## User Management (Keycloak)
Interaction with EOEPCA endpoint using python Demo Client.

In [31]:
import utils.DemoKeycloakClient as Client
import jwt
import json
import requests

base_domain = "develop.eoepca.org"
platform_domain = f"keycloak.{base_domain}"
server_url = f"https://{platform_domain}"
realm = "master"

## Client
We instantiate an object to interact with the platform. The object dynamically registers two Keycloak clients, one with admin privileges, another to act as a resource server to demo resources protection using UMA (User Managed Access).

In [32]:
keycloak = Client.DemoKeycloakClient(server_url, realm, "admin", "admin_Abcd1234#")

Created admin client:
{
  "id": "05b9cc34-5f93-4558-aa04-f73de87d664d",
  "clientId": "admin-demo",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "mTto72YrDYwSDLUBXdFX4spE2e3qN9fR",
  "redirectUris": [],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "client.secret.creation.time": "1684695784"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "id": "9beb8957-a54d-4da6-a032-ea3ff1eac433",
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper":

## User Authentication
User authenticates and the client receives an ID Token (JWT) that represents the user, and is used to identify the user in UMA authorization flows.

#### Create Users
Create two users, an Eric and Alice both with user role.

In [33]:
keycloak.create_realm_role('user')
eric_id = keycloak.create_user("eric", "eric", ["user"])
alice_id = keycloak.create_user("alice", "alice", ["user"])

Created user: 78519065-1da9-4105-b2d1-4e665079d2bf
Created user: e31e573f-80f6-4032-a08c-971943a60750


#### Authentication

#### Inspect Eric User Token

In [34]:
token = keycloak.get_user_token("eric", "eric", keycloak.keycloak_admin_openid)
print("Eric token:\n" + json.dumps(token, indent = 2))
eric_access_token = token['access_token']
jwt_header = jwt.get_unverified_header(eric_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(eric_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODQ3ODI1MjIsImlhdCI6MTY4NDc4MjQ2MiwianRpIjoiMWYzNDBjYmMtMWNlMC00NjE5LTg5MjItYWU4MjQ4ZjIxN2ZhIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI3ODUxOTA2NS0xZGE5LTQxMDUtYjJkMS00ZTY2NTA3OWQyYmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1kZW1vIiwic2Vzc2lvbl9zdGF0ZSI6ImNiNWNlNjZlLWYwNjMtNGZjZS1hNDE2LWVlN2Y4Njg2ZWQ5MCIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlci1wcmVtaXVtIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiJjYjVjZTY2ZS1mMDYzLTRmY2UtYTQxNi1lZTdmODY4NmVkOTAiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImVyaWMifQ.S1WQB8TvjShn

#### Inspect Alice User Token

In [35]:
token = keycloak.get_user_token("alice", "alice", keycloak.keycloak_admin_openid)
print("Eric token:\n" + json.dumps(token, indent = 2))
alice_access_token = token['access_token']
jwt_header = jwt.get_unverified_header(alice_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(alice_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODQ3ODI1MjIsImlhdCI6MTY4NDc4MjQ2MiwianRpIjoiODg3MjBkZGItYTFmZi00ZjhjLTlhOGQtZTNjMTAyOTljYzljIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJlMzFlNTczZi04MGY2LTQwMzItYTA4Yy05NzE5NDNhNjA3NTAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1kZW1vIiwic2Vzc2lvbl9zdGF0ZSI6IjJhMzFjZTQ5LWJjMDgtNDczOC1hYWU5LWQxN2I3NjljNjJkMiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiIyYTMxY2U0OS1iYzA4LTQ3MzgtYWFlOS1kMTdiNzY5YzYyZDIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFsaWNlIn0.gwEvT3RvBg8k3wSCEoAF_EBNo3SPcj5

The ID Token (JWT) identifies the user via user_name / sub (Subject) fields, and the client via the aud (Audience) field. The JWT is signed and can be verified, using the kid (Key ID) field, via the JWKS endpoint of the Authorization Server.

