## User Management (Keycloak)
Interaction with Keycloak using Keycloak's python client and Identity API.

In [1]:
import jwt
import json
from getpass import getpass
from keycloak import KeycloakPostError
from identityutils.keycloak_client import KeycloakClient
import requests
import urllib3

urllib3.disable_warnings()

base_domain = "apx.develop.eoepca.org"
keycloak_url = f"https://iam-auth.{base_domain}"
realm = "eoepca"
dummy_service_url = f"https://iam-test2.{base_domain}"
identity_api_url = f"https://identity-api.{base_domain}"

## Keycloak Client
We instantiate an object to interact with the Keycloak.

In [42]:
admin_password = getpass("Admin password: ")
#api_password = getpass("Identity API password: ")

keycloak = KeycloakClient(
    server_url=keycloak_url,
    realm=realm,
    username="user", # "admin",
    password=admin_password,
)

api_client = None

Admin password:  ········


## Identity API Account

In [43]:
from utils.auth import DeviceAuthAccount

identityApiAuth = DeviceAuthAccount(keycloak_url, "identity-api", "eBlG9c7IEKlCJglwVC7N8EGwZArl141h", message = "---- Login required for Identity API ----")

def get_identity_api_token():
    """ Gets a user token for accessing the identity-api using username/password authentication.
    """
    return identityApiAuth.get_token();
    # Old implementation with password authentication and without token renewal:
    #global api_client
    #if api_client is None:
    #    api_client = get_user_token("identity-api", api_password, "identity-api", "eBlG9c7IEKlCJglwVC7N8EGwZArl141h")["access_token"]
    #return api_client

# Request the identity API token here in order to trigger an initial device authentication flow.
# Unfortunately the authentication URL is currently only displayed in the cell output, but it is
# not opened automatically in the browser. This makes it easy to overlook and leaves room for
# improvement.
get_identity_api_token()

Requesting login...
---- Login required for Identity API ----
Please open this URI to log in: https://iam-auth.develop.eoepca.org/realms/eoepca/device?user_code=KPPA-HHWN


'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM4NjgsImlhdCI6MTczMDk5MzU2OCwiYXV0aF90aW1lIjoxNzMwOTkyODc4LCJqdGkiOiI4MjQ2OGNmNi05Njc3LTQ5ZGQtOTdmNy1mNTkyZDBmMDMzMTMiLCJpc3MiOiJodHRwczovL2lhbS1hdXRoLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvZW9lcGNhIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjM5OWQ1M2UyLWEyOGItNGE4OS1hMjdmLWVmNDFkOWY5YWM0NyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlkZW50aXR5LWFwaSIsInNlc3Npb25fc3RhdGUiOiJhN2I3ZTUwMy0wNDczLTQ2MGYtYjJhYS00NDk3NzcxMWYwZDAiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbIioiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwiZGVmYXVsdC1yb2xlcy1lb2VwY2EiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6ImE3YjdlNTAzLTA0NzMtNDYwZi1iMmFhLTQ0OTc3NzExZjBkMCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidy1zY2hvIiwiZW1haWwiOiJ3LXN

## Helper functions
This section contains local helper functions that are meant to simplify authentication.
Most of these should be moved to the Identity Utils or to some successor library.

In [44]:
from keycloak import KeycloakOpenIDConnection, KeycloakAdmin, KeycloakUMA, urls_patterns, ConnectionManager

def get_user_token(username, password, client_id="dummy", client_secret=None):
    """Gets a user token using username/password authentication for a certain client.
    """
    kc_client = keycloak
    scope = "openid profile"
    if client_id:
        openid_connection = KeycloakOpenIDConnection(
            server_url=kc_client.server_url,
            client_id=client_id,
            client_secret_key=client_secret,
            realm_name="eoepca",
            verify=kc_client.server_url.startswith('https'),
            timeout=10)
        client = KeycloakAdmin(connection=openid_connection)
        return client.connection.keycloak_openid.token(username, password, scope=scope)
    else:
        return kc_client.keycloak_admin.connection.keycloak_openid.token(username, password, scope=scope)

### Create Users
Create two users, an Eric and Alice both with user role.

In [45]:
eric_id = keycloak.create_user("eric", "eric", ["user"])
print("Created Eric user with id: " + eric_id)
alice_id = keycloak.create_user("alice", "alice", ["user"])
print("Created Alice user with id: " + alice_id)

Created Eric user with id: 060169bc-6794-46f3-8de9-24b61c2bd3a2
Created Alice user with id: f0c716f3-0274-47b4-a41d-c897b7071504


