## User Management (Keycloak)
Interaction with Keycloak using Keycloak's python client and Identity API.

In [1]:
import jwt
import json
from getpass import getpass
from keycloak import KeycloakPostError
from identityutils.keycloak_client import KeycloakClient
import requests
import urllib3

urllib3.disable_warnings()

base_domain = "develop.eoepca.org"
platform_domain = f"identity.keycloak.{base_domain}"
server_url = f"https://{platform_domain}"
realm = "master"
dummy_service_url = f"https://identity.dummy-service.{base_domain}"
identity_api_url = f"https://identity.api.{base_domain}"

## Client
We instantiate an object to interact with the Keycloak.

In [2]:
admin_password = getpass("Admin password: ")
keycloak = KeycloakClient(
    server_url=server_url,
    realm=realm,
    username="admin",
    password=admin_password,
)

## User Authentication
User authenticates and the client receives an ID Token (JWT) that represents the user, and is used to identify the user in UMA authorization flows.

#### Create Users
Create two users, an Eric and Alice both with user role.

In [3]:
eric_id = keycloak.create_user("eric", "eric", ["user"])
print("Created Eric user with id: " + eric_id)
alice_id = keycloak.create_user("alice", "alice", ["user"])
print("Created Alice user with id: " + alice_id)

Created Eric user with id: fc4cae76-b1e1-4f26-b7c4-a13306d9a844
Created Alice user with id: 0db66175-4a94-4d12-a2b3-ffbe74bbbcc3


#### Inspect Eric User Token

In [4]:
token = keycloak.get_user_token("eric", "eric")
print("Eric token:\n" + json.dumps(token, indent = 2))
eric_access_token = token["access_token"]
jwt_header = jwt.get_unverified_header(eric_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(eric_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE3MDI5MTI3MDksImlhdCI6MTcwMjkxMjY0OSwianRpIjoiY2I4ODFkY2EtMDkyNS00OWY0LWI5MjItYTlhMzAwOGYwNzcyIiwiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS5rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsInN1YiI6ImZjNGNhZTc2LWIxZTEtNGYyNi1iN2M0LWExMzMwNmQ5YTg0NCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsInNlc3Npb25fc3RhdGUiOiIyN2VlZjU0OC01NDJkLTRkOTctYTRlZC0yNTY3YzZlNjYxMTciLCJhY3IiOiIxIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6IjI3ZWVmNTQ4LTU0MmQtNGQ5Ny1hNGVkLTI1NjdjNmU2NjExNyIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiZXJpYyJ9.j9t5v0XhpON2oOB-hSZX6tE6TKl7rueQdcJ5OEsm0B6tEHUdL5c6dfbernjs5XgBCa6Ou7RZ3RvoDzlsErws3EzrZCumT-gvRzT-Ae-QO-8vCxo9iHwsFeVwObr8uQ1hwfOUTLkU5qleBd5HeYqEEtbNIvzVum2juXpStuBU3Z87ke1hUjY9V6BmLYE6sCumRa1jn5M-hRPe0063ox2woAPfW8mdk-K2OxK-S_BCMF-lQ-r1tnOnOlFR2QNRYDJgmhBRhS7uwInfoSo2phdHfE9FZwYPqVsoGggGNBiEgp

#### Inspect Alice User Token

In [5]:
token = keycloak.get_user_token("alice", "alice")
print("Eric token:\n" + json.dumps(token, indent = 2))
alice_access_token = token["access_token"]
jwt_header = jwt.get_unverified_header(alice_access_token)
print("JWT Header:\n" + json.dumps(jwt_header, indent = 2))
jwt_payload = jwt.decode(alice_access_token, options={"verify_signature": False})
print("JWT Payload:\n" + json.dumps(jwt_payload, indent = 2))