## Protect resource
Access a protected resource using UMA flow

#### Assign premium role to Eric
Roles are used to define policies that will protect resources based on roles - Role-based access control (RBAC)

In [36]:
keycloak.create_realm_role('user-premium')
keycloak.assign_realm_role_to_user(eric_id, 'user-premium')


Assigning role to user 78519065-1da9-4105-b2d1-4e665079d2bf:
{
  "id": "e3b328e8-7b42-40e0-b896-bf85b2221ade",
  "name": "user-premium",
  "composite": false,
  "clientRole": false,
  "containerId": "5b74dc7f-58f4-4273-8258-778ef3f9c6d5",
  "attributes": {}
}


#### Register resources
Register public and protected resources

In [37]:
keycloak.register_resources()

Created resource:
{
  "name": "Protected Resource",
  "icon_uri": "/protected/*"
}
Response: {'msg': 'Already exists'}
Created resource:
{
  "name": "Premium Resource",
  "uri": "/protected/premium/*"
}
Response: {'msg': 'Already exists'}
Created resource:
{
  "name": "Default Resource",
  "uri": "/*"
}
Response: {'msg': 'Already exists'}
Created resource:
{
  "name": "User Resource",
  "type": "user-resource"
}
Response: {'msg': 'Already exists'}


Right now, resources are protected by a default policy, which grants access to users within the realm.
Let's see how Keycloak protects resources using role based policies.

#### Register policies
Register role based policies

In [38]:
keycloak.register_policies()

Creating policy:
{
  "name": "Default Policy",
  "description": "A policy that grants access only for users within this realm",
  "type": "role",
  "logic": "POSITIVE",
  "decisionStrategy": "AFFIRMATIVE",
  "roles": [
    {
      "id": "user",
      "required": false
    }
  ]
}
Response: {'msg': 'Already exists'}
Creating policy:
{
  "name": "Only Premium User Policy",
  "type": "role",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "roles": [
    {
      "id": "user-premium",
      "required": false
    }
  ]
}
Response: {'msg': 'Already exists'}
Creating policy:
{
  "name": "Only User Policy",
  "type": "role",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "roles": [
    {
      "id": "user",
      "required": false
    }
  ]
}
Response: {'msg': 'Already exists'}


#### Register resource permissions
Resources permissions are set by assigning policies to resources.

In [39]:
keycloak.assign_resources_permissions()


 Creating resource permission: {
  "name": "Default Resource Permission",
  "type": "resource",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "resources": [
    "Default Resource"
  ],
  "policies": [
    "Default Policy"
  ]
}

Response: {'msg': 'Already exists'}

 Creating resource permission: {
  "name": "Premium Resource Permission",
  "type": "resource",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "resources": [
    "Premium Resource"
  ],
  "policies": [
    "Only Premium User Policy"
  ]
}

Response: {'msg': 'Already exists'}

 Creating resource permission: {
  "name": "Protected Resource Permission",
  "type": "resource",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "resources": [
    "Protected Resource"
  ],
  "policies": [
    "Only User Policy"
  ]
}

Response: {'msg': 'Already exists'}


#### Get PAT (Protection API token)
PAT (Protection API token) is used to access Keycloak's Protection API, which manages resources and policies.

In [40]:
pat = keycloak.generate_protection_pat()
print(json.dumps(pat, indent=2))
access_token = pat['access_token']

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODQ3ODI1MjQsImlhdCI6MTY4NDc4MjQ2NCwianRpIjoiNDViM2FiNTktZGFmZS00ZGY4LTgwMTAtZTMxMGU2YWQyM2YyIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI4ZDcxMzhkMC01YTdjLTRkZWItOGU3Ni1iMjc5MDgxODM4ZDAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJyZXNvdXJjZXMtZGVtbyIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiaHR0cDovL2xvY2FsaG9zdDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLW1hc3RlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJyZXNvdXJjZXMtZGVtbyI6eyJyb2xlcyI6WyJ1bWFfcHJvdGVjdGlvbiJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJlbWFpbCBwcm9maWxlIiwiY2xpZW50SG9zdCI6IjEwLjQyLjUuMCIsImNsaWVudElkIjoicmVzb3VyY2VzLWRlbW8iLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2U

### Get Resource Id
Get Premium Resource id

In [41]:
# it's possible to query resources by many fields, including name and uri
protected_resource_id = keycloak.get_resource_id_from_name("Premium Resource")[0]
print(protected_resource_id)
protected_resource_id = keycloak.get_resource_id_from_uri("/protected/premium/*")[0]
print(protected_resource_id)

b37822bc-5d2b-4a6e-8472-5e0a01e21c34
b37822bc-5d2b-4a6e-8472-5e0a01e21c34


#### Get UMA access token for premium resource for both Eric and Alice

In [42]:
uma_ticket = keycloak.create_permission_ticket(resources=[protected_resource_id])['ticket']
print('UMA ticket for resource ' + protected_resource_id + ':\n' + uma_ticket)
eric_access_token = keycloak.get_user_token("eric", "eric", keycloak.keycloak_uma_openid)['access_token']
eric_uma_access_token = keycloak.get_uma_token(eric_access_token, uma_ticket)
print('Eric UMA access token:\n' + str(eric_uma_access_token))