#### Inspect Eric User Token

In [46]:
token = get_user_token("eric", "eric")
print("Eric token:\n" + json.dumps(token, indent = 2))
eric_access_token = token["access_token"]
jwt_header = jwt.get_unverified_header(eric_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(eric_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM4OTEsImlhdCI6MTczMDk5MzU5MSwianRpIjoiMjgzODEwNDItZmQ2NC00MjQ0LTgxMmQtODgxOTQ3YzIwYTkxIiwiaXNzIjoiaHR0cHM6Ly9pYW0tYXV0aC5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL2VvZXBjYSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIwNjAxNjliYy02Nzk0LTQ2ZjMtOGRlOS0yNGI2MWMyYmQzYTIiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkdW1teSIsInNlc3Npb25fc3RhdGUiOiIzNjVjMWE1YS04MDllLTQzMWItYjQ4MS1mZTg1MWFmMjFkNmUiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbIi8qIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtZW9lcGNhIiwidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyLXByZW1pdW0iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6IjM2NWMxYTVhLTgwOWUtNDMxYi1iNDgxLWZlODUxYWYyMWQ2ZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1

#### Inspect Alice User Token

In [47]:
token = get_user_token("alice", "alice")
print("Alice token:\n" + json.dumps(token, indent = 2))
alice_access_token = token["access_token"]
jwt_header = jwt.get_unverified_header(alice_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(alice_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Alice token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM4OTgsImlhdCI6MTczMDk5MzU5OCwianRpIjoiYmI4NmZhZmEtNDI0OS00MzFjLTk0NjUtNmE3MGJkMzM0MjFlIiwiaXNzIjoiaHR0cHM6Ly9pYW0tYXV0aC5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL2VvZXBjYSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJmMGM3MTZmMy0wMjc0LTQ3YjQtYTQxZC1jODk3YjcwNzE1MDQiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkdW1teSIsInNlc3Npb25fc3RhdGUiOiI1ZDkyMDU1OS1kMTk1LTQ0MTgtODExYi1lZjk4MjM4NzhhOGQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbIi8qIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtZW9lcGNhIiwidW1hX2F1dGhvcml6YXRpb24iLCJ1c2VyIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6IjVkOTIwNTU5LWQxOTUtNDQxOC04MTFiLWVmOTgyMzg3OGE4ZCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxpY2UifQ.fjT

The ID Token (JWT) identifies the user via user_name / sub (Subject) fields, and the client via the aud (Audience) field. The JWT is signed and can be verified, using the kid (Key ID) field, via the JWKS endpoint of the Authorization Server.

## Protect resources
Access a protected resources using UMA flow.

#### Assign premium role to Eric
Roles are used to define policies that will protect resources based on roles - Role-based access control (RBAC)

In [8]:
realm_role = keycloak.create_realm_role('user-premium')
print("Created realm role: " + realm_role)
keycloak.assign_realm_roles_to_user(eric_id, realm_role)
print("Assigned " + realm_role + " role to Eric")

Created realm role: user-premium
Assigned user-premium role to Eric


#### Register client
Register demo client

In [9]:
client_id = "demo"
client_secret= "demo"
client_payload = {
    "clientId": client_id,
    "secret": client_secret,
    "name": "Demo client",
    "description": "Client used on demo notebook",
    "serviceAccountsEnabled": True,
    "directAccessGrantsEnabled": True,
    "authorizationServicesEnabled": True
}
keycloak.create_client(client_payload, skip_exists=True)
print("Created client: demo")

Created client: demo


## Protect URIs
Right now, resources are protected by a default policy, which grants access to users within the realm.
Let's see how Keycloak protects resources using role based and user based policies.

#### Register resources
Register

In [10]:
resources = [
    {
        "name": "Premium resource",
        "uri": "/protected/premium/*",
        "scopes": ["view"]
    },
    {
        "name": "Eric space",
        "uri": "/eric/*",
        "scopes": ["view"]
    },
    {
        "name": "Alice space",
        "uri": "/alice/*",
        "scopes": ["view"]
    }
]
keycloak.register_resources(client_id, resources, skip_exists=True)

[{'msg': 'Already exists'},
 {'msg': 'Already exists'},
 {'msg': 'Already exists'}]