Eric token:
{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE3MDI5MTI3MTIsImlhdCI6MTcwMjkxMjY1MiwianRpIjoiZGYyZTExYTItMzhmNi00ODNhLThlNTUtYTcyZDM2OTc1MzBlIiwiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS5rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsInN1YiI6IjBkYjY2MTc1LTRhOTQtNGQxMi1hMmIzLWZmYmU3NGJiYmNjMyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsInNlc3Npb25fc3RhdGUiOiJmNWU5YzM2Mi01YmMzLTRmMDUtYTZiMC0zYTZhZmNkZmE4NTQiLCJhY3IiOiIxIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6ImY1ZTljMzYyLTViYzMtNGYwNS1hNmIwLTNhNmFmY2RmYTg1NCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWxpY2UifQ.VIhbvEL6uwYtkJnrijXMzeTU1ONyG3uUAS5j_oE9Gn-JdRZJYkNztq7HKowshkJmGpQH8JDYUEYI1XWUKKX_XIPGRirmv0eO27QaIzNY3AVjWFAjcdStcTpUwjQNot5MmBwsdRaSzvz0aRhVMI9ofWtMNVeZfHUZ6GBtiCJV191CyGbQ7qt5Z4ve3oUpG32UqfgwOedum2DMgRKlD_-dpJYNQVPTyGUgs2xXKyqpZIAczjSo-ZgI45H9v1u9dl3oE0j_GSxEiSSVDv-AO8c5Rv8hh7xK6nwqi_8XmKUn

The ID Token (JWT) identifies the user via user_name / sub (Subject) fields, and the client via the aud (Audience) field. The JWT is signed and can be verified, using the kid (Key ID) field, via the JWKS endpoint of the Authorization Server.

## Protect resources
Access a protected resources using UMA flow.

#### Assign premium role to Eric
Roles are used to define policies that will protect resources based on roles - Role-based access control (RBAC)

In [6]:
realm_role = keycloak.create_realm_role('user-premium')
print("Created realm role: " + realm_role)
keycloak.assign_realm_roles_to_user(eric_id, realm_role)
print("Assigned " + realm_role + " role to Eric")

Created realm role: user-premium
Assigned user-premium role to Eric


#### Register client
Register demo client

In [7]:
client_id = "demo"
client_secret= "mpmhQOGEG4ocamf49HomRjPxILfpgVs6"
client_payload = {
    "clientId": client_id,
    "secret": client_secret,
    "name": "Demo client",
    "description": "Client used on demo notebook",
    "serviceAccountsEnabled": True,
    "directAccessGrantsEnabled": True,
    "authorizationServicesEnabled": True
}
keycloak.create_client(client_payload, skip_exists=True)
print("Created client: demo")

Created client: demo


## Protect URIs
Right now, resources are protected by a default policy, which grants access to users within the realm.
Let's see how Keycloak protects resources using role based and user based policies.

#### Register resources
Register

In [8]:
resources = [
    {
        "name": "Premium resource",
        "uri": "/protected/premium/*"
    },
    {
        "name": "Eric space",
        "uri": "/eric/*"
    },
    {
        "name": "Alice space",
        "uri": "/alice/*"
    }
]
keycloak.register_resources(client_id, resources, skip_exists=True)

[{'msg': 'Already exists'},
 {'msg': 'Already exists'},
 {'msg': 'Already exists'}]

#### Register policies
Register role based and user based policies

In [9]:
policy = {
    "name": 'Only Premium User Policy',
    "roles": [
        {
            "id": "user-premium"
        }
    ]
}
p = keycloak.register_role_policy(client_id, policy, skip_exists=True)
print("Only Premium User Policy:")
print(p)

policy = {
    "name": 'Only Eric User Policy',
    "users": [eric_id]
}
p = keycloak.register_user_policy(client_id, policy)
print("Only Eric User Policy:")
print(p)

policy = {
    "name": 'Only Alice User Policy',
    "users": [alice_id]
}
p = keycloak.register_user_policy(client_id, policy)
print("Only Alice User Policy:")
print(p)

Only Premium User Policy:
{'error': 'Policy with name [Only Premium User Policy] already exists', 'error_description': 'Conflicting policy'}
Only Eric User Policy:
{'error': 'Policy with name [Only Eric User Policy] already exists', 'error_description': 'Conflicting policy'}
Only Alice User Policy:
{'error': 'Policy with name [Only Alice User Policy] already exists', 'error_description': 'Conflicting policy'}


#### Register resource permissions
Resources permissions are set by assigning policies to resources.

In [10]:
permissions = [
    {
        "name": "Premium permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Premium resource"
        ],
        "policies": [
            "Only Premium User Policy"
        ]
    },
    {
        "name": "Eric space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Eric space"
        ],
        "policies": [
            "Only Eric User Policy"
        ]
    },
    {
        "name": "Alice space permission",
        "type": "resource",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "resources": [
            "Alice space"
        ],
        "policies": [
            "Only Alice User Policy"
        ]
    }
]
r = keycloak.assign_resources_permissions(client_id, permissions, skip_exists=True)
print(r)

[{'msg': 'Already exists'}, {'msg': 'Already exists'}, {'msg': 'Already exists'}]


#### Get PAT (Protection API token)
PAT (Protection API token) is used to access Keycloak's Protection API, which manages resources and policies.

