我有这个工作流程。我从keycloak获得一个带有admin用户名/密码的令牌到这个端点auth/realms/master/protocol/openid-connect/token使用此令牌,我请求连接到另一个领域的特定客户端的client-secret,而不是master。因此,我请求这个端点在报头中提供我的全新令牌作为这个端点auth/admin/realms/realm_name/clients/client_name/client-secret的承载我可以保密有了这个client-secret,我可以获得一个客户端令牌,请求客户端凭据到这个端点auth/realms/realm_name/protocol/openid-connect/token最后,我使用这个客户令牌来存放我的东西。我可以使用python-keycloak来获取管理令牌
keycloak_admin = KeycloakAdmin(server_url=url,
username='user',
password='password',
verify=True)
但是一旦我在这里,我不能有客户端的秘密,因为我的客户端不在管理领域。使用浏览器和我的常规管理员,我可以在领域和访问其他领域客户端之间进行更改。正如我所说,使用一组请求到特定的端点,我可以有我想要的工作,但我不知道如何使用python-keycloak。
非常感谢你的帮助。我想我已经说得够清楚了。对
我已经修复了这个问题。如果有人可能面临类似的问题非常类似的请求策略
关键是关注所需的端点,如果它是admin或openid
serv_url = "https://{keycloak_server}/auth/"
# Getting an admin token with admin user in master realm
keycloak_admin = KeycloakAdmin(server_url=serv_url,
username='user',
password='pass',
verify=True)
# Use that admin token to connect to other realm where client is located
insights_admin = KeycloakAdmin(server_url=serv_url,
realm_name='{realm_name}', client_id='{client_name}', verify=True,
custom_headers={
'Authorization': 'Bearer ' + keycloak_admin.token.get('access_token'),
'Content-Type': 'application/json'
})
# In order to get secret_key of acknowledge client, we neeed to request
# for keycloak id, not string name
client_id = insights_admin.get_client_id("{client_name}")
# With that id, we ca get client secret
secret = insights_admin.get_client_secrets(client_id)
# Finally with that client secret, we create a OpenID object as a regular
# "user" (client_name, secret_key), this is a little misleading, due to
# here we need client_name again, not keycloak id, which is required to get
# secret_key. In both cases, client_id is variable name to both methods
# but refer to different concepts
insights_client = KeycloakOpenID(server_url=serv_url, realm_name='{realm_name}', client_id="{client_name}",
client_secret_key=secret["value"], verify=True)
# And finally we ask for a token to identify that user, considering
# KeycloakOpenID already has client_name, secret_key tuple to identify itself
# we just need to inform that we are going to use "client_credentials" instead
# of default password authentication
return insights_client.token(grant_type="client_credentials")
被总结看起来很简单,但我花了很长时间才推断出来。我希望有人会觉得有趣,我可以节省一些时间给别人。
也许我错了,但我希望下面的方法能起作用:
keycloak_admin = KeycloakAdmin(server_url=serv_url,
username='user',
password='pass',
realm_name='{realm_name}',
user_realm_name='master',
verify=True)
获取客户端
client_id = keycloak_admin.get_client_id("{client_name}")
获取秘密:
secret = keycloak_admin.get_client_secrets(client_id)