#### Register policies
Register role based and user based policies

In [11]:
policy = {
    "name": 'Only Premium User Policy',
    "roles": [
        {
            "id": "user-premium"
        }
    ]
}
p = keycloak.register_role_policy(client_id, policy, skip_exists=True)
print("Only Premium User Policy:")
print(p)

policy = {
    "name": 'Only Eric User Policy',
    "users": [eric_id]
}
p = keycloak.register_user_policy(client_id, policy)
print("Only Eric User Policy:")
print(p)

policy = {
    "name": 'Only Alice User Policy',
    "users": [alice_id]
}
p = keycloak.register_user_policy(client_id, policy)
print("Only Alice User Policy:")
print(p)

Only Premium User Policy:
{'error': 'Policy with name [Only Premium User Policy] already exists', 'error_description': 'Conflicting policy'}
Only Eric User Policy:
{'error': 'Policy with name [Only Eric User Policy] already exists', 'error_description': 'Conflicting policy'}
Only Alice User Policy:
{'error': 'Policy with name [Only Alice User Policy] already exists', 'error_description': 'Conflicting policy'}


#### Register resource permissions
Resources permissions are set by assigning policies to resources.

In [12]:
permissions = [
    {
        "name": "Premium permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Premium resource"
        ],
        "policies": [
            "Only Premium User Policy"
        ]
    },
    {
        "name": "Eric space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Eric space"
        ],
        "policies": [
            "Only Eric User Policy"
        ]
    },
    {
        "name": "Alice space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Alice space"
        ],
        "policies": [
            "Only Alice User Policy"
        ]
    }
]
r = keycloak.assign_resources_permissions(client_id, permissions, skip_exists=True)
print(r)

[{'msg': 'Already exists'}, {'msg': 'Already exists'}, {'msg': 'Already exists'}]


#### Get PAT (Protection API token)
PAT (Protection API token) is used to access Keycloak's Protection API, which manages resources and policies.

In [13]:
pat = keycloak.generate_protection_pat(client_id, client_secret)
print(json.dumps(pat, indent=2))
access_token = pat['access_token']

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM2NjMsImlhdCI6MTczMDk5MzM2MywianRpIjoiNGVlYjI0NGQtYzRlZi00ODAzLTlhMDQtODVjYzQxYzEwNjI1IiwiaXNzIjoiaHR0cHM6Ly9pYW0tYXV0aC5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL2VvZXBjYSIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiIxODBhNzY5Yy1kZjJjLTQ3MmEtYTc3OC0wMDNiMzVmN2Y2MzAiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkZW1vIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsImRlZmF1bHQtcm9sZXMtZW9lcGNhIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJkZW1vIjp7InJvbGVzIjpbInVtYV9wcm90ZWN0aW9uIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJjbGllbnRIb3N0IjoiMTAuNDIuMi4wIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtZGVtbyIsImNsaWVudEFkZHJlc3MiOiIxMC40Mi4yLjAiLCJjbGllbnRfaWQiOiJkZW1vIn0.JqqVJKjGcsAOT-l2F4QbjrPipPXhOoWiiUX0xnA

### Get Resource Ids

In [14]:
# it's possible to query resources by many fields, including name and uri
premium_resource_id = keycloak.get_resource_id(client_id=client_id, client_secret=client_secret, name="Premium resource")[0]
print("Premium resource: " + premium_resource_id)
eric_resource_id = keycloak.get_resource_id(client_id=client_id, client_secret=client_secret, uri="/eric/*")[0]
print("Eric resource: " + eric_resource_id)
alice_resource_id = keycloak.get_resource_id(client_id=client_id, client_secret=client_secret, uri="/alice/*")[0]
print("Alice resource: " + alice_resource_id)

Premium resource: 0a73760f-18ea-4965-9d33-2beb34cbf102
Eric resource: d1852385-acd3-45be-a225-535a23380141
Alice resource: 2356569e-4f94-42c9-bb96-7de442c7c6bd


#### Get UMA access token for eric space resource for both Eric and Alice

In [15]:
uma_ticket = keycloak.create_permission_ticket(client_id=client_id, client_secret=client_secret, resources=[eric_resource_id])['ticket']
print('UMA ticket for resource ' + eric_resource_id + ':\n' + uma_ticket)
eric_access_token = get_user_token("eric", "eric", client_id, client_secret)['access_token']
eric_rpt = keycloak.get_rpt(client_id=client_id, client_secret=client_secret, uri="/eric/*", token=eric_access_token, ticket=uma_ticket)['access_token']
print('\nEric RPT:\n' + str(eric_rpt))

