The Keycloak Admin REST API Client, for Python!
Project description
mantelo: A Keycloak Admin REST Api Client for Python
✨✨ MANTELO is a super small yet super powerful tool for interacting with the Keycloak Admin API ✨✨
Mantelo [manˈtelo], from German "Mantel", from Late Latin "mantum" means "cloak" in Esperanto.
It stays always fresh and complete because it does not implement or wrap any endpoint. Instead, it offers an object-oriented interface to the Keycloak ReSTful API. Acting as a wrapper around the well-known requests library and using slumber under the hood, it abstracts all the boring stuff such as authentication (tokens and refresh tokens), URL handling, serialization, and the processing of requests. This magic is made possible by the excellent slumber library.
⮕ Any endpoint your Keycloak supports, mantelo supports!
- 🚀 Why mantelo?
- 🏁 Getting started
- 🔐 Authenticate to Keycloak
- 📡 Making calls
- 💀 Exceptions
- 🔧 Development
🚀 Why mantelo?
You may ask why using mantelo instead of writing your own requests wrapper, or another library such as python-keycloak. Here are some (non-exhaustive) arguments to help you make the right choice:
- mantelo only relies on 3 small packages.
- Contrary to other libraries such as python-keycloak, mantelo is always up-to-date and doesn't lack any endpoints.
- mantelo makes your code look nice and object-oriented, instead of having long hard-coded URL strings everywhere.
- mantelo abstracts away authentication (and refresh tokens), which is always tricky to get right.
- mantelo gives you access to the exact URL that was called, and the
requests.Response
in case of error, so debugging is easy. - mantelo is flexible: you can tweak it easily if you need to.
🏁 Getting started
To get started, install the package:
pip install mantelo
Now, assuming you have a Keycloak Server running, what's left is to:
- authenticate, see 🔐 Authenticate to Keycloak
- make calls, see 📡 Making calls
For a quick test-drive, use the docker-compose.yml included
in this repo and start a Keycloak server locally using docker compose up
.
Open a Python REPL and type:
from mantelo import KeycloakAdmin
c = KeycloakAdmin.from_credentials(
server_url="http://localhost:9090",
realm_name="master",
client_id="admin-cli",
username="admin",
password="admin",
)
# get the list of clients in realm "master"
c.clients.get()
# create a user
c.users.post({
"username": "test",
"enabled": True,
"credentials": [{"type": "password", "value": "test"}],
})
# get the user id
c.users.get(username="test")[0]["id"]
# ...
Here is the simplest example, assuming your Keycloak runs on http://localhost:8080
and you have
setup the admin user with the password admin
.
🔐 Authenticate to Keycloak
To authenticate to Keycloak, you can either use a username+password, or a service account (client ID+client secret).
The library takes care of fetching a token the first time you need it and keeping it fresh. By default, it tries to use the refresh token (if available) and always guarantees the token is valid for the next 30s.
IMPORTANT A client is meant to interact with a single realm, which can be different from the realm used for authentication.
Authenticating with username+password
Ensure your user has the right to interact with the endpoints you are interested in.
In doubt or for testing, you can either use the admin user (not recommended) or create
a user and assign it the realm-management:realm-admin
role (full access).
The default client admin-cli
can always be used for connection.
Here is how to connect to the default realm with the admin user and admin-cli
client:
from mantelo import KeycloakAdmin
client = KeycloakAdmin.from_credentials(
server_url="http://localhost:8080", # base Keycloak URL
realm_name="master",
# ↓↓ Authentication
client_id="admin-cli",
username="admin",
password="CHANGE-ME", # TODO
)
This client will be able to make calls only to the master
realm.
If you want to authenticate to a realm that is different from the one
you want to query, use the argument authentication_realm
:
from mantelo import KeycloakAdmin
client = KeycloakAdmin.from_credentials(
server_url="http://localhost:8080", # base Keycloak URL
realm_name="my-realm", # realm for querying
# ↓↓ Authentication
authentication_realm_name="master", # realm for authentication only
client_id="admin-cli",
username="admin",
password="CHANGE-ME",
)
Authenticating with a service account (client ID + secret)
To authenticate via a client, the latter needs:
- to have "Client authentication" enabled,
- to support the
Service accounts roles
authentication flow, - to have one or more service account roles granting access to Admin endpoints.