In [11]:
pat = keycloak.generate_protection_pat(client_id, client_secret)
print(json.dumps(pat, indent=2))
access_token = pat['access_token']

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE3MDI5MTI3NDMsImlhdCI6MTcwMjkxMjY4MywianRpIjoiYmU3NjdhNDgtMjZiMS00ZTNkLTliMDEtNTgxOTVkMDEzYmY0IiwiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS5rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiJkMTNhNTQ3ZS1lZWU0LTQ4ODUtOTQwZC0yMzhiNWNkNzA3ZTMiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJkZW1vIiwiYWNyIjoiMSIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLW1hc3RlciIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJkZW1vIjp7InJvbGVzIjpbInVtYV9wcm90ZWN0aW9uIl19LCJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsImNsaWVudEhvc3QiOiIxMC40Mi4yLjAiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzZXJ2aWNlLWFjY291bnQtZGVtbyIsImNsaWVudEFkZHJlc3MiOiIxMC40Mi4yLjAiLCJjbGllbnRfaWQiOiJkZW1vIn0.SM3141uOlwpxJwp5-EAfp8mvFAt

### Get Resource Ids

In [12]:
# it's possible to query resources by many fields, including name and uri
premium_resource_id = keycloak.get_resource_id(client_id, client_secret, name="Premium resource")[0]
print("Premium resource: " + premium_resource_id)
eric_resource_id = keycloak.get_resource_id(client_id, client_secret, uri="/eric/*")[0]
print("Eric resource: " + eric_resource_id)
alice_resource_id = keycloak.get_resource_id(client_id, client_secret, uri="/alice/*")[0]
print("Alice resource: " + alice_resource_id)

Premium resource: 94fbe823-052c-447f-9055-c6d735af5cb7
Eric resource: 0ed7d734-4eca-493d-b9e1-ad42dacaf124
Alice resource: cb659df6-e071-4c80-9b0c-66f2ea274ab4


#### Get UMA access token for eric space resource for both Eric and Alice

In [13]:
uma_ticket = keycloak.create_permission_ticket(client_id, client_secret, resources=[eric_resource_id])['ticket']
print('UMA ticket for resource ' + eric_resource_id + ':\n' + uma_ticket)
eric_access_token = keycloak.get_user_token("eric", "eric", client_id=client_id, client_secret=client_secret)['access_token']
eric_rpt = keycloak.get_rpt(client_id, client_secret, "/eric/*", eric_access_token, uma_ticket)['access_token']
print('Eric RPT:\n' + str(eric_rpt))

UMA ticket for resource 0ed7d734-4eca-493d-b9e1-ad42dacaf124:
eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiM2QxNjAzYy03MDNhLTQxMTktODliNC1jNzRhZDliMjA3ZDMifQ.eyJleHAiOjE3MDI5MTI3NzMsIm5iZiI6MCwiaWF0IjoxNzAyOTEyNzEzLCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6IjBlZDdkNzM0LTRlY2EtNDkzZC1iOWUxLWFkNDJkYWNhZjEyNCJ9XSwianRpIjoiNTgzMzZiZDYtMzJhMS00ZTIzLWFiOGUtN2M1NmU3YWRlY2I0LTE3MDI5MTI3MTM3NTEiLCJhdWQiOiJodHRwczovL2lkZW50aXR5LmtleWNsb2FrLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvbWFzdGVyIiwic3ViIjoiZDEzYTU0N2UtZWVlNC00ODg1LTk0MGQtMjM4YjVjZDcwN2UzIiwiYXpwIjoiZGVtbyJ9.6Agao7lNG8k2RLna72bO4g9XM-OB0rpo6SJdQq8hErk
Eric RPT:
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE3MDI5MTI3NzQsImlhdCI6MTcwMjkxMjcxNCwianRpIjoiNjlmMDE2ZWQtZWFkNi00ZGQ3LTkwYTAtNTI4MmI5MDFmMjNjIiwiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS5rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsImF1ZCI6ImRlbW8iLCJzdWIiOiJmYzRjYWU3Ni1iMWUxLTRmMjYtYjdjNC1hMTMzMDZkOWE4NDQiLCJ0eXAi