UMA ticket for resource d1852385-acd3-45be-a225-535a23380141:
eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlODc4YzU0Zi1iZDMwLTRlMGQtOWE0NS04ZGNkYmQ3ZWY3MDUifQ.eyJleHAiOjE3MzA5OTM2NjQsIm5iZiI6MCwiaWF0IjoxNzMwOTkzMzY0LCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6ImQxODUyMzg1LWFjZDMtNDViZS1hMjI1LTUzNWEyMzM4MDE0MSJ9XSwianRpIjoiNWFkODNkOWItZjI2NS00M2ZiLTg2YmItMWFmZWI0YTE1YzgzLTE3MzA5OTMzNjQ3MDUiLCJhdWQiOiJodHRwczovL2lhbS1hdXRoLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvZW9lcGNhIiwic3ViIjoiMTgwYTc2OWMtZGYyYy00NzJhLWE3NzgtMDAzYjM1ZjdmNjMwIiwiYXpwIjoiZGVtbyJ9.Ob9PlmPi_ZjI5HkFfk73gjYNnx7JEQ2jZBMiYLVuwAGrabNXnqE21FJhHl4lzATtBZHEllRJpvakcNHCZV4zVg

Eric RPT:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM2NjUsImlhdCI6MTczMDk5MzM2NSwianRpIjoiMzg2ZjViZjEtZjFmMy00MjE3LWJiMjgtNTExNWU3ZmZjNzQ4IiwiaXNzIjoiaHR0cHM6Ly9pYW0tYXV0aC5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL2VvZXBjYSIsImF1ZCI6ImRlbW8iLCJzdWIiOiIwNjAxNjliYy02Nzk0LTQ2ZjMtOGRlOS0yNGI2

In [16]:
uma_ticket = keycloak.create_permission_ticket(client_id=client_id, client_secret=client_secret,resources=[eric_resource_id])['ticket']
print('UMA ticket for resource ' + eric_resource_id + ':\n' + uma_ticket)
alice_access_token = get_user_token("alice", "alice", client_id, client_secret)['access_token']
try:
    alice_uma_access_token = keycloak.get_rpt(client_id=client_id, client_secret=client_secret, uri="/eric/*", token=alice_access_token, ticket=uma_ticket)['access_token']
except KeycloakPostError as e:
    print(str(e))

UMA ticket for resource d1852385-acd3-45be-a225-535a23380141:
eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJlODc4YzU0Zi1iZDMwLTRlMGQtOWE0NS04ZGNkYmQ3ZWY3MDUifQ.eyJleHAiOjE3MzA5OTM2NjUsIm5iZiI6MCwiaWF0IjoxNzMwOTkzMzY1LCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6ImQxODUyMzg1LWFjZDMtNDViZS1hMjI1LTUzNWEyMzM4MDE0MSJ9XSwianRpIjoiNzUzOThiYjYtOWQ5Zi00MDE5LTk3YTctNDljMjMxYWM3ODljLTE3MzA5OTMzNjU5MTIiLCJhdWQiOiJodHRwczovL2lhbS1hdXRoLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvZW9lcGNhIiwic3ViIjoiMTgwYTc2OWMtZGYyYy00NzJhLWE3NzgtMDAzYjM1ZjdmNjMwIiwiYXpwIjoiZGVtbyJ9.3uLQIZOt05zy-0VsUK-m9PtdBA7rebrLCDgFolT6S33yASOXcPIJGKIfY45_Mg1pjN4YlBDFpAhBzgFG3zsUxg
403: b'{"error":"access_denied","error_description":"request_submitted"}'


Trying to get a UMA token for Alice results in a 403 Forbidden Error. The reason being Alice is not allowed to access the `/eric/*` resource because it's protected for only `eric` user.

#### Use Eric UMA access token to access the eric space resource

In [17]:
resources = [
    {
        "name": "Eric space",
        "uri": "/eric/*",
        "scopes": ["view"]
    },
    {
        "name": "Alice space",
        "uri": "/alice/*",
        "scopes": ["view"]
    }
]

dummy_service_client = "demo-app" #"dummy-service"

keycloak.register_resources(dummy_service_client, resources, skip_exists=True)

policy = {
    "name": 'Only Eric User Policy',
    "users": [eric_id]
}
p = keycloak.register_user_policy(dummy_service_client, policy)
print("Only Eric User Policy:")
print(p)

policy = {
    "name": 'Only Alice User Policy',
    "users": [alice_id]
}
p = keycloak.register_user_policy(dummy_service_client, policy)
print("Only Alice User Policy:")
print(p)

permissions = [
    {
        "name": "Eric space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Eric space"
        ],
        "policies": [
            "Only Eric User Policy"
        ]
    },
    {
        "name": "Alice space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Alice space"
        ],
        "policies": [
            "Only Alice User Policy"
        ]
    }
]
r = keycloak.assign_resources_permissions(dummy_service_client, permissions, skip_exists=True)
print(r)

headers = {
    "cache-control": "no-cache",
    "Authorization": "Bearer " + eric_rpt
}
url = dummy_service_url + "/eric"
print('GET ' + url)
response = requests.get(url, headers=headers, verify=False)
print(str(response.status_code))

