.com', realm_name='my_realm')

authz_client = realm.authz(client_id='my-client')

Async

from keycloak.aio.realm import KeycloakRealm


async def main(loop=None):
    realm_params = dict(
        server_url='https://example.com',
        realm_name='my_realm',
        loop=loop
    )
    async with KeycloakRealm(**realm_params) as realm:
        authz_client = await realm.authz(client_id='my-client')
        # do something


if __name__ == '__main__':
    import asyncio

    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

KeycloakAuthz.entitlement(token)

Client applications can use a specific endpoint to obtain a special security token called a requesting party token (RPT). This token consists of all the entitlements (or permissions) for a user as a result of the evaluation of the permissions and authorization policies associated with the resources being requested. With an RPT, client applications can gain access to protected resources at the resource server.

http://www.keycloak.org/docs/latest/authorization_services/index.html#_service_entitlement_api

Return type:

dict
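A resource server that receives an RPT has to decide from its claims whether a request is allowed. The following is an added example, not part of python-keycloak-client: a deny-by-default check over the authorization.permissions claim of an RPT whose signature has already been verified. The helper names, the sample claims and the rule that a required scope must be listed explicitly are assumptions of this example.

```python
import time

# Keycloak 3.x names these fields resource_set_id / resource_set_name;
# later releases use rsid / rsname. Accept both spellings.
_RESOURCE_KEYS = ('rsid', 'rsname', 'resource_set_id', 'resource_set_name')


def rpt_permissions(claims):
    """Return the permission entries of an RPT, or [] if the claim is malformed."""
    authorization = claims.get('authorization')
    if not isinstance(authorization, dict):
        return []
    permissions = authorization.get('permissions')
    if not isinstance(permissions, list):
        return []
    return [p for p in permissions if isinstance(p, dict)]


def rpt_allows(claims, resource, scope=None, now=None):
    """Deny-by-default check: does this RPT grant `scope` on `resource`?
    `claims` must come from an RPT whose signature was already verified.
    `resource` is matched against both the resource id and its name.
    """
    now = time.time() if now is None else now
    exp = claims.get('exp')
    if not isinstance(exp, (int, float)) or exp <= now:
        return False  # missing or past expiry
    if not isinstance(resource, str) or not resource:
        return False  # never match entries that lack an id or name
    for perm in rpt_permissions(claims):
        if resource not in [perm.get(key) for key in _RESOURCE_KEYS]:
            continue
        scopes = perm.get('scopes')
        if not isinstance(scopes, list):
            scopes = []  # a bare string would allow substring matches
        # Assumption of this example: a required scope must be listed explicitly.
        if scope is None or scope in scopes:
            return True
    return False


# Constructed sample claims, shaped like a decoded RPT payload.
SAMPLE_CLAIMS = {
    'exp': 2000000000,
    'authorization': {'permissions': [
        {'rsid': 'a1b2', 'rsname': 'invoice-42', 'scopes': ['view']},
        {'resource_set_id': 'c3d4', 'resource_set_name': 'report-7'},
    ]},
}
```

The check only interprets claims; verifying the token signature against the realm's keys has to happen before the claims are passed in.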

Admin API

Manage Realms, Clients, Roles, Users etc.

http://www.keycloak.org/docs-api/3.4/rest-api/index.html

The admin API client can be retrieved from the realm object.

from keycloak.realm import KeycloakRealm


realm = KeycloakRealm(server_url='https://example.com', realm_name='my_realm')

admin_client = realm.admin

Async

from keycloak.aio.realm import KeycloakRealm


async def main(loop=None):
    realm_params = dict(
        server_url='https://example.com',
        realm_name='my_realm',
        loop=loop
    )
    async with KeycloakRealm(**realm_params) as realm:
        admin_client = realm.admin
        # do something


if __name__ == '__main__':
    import asyncio

    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

Realms

Currently there is no actual functionality available for Realm management. However, this endpoint is the entry point for all other clients.

realm = realm.admin.realms.by_name('realm-name')

Clients

Manage clients

clients = realm.admin.realms.by_name('realm-name').clients

The following methods can be accessed:

Clients.all()

Roles

Manage client roles

roles = realm.admin.realms.by_name('realm-name').clients.by_id('#client id').roles

The following methods are available:

Actions on a specific role

role = realm.admin.realms.by_name('realm-name').clients.by_id('#client id').roles.by_name('role-name')

The following methods are available:

Users

Manage users in a REALM

users = realm.admin.realms.by_name('realm-name').users

The following methods are available:

Users.create(username, **kwargs)

Create a user in Keycloak

http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource

Parameters:
  • username (str) –
  • credentials (object) – (optional)
  • first_name (str) – (optional)
  • last_name (str) – (optional)
  • email (str) – (optional)
  • enabled (boolean) – (optional)

UMA (User-Managed Access)

The UMA client can be retrieved from the realm object.

http://www.keycloak.org/docs/latest/authorization_services/index.html#_service_overview

from keycloak.realm import KeycloakRealm


realm = KeycloakRealm(server_url='https://example.com', realm_name='my_realm')

uma_client = realm.uma()

Async

from keycloak.aio.realm import KeycloakRealm


async def main(loop=None):
    realm_params = dict(
        server_url='https://example.com',
        realm_name='my_realm',
        loop=loop
    )
    async with KeycloakRealm(**realm_params) as realm:
        uma_client = realm.uma()
        # do something


if __name__ == '__main__':
    import asyncio

    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

Resource Set management

KeycloakUMA.resource_set_create(token, name, **kwargs)

Create a resource set.

https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#rfc.section.2.2.1

Parameters:
  • token (str) – client access token
  • id (str) – Identifier of the resource set
  • name (str) –
  • uri (str) – (optional)
  • type (str) – (optional)
  • scopes (list) – (optional)
  • icon_url (str) – (optional)
  • DisplayName (str) – (optional)
  • ownerManagedAccess (boolean) – (optional)
  • owner (str) – (optional)
Return type:

str

KeycloakUMA.resource_set_update(token, id, name, **kwargs)

Update a resource set.

https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#update-resource-set

Parameters:
  • token (str) – client access token
  • id (str) – Identifier of the resource set
  • name (str) –
  • uri (str) – (optional)
  • type (str) – (optional)
  • scopes (list) – (optional)
  • icon_url (str) – (optional)
Return type:

str

KeycloakUMA.resource_set_read(token, id)

Read a resource set.

https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#read-resource-set

Parameters:
  • token (str) – client access token
  • id (str) – Identifier of the resource set
Return type:

dict

KeycloakUMA.resource_set_delete(token, id)

Delete a resource set.

https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#delete-resource-set

Parameters:
  • token (str) – client access token
  • id (str) – Identifier of the resource set

KeycloakUMA.resource_set_list(token, **kwargs)

List resource sets.

https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html#list-resource-sets

Parameters:
  • token (str) – client access token
  • name (str) – (optional)
  • uri (str) – (optional)
  • owner (str) – (optional)
  • type (str) – (optional)
  • scope (str) – (optional)
Return type:

list