In [14]:
uma_ticket = keycloak.create_permission_ticket(client_id, client_secret, resources=[eric_resource_id])['ticket']
print('UMA ticket for resource ' + eric_resource_id + ':\n' + uma_ticket)
alice_access_token = keycloak.get_user_token("alice", "alice", client_id=client_id, client_secret=client_secret)['access_token']
try:
    alice_uma_access_token = keycloak.get_rpt(client_id, client_secret, "/eric/*", alice_access_token, uma_ticket)['access_token']
except KeycloakPostError as e:
    print(str(e))

UMA ticket for resource 0ed7d734-4eca-493d-b9e1-ad42dacaf124:
eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJiM2QxNjAzYy03MDNhLTQxMTktODliNC1jNzRhZDliMjA3ZDMifQ.eyJleHAiOjE3MDI5MTI3ODAsIm5iZiI6MCwiaWF0IjoxNzAyOTEyNzIwLCJwZXJtaXNzaW9ucyI6W3sicnNpZCI6IjBlZDdkNzM0LTRlY2EtNDkzZC1iOWUxLWFkNDJkYWNhZjEyNCJ9XSwianRpIjoiNWUwZmRhNmUtZTMxYS00ZjEzLTk1MDQtMWVkMmNiNGNjODZjLTE3MDI5MTI3MjA0OTIiLCJhdWQiOiJodHRwczovL2lkZW50aXR5LmtleWNsb2FrLmRldmVsb3AuZW9lcGNhLm9yZy9yZWFsbXMvbWFzdGVyIiwic3ViIjoiZDEzYTU0N2UtZWVlNC00ODg1LTk0MGQtMjM4YjVjZDcwN2UzIiwiYXpwIjoiZGVtbyJ9.UqeYTNCWvx3oHZ6N96FLNVy7XfxddQ6_0BXWKjbZe2A
403: b'{"error":"access_denied","error_description":"request_submitted"}'


Trying to get a UMA token for Alice results in a 403 Forbidden Error. The reason being Alice is not allowed to access the `/eric/*` resource because it's protected for only `eric` user.

## Identity API

#### Get Resources

In [18]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/resources?client_id=" + client_id + "&client_secret=" + client_secret
print("GET " + url)
response = requests.get(url, headers=headers)
try:
    print(json.dumps(response.json(), indent=2))
except:
    print(response)

GET https://identity.api.develop.eoepca.org/resources?client_id=demo&client_secret=mpmhQOGEG4ocamf49HomRjPxILfpgVs6
[{'name': 'Alice space', 'owner': {'id': '571e3d66-a65e-4b65-a264-f6da6b1b1c32', 'name': 'demo'}, 'ownerManagedAccess': False, 'attributes': {}, '_id': 'cb659df6-e071-4c80-9b0c-66f2ea274ab4', 'uris': ['/alice/*']}, {'name': 'Default Resource', 'type': 'urn:demo:resources:default', 'owner': {'id': '571e3d66-a65e-4b65-a264-f6da6b1b1c32', 'name': 'demo'}, 'ownerManagedAccess': False, 'attributes': {}, '_id': '20f201ae-8b45-437c-9cc2-276e60b4f79e', 'uris': ['/*']}, {'name': 'Eric space', 'owner': {'id': '571e3d66-a65e-4b65-a264-f6da6b1b1c32', 'name': 'demo'}, 'ownerManagedAccess': False, 'attributes': {}, '_id': '0ed7d734-4eca-493d-b9e1-ad42dacaf124', 'uris': ['/eric/*']}, {'name': 'Premium resource', 'owner': {'id': '571e3d66-a65e-4b65-a264-f6da6b1b1c32', 'name': 'demo'}, 'ownerManagedAccess': False, 'attributes': {}, '_id': '94fbe823-052c-447f-9055-c6d735af5cb7', 'uris': ['

#### Get resource by id

In [49]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
resource_id = keycloak.get_resource_id(client_id, client_secret, name="Default Resource")[0]
url = identity_api_url + "/resources/" + resource_id + "?client_id=" + client_id + "&client_secret=" + client_secret
print("GET " + url)
response = requests.get(url, headers=headers)
print(json.dumps(response.json(), indent=2))

GET https://identity.api.develop.eoepca.org/resources/20f201ae-8b45-437c-9cc2-276e60b4f79e?client_id=demo&client_secret=mpmhQOGEG4ocamf49HomRjPxILfpgVs6
{"name":"Default Resource","type":"urn:demo:resources:default","owner":{"id":"571e3d66-a65e-4b65-a264-f6da6b1b1c32"},"ownerManagedAccess":false,"attributes":{},"_id":"20f201ae-8b45-437c-9cc2-276e60b4f79e","uris":["/*"],"resource_scopes":[]}