Only Eric User Policy:
{'error': 'Policy with name [Only Eric User Policy] already exists', 'error_description': 'Conflicting policy'}
Only Alice User Policy:
{'error': 'Policy with name [Only Alice User Policy] already exists', 'error_description': 'Conflicting policy'}
[{'msg': 'Already exists'}, {'msg': 'Already exists'}]
GET https://iam-test2.apx.develop.eoepca.org/eric
200


## Identity API

#### Get Resources

In [18]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/resources?client_id=" + client_id + "&client_secret=" + client_secret
print("GET " + url)
response = requests.get(url, headers=headers)
try:
    print(json.dumps(response.json(), indent=2))
except:
    print(response)

GET https://identity-api.apx.develop.eoepca.org/resources?client_id=demo&client_secret=demo
[
  {
    "name": "Alice resource3233",
    "owner": {
      "id": "cc0fbd8b-9c57-461a-8bb8-508b3826b8e0",
      "name": "demo"
    },
    "ownerManagedAccess": false,
    "attributes": {},
    "_id": "2356569e-4f94-42c9-bb96-7de442c7c6bd",
    "uris": [
      "/alice/*"
    ],
    "scopes": [
      {
        "id": "5ac98078-f8d3-4fef-8b95-f661a65e978f",
        "name": "view"
      }
    ]
  },
  {
    "name": "Alice space",
    "owner": {
      "id": "cc0fbd8b-9c57-461a-8bb8-508b3826b8e0",
      "name": "demo"
    },
    "ownerManagedAccess": false,
    "attributes": {},
    "_id": "93ab7012-bbdc-4336-ae48-fd9fb038dd17",
    "uris": [
      "/alice/*"
    ],
    "scopes": [
      {
        "id": "5ac98078-f8d3-4fef-8b95-f661a65e978f",
        "name": "view"
      }
    ]
  },
  {
    "name": "Default Resource",
    "type": "urn:demo:resources:default",
    "owner": {
      "id": "cc0fbd8b-9c57

#### Get resource by id

In [19]:
access_token = get_identity_api_token()
print(access_token)
headers = {
    "Authorization": "Bearer " + access_token
}
resource_id = keycloak.get_resource_id(client_id, client_secret, name="Default Resource")[0]
url = identity_api_url + "/resources/" + resource_id + "?client_id=" + client_id + "&client_secret=" + client_secret
print("GET " + url)
response = requests.get(url, headers=headers)
print(response)
print(response.text)
print(json.dumps(response.json(), indent=2))

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJHN1FSN01XenhRYXpYSUFKb1kxNENIeTlheTRWMUxsZWJCUjFwTWNGY2k4In0.eyJleHAiOjE3MzA5OTM2NTksImlhdCI6MTczMDk5MzM1OSwiYXV0aF90aW1lIjoxNzMwOTkyODc4LCJqdGkiOiIwOGU5NDFmZi1lOThhLTRjMGYtYjg0ZC03NTg1YzNmNGJhYTMiLCJpc3MiOiJodHRwczovL2lhbS1hdXRoLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvZW9lcGNhIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjM5OWQ1M2UyLWEyOGItNGE4OS1hMjdmLWVmNDFkOWY5YWM0NyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlkZW50aXR5LWFwaSIsInNlc3Npb25fc3RhdGUiOiJhN2I3ZTUwMy0wNDczLTQ2MGYtYjJhYS00NDk3NzcxMWYwZDAiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbIioiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwiZGVmYXVsdC1yb2xlcy1lb2VwY2EiLCJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6ImE3YjdlNTAzLTA0NzMtNDYwZi1iMmFhLTQ0OTc3NzExZjBkMCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoidy1zY2hvIiwiZW1haWwiOiJ3LXNj

