## User Management (Keycloak)
Interaction with EOEPCA endpoint using python Demo Client.

In [1]:
import utils.DemoKeycloakClient as Client
import jwt
import json
import requests
from keycloak import KeycloakPostError

base_domain = "develop.eoepca.org"
platform_domain = f"keycloak.{base_domain}"
server_url = f"https://{platform_domain}"
realm = "master"

## Client
We instantiate an object to interact with the platform. The object dynamically registers two Keycloak clients, one with admin privileges, another to act as a resource server to demo resources protection using UMA (User Managed Access).

In [2]:
keycloak = Client.DemoKeycloakClient(server_url, realm, "admin", "admin_Abcd1234#")

Created admin client:
{
  "id": "05b9cc34-5f93-4558-aa04-f73de87d664d",
  "clientId": "admin-demo",
  "surrogateAuthRequired": false,
  "enabled": true,
  "alwaysDisplayInConsole": false,
  "clientAuthenticatorType": "client-secret",
  "secret": "mTto72YrDYwSDLUBXdFX4spE2e3qN9fR",
  "redirectUris": [],
  "webOrigins": [],
  "notBefore": 0,
  "bearerOnly": false,
  "consentRequired": false,
  "standardFlowEnabled": true,
  "implicitFlowEnabled": false,
  "directAccessGrantsEnabled": true,
  "serviceAccountsEnabled": true,
  "authorizationServicesEnabled": true,
  "publicClient": false,
  "frontchannelLogout": false,
  "protocol": "openid-connect",
  "attributes": {
    "client.secret.creation.time": "1684695784"
  },
  "authenticationFlowBindingOverrides": {},
  "fullScopeAllowed": true,
  "nodeReRegistrationTimeout": -1,
  "protocolMappers": [
    {
      "id": "9beb8957-a54d-4da6-a032-ea3ff1eac433",
      "name": "Client ID",
      "protocol": "openid-connect",
      "protocolMapper":

## User Authentication
User authenticates and the client receives an ID Token (JWT) that represents the user, and is used to identify the user in UMA authorization flows.

#### Create Users
Create two users, an Eric and Alice both with user role.

In [3]:
keycloak.create_realm_role('user')
eric_id = keycloak.create_user("eric", "eric", ["user"])
alice_id = keycloak.create_user("alice", "alice", ["user"])

Created user: 78519065-1da9-4105-b2d1-4e665079d2bf
Created user: e31e573f-80f6-4032-a08c-971943a60750


#### Inspect Eric User Token

In [4]:
token = keycloak.get_user_token("eric", "eric")
print("Eric token:\n" + json.dumps(token, indent = 2))
eric_access_token = token['access_token']
jwt_header = jwt.get_unverified_header(eric_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(eric_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE2ODY1MDYzNzIsImlhdCI6MTY4NjUwNjMxMiwianRpIjoiMTdjMTRlN2EtYmMyYS00OTZhLTk0MDYtYjZlZjZiNjViMGFlIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI3ODUxOTA2NS0xZGE5LTQxMDUtYjJkMS00ZTY2NTA3OWQyYmYiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJhZG1pbi1kZW1vIiwic2Vzc2lvbl9zdGF0ZSI6ImZkMTA5YWY0LTliYWItNDI5OS04MjEzLWYyMTI4MDIyMzUwYiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiZGVmYXVsdC1yb2xlcy1tYXN0ZXIiLCJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIiwidXNlci1wcmVtaXVtIiwidXNlciJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUiLCJzaWQiOiJmZDEwOWFmNC05YmFiLTQyOTktODIxMy1mMjEyODAyMjM1MGIiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImVyaWMifQ.mT-hdPQOwK15

#### Inspect Alice User Token

In [5]:
token = keycloak.get_user_token("alice", "alice", keycloak.keycloak_admin_openid)
print("Eric token:\n" + json.dumps(token, indent = 2))
alice_access_token = token['access_token']
jwt_header = jwt.get_unverified_header(alice_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(alice_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

TypeError: DemoKeycloakClient.get_user_token() takes from 1 to 3 positional arguments but 4 were given

The ID Token (JWT) identifies the user via user_name / sub (Subject) fields, and the client via the aud (Audience) field. The JWT is signed and can be verified, using the kid (Key ID) field, via the JWKS endpoint of the Authorization Server.