#### Register resource

In [62]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = [
    {
        'name': 'A resource',
        'uris': ["/protected/*"],
        "permissions": {
            "authenticated": True
        },
    }
]
url = f"{identity_api_url}/{client_id}/resources"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

409
{'error': 'Policy with name [A resource Permission] already exists', 'error_description': 'Conflicting policy'}


#### Update resource

In [77]:
resource_id = keycloak.get_resource_id(client_id, client_secret, name="A resource")[0]
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "name": "A resource",
    "uris": ["/protect/*"],
    "attributes": "attribute",
    "scopes": ["view"],
    "ownerManagedAccess": True,
    "displayName": "Display name"
}
url = f"{identity_api_url}/{client_id}/resources/{resource_id}?client_id={client_id}&client_secret={client_secret}"
response = requests.put(url + "/" + resource_id, json=data, headers=headers)
print("PUT " + url)
print(str(response.status_code))
print(str(response.json()))

https://identity.api.develop.eoepca.org/demo/resources/75fe05f9-b0ca-42c2-96ef-e3ec37e979ea?client_id=demo&client_secret=mpmhQOGEG4ocamf49HomRjPxILfpgVs6
200
{}


#### Delete resource

In [78]:
resource_id = keycloak.get_resource_id(client_id, client_secret, name="A resource")[0]
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = f"{identity_api_url}/{client_id}/resources/{resource_id}?client_id={client_id}&client_secret={client_secret}"
response = requests.delete(url, headers=headers)
print("DELETE " + url)
print(str(response.status_code))
print(str(response.json()))

200
{}


#### Get client Policies

In [38]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/policies"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
[{'id': '06be4668-462e-4309-90e9-cb6bbd8878b8', 'name': 'Default Policy', 'description': 'A policy that grants access only for users within this realm', 'type': 'js', 'logic': 'POSITIVE', 'decisionStrategy': 'AFFIRMATIVE', 'config': {'code': '// by default, grants any permission associated with this policy\n$evaluation.grant();\n'}}, {'id': '127ccbab-ec76-418c-9563-09ca7d7cdd1c', 'name': 'Only Alice User Policy', 'type': 'user', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'config': {'users': '["0db66175-4a94-4d12-a2b3-ffbe74bbbcc3"]'}}, {'id': '9cf2c1dc-f418-4bfe-be1b-cf3c0fbab909', 'name': 'Only Eric User Policy', 'type': 'user', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'config': {'users': '["fc4cae76-b1e1-4f26-b7c4-a13306d9a844"]'}}, {'id': 'dd46fcf2-69e3-4736-8581-b3b0f774010e', 'name': 'Only Premium User Policy', 'type': 'role', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'config': {'roles': '[{"id":"7631b350-fa69-488f-9b2a-91bdaabf96b0","requir

#### create client Policy

In [79]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "My Policy",
    "clients": [
        client_id
    ],
    "description": "Client policy"
}
url = identity_api_url + "/" + client_id + "/policies/client"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': '193453f1-ff9b-4990-b8bf-9cc3a2d0ecc6', 'name': 'My Policy', 'description': 'Client policy', 'type': 'client', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'clients': ['demo']}


#### Create Aggregated policy

In [81]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Aggregated policy",
    "policies": ["My Policy"],
    "description": "Policy description"
}
url = identity_api_url + "/" + client_id + "/policies/aggregated"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': '2c4cdea0-6db1-4465-be36-6d410c66e9cb', 'name': 'Aggregated policy', 'description': 'Policy description', 'type': 'aggregate', 'policies': ['193453f1-ff9b-4990-b8bf-9cc3a2d0ecc6'], 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}


#### Create scope policy

In [103]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Scope Policy",
    "scopes": [
        "view"
    ],
    "description": "Policy description"
}
url = identity_api_url + "/" + client_id + "/policies/scope"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': '19adec74-c640-4737-960a-cbc193e45824', 'name': 'Scope Policy', 'description': 'Policy description', 'type': 'client-scope', 'scopes': ['45f057e7-51c7-4132-a701-88c25e2c61c5'], 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'owner': 'demo'}