#### Register resource

In [20]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = [
    {
        'name': 'A resource',
        'uris': ["/protected/*"],
        "permissions": {
            "authenticated": True
        },
    }
]
url = f"{identity_api_url}/{client_id}/resources"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/resources
200
[
  {
    "name": "A resource",
    "owner": {
      "id": "cc0fbd8b-9c57-461a-8bb8-508b3826b8e0",
      "name": "demo"
    },
    "ownerManagedAccess": false,
    "attributes": {},
    "_id": "b042c6ea-147d-4597-9477-b3d1cea082e0",
    "uris": [
      "/protected/*"
    ],
    "scopes": [
      {
        "id": "5ac98078-f8d3-4fef-8b95-f661a65e978f",
        "name": "view"
      }
    ]
  }
]


#### Update resource

In [21]:
resource_id = keycloak.get_resource_id(client_id, client_secret, name="A resource")[0]
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "name": "A resource",
    "uris": ["/protect/*"],
    "attributes": "attribute",
    "scopes": ["view"],
    "ownerManagedAccess": True,
    "displayName": "Display name"
}
url = f"{identity_api_url}/{client_id}/resources/{resource_id}?client_id={client_id}&client_secret={client_secret}"
response = requests.put(url + "/" + resource_id, json=data, headers=headers)
print("PUT " + url)
print(str(response.status_code))
print(str(response.json()))

PUT https://identity-api.apx.develop.eoepca.org/demo/resources/b042c6ea-147d-4597-9477-b3d1cea082e0?client_id=demo&client_secret=demo
200
{}


#### Delete resource

In [22]:
resource_id = keycloak.get_resource_id(client_id, client_secret, name="A resource")[0]
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = f"{identity_api_url}/{client_id}/resources/{resource_id}?client_id={client_id}&client_secret={client_secret}"
response = requests.delete(url, headers=headers)
print("DELETE " + url)
print(str(response.status_code))
print(str(response.json()))

DELETE https://identity-api.apx.develop.eoepca.org/demo/resources/b042c6ea-147d-4597-9477-b3d1cea082e0?client_id=demo&client_secret=demo
200
{}


#### Get client Policies

In [23]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/policies"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

GET https://identity-api.apx.develop.eoepca.org/demo/policies
200
[
  {
    "id": "2fe31cc5-f1bf-4a84-ba49-6c30a512c4fd",
    "name": "Aggregated policy",
    "description": "Policy description",
    "type": "aggregate",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {}
  },
  {
    "id": "515d9af3-9679-44c2-8776-3cbee8fd9945",
    "name": "Alice resource3233 User Policy",
    "type": "user",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {
      "users": "[\"f0c716f3-0274-47b4-a41d-c897b7071504\"]"
    }
  },
  {
    "id": "7a3a3df8-40bc-470d-90c4-f45cd1b44531",
    "name": "Default Policy",
    "description": "A policy that grants access only for users within this realm",
    "type": "js",
    "logic": "POSITIVE",
    "decisionStrategy": "AFFIRMATIVE",
    "config": {
      "code": "// by default, grants any permission associated with this policy\n$evaluation.grant();\n"
    }
  },
  {
    "id": "069f8717-2659-4e76-8e20-2d0d3b

#### create client Policy

In [24]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [
        client_id
    ],
    "description": "Client policy"
}
url = identity_api_url + "/" + client_id + "/policies/client"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/client
200
{
  "error": "Policy with name [My Policy] already exists",
  "error_description": "Conflicting policy"
}


#### Create Aggregated policy

In [25]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Aggregated policy",
    "policies": ["My Policy"],
    "description": "Policy description"
}
url = identity_api_url + "/" + client_id + "/policies/aggregated"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/aggregated
200
{
  "error": "Policy with name [Aggregated policy] already exists",
  "error_description": "Conflicting policy"
}


#### Create scope policy

In [26]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Scope Policy",
    "scopes": [
        "view"
    ],
    "description": "Policy description"
}
url = identity_api_url + "/" + client_id + "/policies/scope"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/scope
200
{
  "error": "Policy with name [Scope Policy] already exists",
  "error_description": "Conflicting policy"
}


#### Create group policy

TODO - group ID is hardcoded - should create a group and get the id

In [27]:
# # access_token = get_identity_api_token()
# access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
# headers = {
#     "Authorization": "Bearer " + access_token
# }
# # TODO should create a group and get the id
# data = {
#     "logic": "POSITIVE",
#     "decisionStrategy": "UNANIMOUS",
#     "name": "Group policy",
#     "groups": ["6d3614b0-b54b-4d42-811d-625425aa9e1a"],
#     "groupsClaim": "Groups claim",
#     "description": "description"
# }
# url = identity_api_url + "/" + client_id + "/policies/group"
# response = requests.post(url, json=data, headers=headers)
# print("POST " + url)
# print(str(response.status_code))
# print(json.dumps(response.json(), indent=2))