## Protect resources
Access a protected resources using UMA flow

#### Assign premium role to Eric
Roles are used to define policies that will protect resources based on roles - Role-based access control (RBAC)

In [None]:
keycloak.create_realm_role('user-premium')
keycloak.assign_realm_role_to_user(eric_id, 'user-premium')

#### Register resources
Register protected resources

In [None]:
resources = [
    {
        "name": "Default Resource",
        "uri": "/*"
    },
    {
        'name': 'Protected Resource',
        'icon_uri': '/protected/*',
    },
    {
        "name": "Premium Resource",
        "uri": "/protected/premium/*"
    }
]
keycloak.register_resources(resources)

Right now, resources are protected by a default policy, which grants access to users within the realm.
Let's see how Keycloak protects resources using role based and user based policies.

#### Register policies
Register role based and user based policies

In [None]:
keycloak.register_role_policy("Only Premium User Policy", "user-premium")
keycloak.register_user_policy("Only Eric User Policy", [eric_id])

#### Register resource permissions
Resources permissions are set by assigning policies to resources.

In [None]:
permissions = [
    {
        "name": "Default Resource Permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Default Resource"
        ],
        "policies": [
            "Default Policy"
        ]
    },
    {
        "name": "Premium Resource Permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Premium Resource"
        ],
        "policies": [
            "Only Premium User Policy"
        ]
    },
    {
        "name": "Protected Resource Permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Protected Resource"
        ],
        "policies": [
            "Only User Policy"
        ]

    }
]
keycloak.assign_resources_permissions(permissions)

#### Get PAT (Protection API token)
PAT (Protection API token) is used to access Keycloak's Protection API, which manages resources and policies.

In [None]:
pat = keycloak.generate_protection_pat()
print(json.dumps(pat, indent=2))
access_token = pat['access_token']

### Get Resource Id
Get Premium Resource id

In [None]:
# it's possible to query resources by many fields, including name and uri
protected_resource_id = keycloak.get_resource_id(name="Premium Resource")[0]
print(protected_resource_id)
protected_resource_id = keycloak.get_resource_id(uri="/protected/premium/*")[0]
print(protected_resource_id)

#### Get UMA access token for premium resource for both Eric and Alice

In [None]:
uma_ticket = keycloak.create_permission_ticket(resources=[protected_resource_id])['ticket']
print('UMA ticket for resource ' + protected_resource_id + ':\n' + uma_ticket)
eric_access_token = keycloak.get_token("eric", "eric", keycloak.keycloak_uma_openid)['access_token']
eric_rpt = keycloak.get_rpt(eric_access_token, uma_ticket)['access_token']
print('Eric RPT:\n' + str(eric_rpt))

In [None]:
uma_ticket = keycloak.create_permission_ticket(resources=[protected_resource_id])['ticket']
print('UMA ticket for resource ' + protected_resource_id + ':\n' + uma_ticket)
alice_access_token = keycloak.get_user_token("alice", "alice", keycloak.keycloak_uma_openid)['access_token']
try:
    alice_uma_access_token = keycloak.get_uma_token(alice_access_token, uma_ticket)['access_token']
except KeycloakPostError as e:
    print(str(e))

Trying to get a UMA token for Alice results in a 403 Forbidden Error. The reason being Alice is not allowed to access the `/protected/premium/*` resource because it's protected by a `user-premium` role which Alice does not have.

#### Use Eric UMA access token to access the premium resource

In [None]:
headers = {
    "cache-control": "no-cache",
    "Authorization": "Bearer " + eric_rpt
}
premium_resource_url = "http://localhost:8080/protected/premium"
print('GET ' + premium_resource_url)
response = requests.get(premium_resource_url, headers=headers, verify=False)
print(str(response.status_code))

The expected result is 200, meaning a successfuly access to the protected resource by Eric.

In [None]:
token = keycloak.get_token("eric", "eric", keycloak.keycloak_uma_openid)['access_token']