#### Create group policy

In [110]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Group policy",
    "groups": ["0b86ce51-7027-4958-bac2-2d6af9ac3fbf"],
    "groupsClaim": "Groups claim",
    "description": "description"
}
url = identity_api_url + "/" + client_id + "/policies/group"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': 'd0ed6ce5-26b7-4ec6-9c35-5efd81804c2c', 'name': 'Group policy', 'description': 'description', 'type': 'group', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'groupsClaim': 'Groups claim', 'groups': [{'id': '0b86ce51-7027-4958-bac2-2d6af9ac3fbf', 'extendChildren': False}]}


#### - Create regex Policy

In [112]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Regex policy",
    "pattern": ".*",
    "targetClaim": "preferred_username",
    "description": "Match all usernames"
}
url = identity_api_url + "/" + client_id + "/policies/regex"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': 'a338c653-2872-49ca-a7ff-4cbce564a2f9', 'name': 'Regex policy', 'description': 'Match all usernames', 'type': 'regex', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'targetClaim': 'preferred_username', 'pattern': '.*'}


#### Create role policy

In [126]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Role policy",
    "roles": [
        {
            "id": "user-premium",
            "required": False
        }
    ],
    "description": "Role policy"
}
url = identity_api_url + "/" + client_id + "/policies/role"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': '907fdcbf-6661-4bf4-9256-9457cec4a817', 'name': 'Role policy', 'description': 'Role policy', 'type': 'role', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'roles': [{'id': '4de9c4f4-f490-45be-b7d1-c10089c422fa', 'required': True}]}


#### create time policy

In [128]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Time policy",
    "description": "description",
    "year": 2023,
    "yearEnd": 2024
}
url = identity_api_url + "/" + client_id + "/policies/time"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'id': '4db84b00-bf16-4b49-b75a-99b098203224', 'name': 'Time policy', 'description': 'description', 'type': 'time', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'year': '2023', 'yearEnd': '2024'}


#### Create user policy

In [163]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "User policy",
    "users": [
        "eric"
    ],
    "description": "test"
}
url = identity_api_url + "/" + client_id + "/policies/user"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))
policy_id = response.json()['id']

200
{'id': '170ae0e0-c6c8-4eed-9bc5-2d5dd08c67f7', 'name': 'User policy2', 'type': 'user', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'users': ['eric']}


#### Update policies
Change previous added user policy from users "eric" to "alice"

In [159]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "User policy",
    "description": "description",
    "users": [
        "alice"
    ],
}
url = identity_api_url + "/" + client_id + "/policies/user/" + policy_id
response = requests.put(url, json=data, headers=headers)
print("PUT " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200


#### Delete policies

In [166]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/policies/" + policy_id
response = requests.delete(url, headers=headers)
print("DELETE " + url)
print(str(response.status_code))

https://identity.api.develop.eoepca.org/demo/policies/170ae0e0-c6c8-4eed-9bc5-2d5dd08c67f7
200


#### Get client permissions

In [168]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

https://identity.api.develop.eoepca.org/demo/permissions
200
[{'id': '9e458c5b-0605-4120-be1f-115545b68640', 'name': 'Alice space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '78ecc1ca-8071-4223-865e-ab9f8e8d5202', 'name': 'A resource Permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '3a8ae4e3-4f8f-4aec-a14d-112bf974e81d', 'name': 'Default Permission', 'description': 'A permission that applies to the default resource type', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'resourceType': 'urn:demo:resources:default'}, {'id': '5dd3d48d-8140-4945-994d-60f8812b8c07', 'name': 'Eric space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '9b57e5a4-654c-4dd7-8d32-4c3af2fd06ad', 'name': 'Premium permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}]


#### Get client management permissions

In [170]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions/management"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))


https://identity.api.develop.eoepca.org/demo/permissions/management
200
{'enabled': False}


#### Get client resources permissions

In [172]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
url = identity_api_url + "/" + client_id + "/permissions/resources"
response = requests.get(url, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

https://identity.api.develop.eoepca.org/demo/permissions/resources
200
[{'id': '9e458c5b-0605-4120-be1f-115545b68640', 'name': 'Alice space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '78ecc1ca-8071-4223-865e-ab9f8e8d5202', 'name': 'A resource Permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '3a8ae4e3-4f8f-4aec-a14d-112bf974e81d', 'name': 'Default Permission', 'description': 'A permission that applies to the default resource type', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'resourceType': 'urn:demo:resources:default'}, {'id': '5dd3d48d-8140-4945-994d-60f8812b8c07', 'name': 'Eric space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '9b57e5a4-654c-4dd7-8d32-4c3af2fd06ad', 'name': 'Premium permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}]