#### - Create regex Policy

In [28]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Regex policy",
    "pattern": ".*",
    "targetClaim": "preferred_username",
    "description": "Match all usernames"
}
url = identity_api_url + "/" + client_id + "/policies/regex"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/regex
200
{
  "error": "Policy with name [Regex policy] already exists",
  "error_description": "Conflicting policy"
}


#### Create role policy

In [29]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Role policy",
    "roles": [
        {
            "id": "user-premium",
            "required": False
        }
    ],
    "description": "Role policy"
}
url = identity_api_url + "/" + client_id + "/policies/role"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(response.text)
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/role
200
{"error":"Policy with name [Role policy] already exists","error_description":"Conflicting policy"}
{
  "error": "Policy with name [Role policy] already exists",
  "error_description": "Conflicting policy"
}


#### create time policy

In [30]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Time policy",
    "description": "description",
    "year": 2023,
    "yearEnd": 2024
}
url = identity_api_url + "/" + client_id + "/policies/time"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/policies/time
200
{
  "error": "Policy with name [Time policy] already exists",
  "error_description": "Conflicting policy"
}


#### Create user policy

In [31]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "User policy",
    "users": [
        "eric"
    ],
    "description": "test"
}
url = identity_api_url + "/" + client_id + "/policies/user"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))
policy_id = response.json()['id']

POST https://identity-api.apx.develop.eoepca.org/demo/policies/user
200
{
  "id": "5c58fca6-3af3-4542-9bef-bbe643796588",
  "name": "User policy",
  "description": "test",
  "type": "user",
  "logic": "POSITIVE",
  "decisionStrategy": "UNANIMOUS",
  "users": [
    "eric"
  ]
}


#### Update policies
Change previous added user policy from users "eric" to "alice"

In [32]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "User policy",
    "description": "description",
    "users": [
        "alice"
    ],
}
url = identity_api_url + "/" + client_id + "/policies/user/" + policy_id
response = requests.put(url, json=data, headers=headers)
print("PUT " + url)
print(str(response.status_code))

PUT https://identity-api.apx.develop.eoepca.org/demo/policies/user/5c58fca6-3af3-4542-9bef-bbe643796588
200


#### Delete policies

In [33]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/policies/" + policy_id
response = requests.delete(url, headers=headers)
print("DELETE " + url)
print(str(response.status_code))

DELETE https://identity-api.apx.develop.eoepca.org/demo/policies/5c58fca6-3af3-4542-9bef-bbe643796588
200


#### Get client permissions

In [34]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(response.text)
print(json.dumps(response.json(), indent=2))

GET https://identity-api.apx.develop.eoepca.org/demo/permissions
200
[{"id":"181e3047-06ff-49c2-86ff-ae09f760d117","name":"Alice resource3233 Permission","type":"resource","logic":"POSITIVE","decisionStrategy":"UNANIMOUS"},{"id":"400b255e-b0b5-45c0-81f7-ab64e804d533","name":"Alice space permission","type":"resource","logic":"POSITIVE","decisionStrategy":"UNANIMOUS"},{"id":"9f2384c8-6927-4ff4-b9cf-3e7f77beb40e","name":"Default Permission","description":"A permission that applies to the default resource type","type":"resource","logic":"POSITIVE","decisionStrategy":"UNANIMOUS","resourceType":"urn:demo:resources:default"},{"id":"9d147e1e-28cd-42dd-81a2-6db065fe78f5","name":"Eric resource23233 Permission","type":"resource","logic":"POSITIVE","decisionStrategy":"UNANIMOUS"},{"id":"e42598d3-a714-4e09-8901-732bbef18141","name":"Eric space permission","type":"resource","logic":"POSITIVE","decisionStrategy":"UNANIMOUS"},{"id":"70546fae-b20d-49ef-8105-fbed468b37a9","name":"Premium permission","ty

#### Get client management permissions

In [35]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions/management"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(response.text)
print(json.dumps(response.json(), indent=2))


GET https://identity-api.apx.develop.eoepca.org/demo/permissions/management
200
{"enabled":false}
{
  "enabled": false
}


#### Get client resources permissions

In [36]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions/resources"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