UMA ticket for resource b37822bc-5d2b-4a6e-8472-5e0a01e21c34:
eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiM2QxNjAzYy03MDNhLTQxMTktODliNC1jNzRhZDliMjA3ZDMifQ.eyJleHAiOjE2ODQ3ODI1MjEsIm5iZiI6MCwiaWF0IjoxNjg0NzgyNDYxLCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6ImIzNzgyMmJjLTVkMmItNGE2ZS04NDcyLTVlMGEwMWUyMWMzNCJ9XSwianRpIjoiNjQ2OTJmNTctZjkwYi00M2Q2LTg1NzUtNDc0NzMxYmE2NTBmLTE2ODQ3ODI0NjQ4MDEiLCJhdWQiOiJodHRwczovL2tleWNsb2FrLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvbWFzdGVyIiwic3ViIjoiOGQ3MTM4ZDAtNWE3Yy00ZGViLThlNzYtYjI3OTA4MTgzOGQwIiwiYXpwIjoicmVzb3VyY2VzLWRlbW8ifQ.9sb00kSYE9LAr9HQ6ZTFLnMmCunz-j1FPDt5TZ1gvzk
{
  "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
  "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  "claim_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODQ3ODI1MjUsImlhdCI6MTY4NDc4MjQ2NSwianRpIjoiNmY2YjBiNGEtMjQ4Mi00OTg2LWJmNjMtYjc0MmJjZjg0OWQ3IiwiaXNzIjoia

In [43]:
uma_ticket = keycloak.create_permission_ticket(resources=[protected_resource_id])['ticket']
print('UMA ticket for resource ' + protected_resource_id + '\n: ' + uma_ticket)
alice_access_token = keycloak.get_user_token("alice", "alice", keycloak.keycloak_uma_openid)['access_token']
alice_uma_access_token = keycloak.get_uma_token(alice_access_token, uma_ticket)
print('Alice UMA access token:\n' + str(alice_uma_access_token))

UMA ticket for resource b37822bc-5d2b-4a6e-8472-5e0a01e21c34
: eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiM2QxNjAzYy03MDNhLTQxMTktODliNC1jNzRhZDliMjA3ZDMifQ.eyJleHAiOjE2ODQ3ODI1MjEsIm5iZiI6MCwiaWF0IjoxNjg0NzgyNDYxLCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6ImIzNzgyMmJjLTVkMmItNGE2ZS04NDcyLTVlMGEwMWUyMWMzNCJ9XSwianRpIjoiNjg0YzMzYTctODM4Ny00YjI3LThhODEtNTNjMDllN2VjNDY0LTE2ODQ3ODI0NjU0NDUiLCJhdWQiOiJodHRwczovL2tleWNsb2FrLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvbWFzdGVyIiwic3ViIjoiOGQ3MTM4ZDAtNWE3Yy00ZGViLThlNzYtYjI3OTA4MTgzOGQwIiwiYXpwIjoicmVzb3VyY2VzLWRlbW8ifQ.IYGpGUsMe_vyXrMcyhXr1RBl7IHjDVBsVeblhiyeuy4
{
  "claim_token_format": "http://openid.net/specs/openid-connect-core-1_0.html#IDToken",
  "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
  "claim_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODQ3ODI1MjUsImlhdCI6MTY4NDc4MjQ2NSwianRpIjoiYTVkMWRhZDUtY2UzOC00ZjVhLTk3MTYtNTc0MjBmNjcwNmFiIiwiaXNzIjoi

KeycloakPostError: 403: b'{"error":"access_denied","error_description":"request_submitted"}'

#### Use Eric UMA access token to access the premium resource
The expected result is 200, meaning a successfuly access.

#### Use Alice UMA access token to access the premium resource
The expected result is 403, meaning Alice is not allowed to access the protected resource. Remember that the protected/premium/* resource is protected by a permission defined by a "premium-user" role based policy.

In [None]:
headers = {
    "cache-control": "no-cache",
    "Authorization": "Bearer " + alice_uma_access_token
}
res = requests.get('http://localhost:8080/protected/premium', headers=headers, verify=False)
print(str(res))