#### Create client resources permissions

In [174]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "type": "resource",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "name": "Permission-Name 2",
    "resources": [
        "5bd655ec-2575-406e-aa08-28b1bd25f476"
    ],
    "policies": [
        "57d4a363-6b40-4dec-93e9-a46a1a8e492f"
    ]
}
url = identity_api_url + "/" + client_id + "/permissions/resources"
response = requests.get(url, json=data, headers=headers)
print("GET " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
[{'id': '9e458c5b-0605-4120-be1f-115545b68640', 'name': 'Alice space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '78ecc1ca-8071-4223-865e-ab9f8e8d5202', 'name': 'A resource Permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '3a8ae4e3-4f8f-4aec-a14d-112bf974e81d', 'name': 'Default Permission', 'description': 'A permission that applies to the default resource type', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS', 'resourceType': 'urn:demo:resources:default'}, {'id': '5dd3d48d-8140-4945-994d-60f8812b8c07', 'name': 'Eric space permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}, {'id': '9b57e5a4-654c-4dd7-8d32-4c3af2fd06ad', 'name': 'Premium permission', 'type': 'resource', 'logic': 'POSITIVE', 'decisionStrategy': 'UNANIMOUS'}]


#### Update client management permissions

In [179]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = {
    "enabled": True
}
url = identity_api_url + "/" + client_id + "/permissions/management"
response = requests.put(url, json=data, headers=headers)
print("PUT " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

200
{'enabled': False}


#### Register and Protect a Resource

In [187]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
data = [
    {
        "name": "Eric resource23233",
        "uris": ["/eric/*"],
        "permissions": {
            "user": ["eric"]
        }
    },
    {
        "name": "Alice resource3233",
        "uris": ["/alice/*"],
        "permissions": {
            "user": ["alice"]
        }
    }
]
url = identity_api_url + "/" + client_id + "/resources"
response = requests.post(url, json=data, headers=headers)
print("POST " + url)
print(str(response.status_code))
print(json.dumps(response.json(), indent=2))

https://identity.api.develop.eoepca.org/demo/resources
200
[
  {
    "name": "Eric resource23233",
    "owner": {
      "id": "571e3d66-a65e-4b65-a264-f6da6b1b1c32",
      "name": "demo"
    },
    "ownerManagedAccess": false,
    "attributes": {},
    "_id": "40763086-c344-4d9a-af77-e48da07bc927",
    "uris": [
      "/eric/*"
    ],
    "scopes": [
      {
        "id": "45f057e7-51c7-4132-a701-88c25e2c61c5",
        "name": "view"
      }
    ]
  },
  {
    "name": "Alice resource3233",
    "owner": {
      "id": "571e3d66-a65e-4b65-a264-f6da6b1b1c32",
      "name": "demo"
    },
    "ownerManagedAccess": false,
    "attributes": {},
    "_id": "e8e45fb7-2a5c-44a7-8880-f14f43b39b3e",
    "uris": [
      "/alice/*"
    ],
    "scopes": [
      {
        "id": "45f057e7-51c7-4132-a701-88c25e2c61c5",
        "name": "view"
      }
    ]
  }
]


#### Delete Resource and its policies and permissions

In [203]:
from urllib.parse import quote
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
resource_name = "Eric resource"
url = identity_api_url + "/" + client_id + "/resources/" + quote(resource_name) + "/all"
response = requests.delete(url, headers=headers)
print('DELETE ' + url)
print(response.status_code)
resource_name = "Alice resource"
url = identity_api_url + "/" + client_id + "/resources/" + quote(resource_name) + "/all"
response = requests.delete(url, headers=headers)
print('DELETE ' + url)
print(response.status_code)

DELETE https://identity.api.develop.eoepca.org/demo/resources/Eric%20resource/all
200
DELETE https://identity.api.develop.eoepca.org/demo/resources/Alice%20resource/all
200


#### Create client, create and protect resources in one endpoint

In [204]:
access_token = keycloak.get_user_token("admin", admin_password)["access_token"]
headers = {
    "Authorization": "Bearer " + access_token
}
payload = {
    "clientId": "dummy-service",
    "name": "Dummy Service",
    "description": "Client used for Dummy service",
    "resources": [
        {
            "name": "Eric space",
            "uris": ["/eric/*"],
            "permissions": {
                "user": ["eric"]
            }
        },
        {
            "name": "Alice space",
            "uris": ["/alice/*"],
            "permissions": {
                "user": ["alice"]
            }
        }
    ]
}
url = identity_api_url + '/clients'
response = requests.post(url, json=payload, headers=headers)
print("POST " + url)
print(response.status_code)
print(response.text)