GET https://identity-api.apx.develop.eoepca.org/demo/permissions/resources
200
[
  {
    "id": "181e3047-06ff-49c2-86ff-ae09f760d117",
    "name": "Alice resource3233 Permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "400b255e-b0b5-45c0-81f7-ab64e804d533",
    "name": "Alice space permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "9f2384c8-6927-4ff4-b9cf-3e7f77beb40e",
    "name": "Default Permission",
    "description": "A permission that applies to the default resource type",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resourceType": "urn:demo:resources:default"
  },
  {
    "id": "9d147e1e-28cd-42dd-81a2-6db065fe78f5",
    "name": "Eric resource23233 Permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "e42598d3-a714-4e09-8901-732bbef18141",


#### Create client resources permissions

In [37]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name 2",
    "resources": [
        "5bd655ec-2575-406e-aa08-28b1bd25f476"
    ],
    "policies": [
        "57d4a363-6b40-4dec-93e9-a46a1a8e492f"
    ]
}
url = identity_api_url + "/" + client_id + "/permissions/resources"
response = requests.get(url, json=data, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

GET https://identity-api.apx.develop.eoepca.org/demo/permissions/resources
200
[
  {
    "id": "181e3047-06ff-49c2-86ff-ae09f760d117",
    "name": "Alice resource3233 Permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "400b255e-b0b5-45c0-81f7-ab64e804d533",
    "name": "Alice space permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "9f2384c8-6927-4ff4-b9cf-3e7f77beb40e",
    "name": "Default Permission",
    "description": "A permission that applies to the default resource type",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "resourceType": "urn:demo:resources:default"
  },
  {
    "id": "9d147e1e-28cd-42dd-81a2-6db065fe78f5",
    "name": "Eric resource23233 Permission",
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS"
  },
  {
    "id": "e42598d3-a714-4e09-8901-732bbef18141",


#### Update client management permissions

In [38]:
## Note: This cell currently leads to an Internal Server Error. (caused by NullPointerException in Keycloak)
#access_token = get_identity_api_token()
#headers = {
#    "Authorization": "Bearer " + access_token
#}
#data = {
#    "enabled": True
#}
#url = identity_api_url + "/" + client_id + "/permissions/management"
#response = requests.put(url, json=data, headers=headers)
#print("PUT " + url)
#print(str(response.status_code))
#print(json.dumps(response.json(), indent=2))

#### Register and Protect a Resource

In [39]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
data = [
    {
        "name": "Eric resource23233",
        "uris": ["/eric/*"],
        "permissions": {
            "user": ["eric"]
        }
    },
    {
        "name": "Alice resource3233",
        "uris": ["/alice/*"],
        "permissions": {
            "user": ["alice"]
        }
    }
]
url = identity_api_url + "/" + client_id + "/resources"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/demo/resources
409
{
  "error": "invalid_request",
  "error_description": "Resource with name [Eric resource23233] already exists."
}


#### Delete Resource and its policies and permissions

In [40]:
from urllib.parse import quote
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
resource_name = "Eric resource"
url = identity_api_url + "/" + client_id + "/resources/" + quote(resource_name) + "/all"
response = requests.delete(url, headers=headers)
print('DELETE ' + url)
print(response.status_code)
resource_name = "Alice resource"
url = identity_api_url + "/" + client_id + "/resources/" + quote(resource_name) + "/all"
response = requests.delete(url, headers=headers)
print('DELETE ' + url)
print(response.status_code)

DELETE https://identity-api.apx.develop.eoepca.org/demo/resources/Eric%20resource/all
200
DELETE https://identity-api.apx.develop.eoepca.org/demo/resources/Alice%20resource/all
200


#### Create client, create and protect resources in one endpoint

In [41]:
access_token = get_identity_api_token()
headers = {
    "Authorization": "Bearer " + access_token
}
payload = {
    "clientId": "dummy-service",
    "name": "Dummy Service",
    "description": "Client used for Dummy service",
    "resources": [
        {
            "name": "Eric space2",
            "uris": ["/eric/*"],
            "permissions": {
                "user": ["eric"]
            }
        },
        {
            "name": "Alice space2",
            "uris": ["/alice/*"],
            "permissions": {
                "user": ["alice"]
            }
        }
    ]
}
url = identity_api_url + '/clients'
response = requests.post(url, json=payload, headers=headers)
print("POST " + url)
print(response.status_code)
print(json.dumps(response.json(), indent=2))

POST https://identity-api.apx.develop.eoepca.org/clients
409
{
  "error": "invalid_request",
  "error_description": "Resource with name [Eric space2] already exists."
}