POST https://identity.api.develop.eoepca.org/clients
200
{"client":"337ea293-e5ea-4d67-bb70-1f89fd774c39","resources":[{"name":"Eric space","owner":{"id":"337ea293-e5ea-4d67-bb70-1f89fd774c39","name":"dummy-service"},"ownerManagedAccess":false,"attributes":{},"_id":"cb7107a7-76ee-4559-943c-518ce9aed8d0","uris":["/eric/*"],"scopes":[{"id":"767cff43-ffb1-4fd7-a361-c2409565657f","name":"view","iconUri":""}]},{"name":"Alice space","owner":{"id":"337ea293-e5ea-4d67-bb70-1f89fd774c39","name":"dummy-service"},"ownerManagedAccess":false,"attributes":{},"_id":"89dcac93-335a-43be-8426-9389eb7dd892","uris":["/alice/*"],"scopes":[{"id":"767cff43-ffb1-4fd7-a361-c2409565657f","name":"view","iconUri":""}]}]}


## Bash Script
Execute script to create a client with protected resources

In [257]:
import subprocess
import urllib.request

with urllib.request.urlopen(
        "https://raw.githubusercontent.com/EOEPCA/um-identity-service/master/scripts/create-client.sh") as f:
    script = f.read().decode('utf-8')
    out = open("create-client.sh", "w")
    out.write(script)
    out.flush()

access_token = keycloak.get_user_token("admin", admin_password)["access_token"]

client_id = input("Client id: ")
client_name = "Test client"
client_description = "Test client from demo notebook"

script_args = ["create-client.sh",
                       "-e develop",
                       "-t " + access_token,
                       "--id=" + "\"" + client_id + "\"",
                       "--name=" + "\"" + client_name + "\"" ,
                       "--description=" + "\"" + client_description + "\"" ,
                       "--resource=\"Eric space\"", "--uris=/ericspace/*", "--users=eric",
                       "--resource=\"Alice space\"", "--uris=/alicespace/*", "--users=alice"
]
print("Executing script:\n" + ' '.join(script_args) + '\n')

#r = subprocess.run(script_args, shell=True, text=True, capture_output=True)
#print(r)

Executing script:
create-client.sh -e develop -t eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXZWFIY2pscThPc1RUYjdlV0s5SjJTTDFBUDIyazZpajdlMGFlVHRNU2xRIn0.eyJleHAiOjE3MDI5NDQwMDMsImlhdCI6MTcwMjk0Mzk0MywianRpIjoiYzIwZmRiZGUtYWUwNy00NzIzLWE3Y2YtN2RmZmY0MjllMmMzIiwiaXNzIjoiaHR0cHM6Ly9pZGVudGl0eS5rZXljbG9hay5kZXZlbG9wLmVvZXBjYS5vcmcvcmVhbG1zL21hc3RlciIsInN1YiI6ImUzZGUzMjRlLTBmNDUtNDFlMC05NmE3LTUzNWM5MTEwNTU1MiIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsInNlc3Npb25fc3RhdGUiOiIyOGM5NjE0NC1kZjJjLTRhNDEtYjg2MC1lYjhkNGE3ZDQ3YjQiLCJhY3IiOiIxIiwic2NvcGUiOiJvcGVuaWQgZW1haWwgcHJvZmlsZSIsInNpZCI6IjI4Yzk2MTQ0LWRmMmMtNGE0MS1iODYwLWViOGQ0YTdkNDdiNCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4ifQ.MYTW1XhMNpLmP7pnd9xRcoYnRxHz3YbTaPqIenLUqJcgNzj_cS-CdqxypvMzdGMGgP4k2DYYFmUbYRNj--6yEpj8nBlnPkq0dAQQO8IWTv7fFvI2q1z5k-QFvAFZIYWL3tiNEoxlf07lwlQc3WH4vNaKJGE2I6EbHxVCA09PS7MCtm2anaArMeCa9_rbeOwm9p1mnro-jc4WpRNf4YsJajrMU_P7pW07Cj7AjCpxVqViJX6ECSnNa3AZIjCBCQF-rYHqDv6-BlY5sHWknNDRxgxd