Go to your client's "Credentials" tab to find the client secret.
Here is how to connect with a client:
from mantelo import KeycloakAdmin
client = KeycloakAdmin.from_service_account(
server_url="http://localhost:8080", # base Keycloak URL
realm_name="master",
# ↓↓ Authentication
client_id="my-client-name",
client_secret="59c3c211-2e56-4bb8-a07d-2961958f6185",
)
This client will be able to make calls only to the master
realm.
If you want to authenticate to a realm that is different from the one
you want to query, use the argument authentication_realm
:
from mantelo import KeycloakAdmin
client = KeycloakAdmin.from_service_account(
server_url="http://localhost:8080", # base Keycloak URL
realm_name="my-realm", # realm for querying
# ↓↓ Authentication
authentication_realm_name="master", # realm for authentication only
client_id="my-client-name",
client_secret="59c3c211-2e56-4bb8-a07d-2961958f6185",
)
Other ways of authenticating
The supported authentication methods should be enough. If you need more, a pull request or an issue is welcome! But just in case, here are some ways to make it more complicated 😉.
To create a KeycloakAdmin
, you only need a method that returns a token. For example, you can use
an existing token directly (not recommended, as tokens are short-lived):
from mantelo.client import BearerAuth, KeycloakAdmin
KeycloakAdmin(
server_url="http://localhost:8080"
realm_name="master",
auth=BearerAuth(lambda: "my-token"),
)
If you want to go further, you can create your own Connection
class (or extend the
OpenidConnection
), and pass its .token
method to the BearerAuth
:
from mantelo.client import BearerAuth, KeycloakAdmin
connection = Connection(...)
KeycloakAdmin(
server_url="http://localhost:8080"
realm_name="master",
auth=BearerAuth(connection.token),
)
📡 Making calls
Once you have configured how to authenticate to Keycloak, the rest is easy-peasy.
mantelo starts with the URL <server-url>/admin/realms/<realm-name>
and constructs
the URL from there, depending on how you call the client.
The return value is the HTTP response content, parsed from JSON. In case of error, an
HttpException
with access to the raw response is available (see 💀 Exceptions).
Query parameters can be passed as kwargs
to .get
, .post
, etc.
.post
and .put
take the payload as first argument, or as the named argument data
.
Here are some examples of URL mapping (c
is the KeycloakAdmin
object):
call | URL |
---|---|
c.users.get() |
GET /admin/realms/{realm}/users |
c.users.get(search="foo bar") |
GET /admin/realms/{realm}/users?search=foo+bar |
c.users.count.get() |
GET /admin/realms/{realm}/users/count |
c.users("725209cd-9076-417b-a404-149a3fb8e35b").get() |
GET /admin/realms/{realm}/users/725209cd-9076-417b-a404-149a3fb8e35b |
c.users.post({"username": ...}) |
POST /admin/realms/{realm}/users/725209cd-9076-417b-a404-149a3fb8e35b |
c.users.post(foo=1, data={"username": ...}) |
POST /admin/realms/{realm}/users/725209cd-9076-417b-a404-149a3fb8e35b?foo=1 |
Here are some examples:
>> client.users.get()
[{'id': '8d83ecda-766d-4382-8f3a-4c5ac1962961',
'username': 'constant',
'firstName': 'Jasper',
'lastName': 'Fforde',
'email': 'j@f.uk',
'emailVerified': True,
'createdTimestamp': 1710273159287,
'enabled': True,
'totp': False,
'disableableCredentialTypes': [],
'requiredActions': [],
'notBefore': 0,
'access': {'manageGroupMembership': True,
'view': True,
'mapRoles': True,
'impersonate': False,
'manage': True}}]
>> client.users.count.get()
2
>> c.clients.get()
...
HttpException: (403, {'error': 'unknown_error', 'error_description': 'For more on this error consult the server log at the debug level.'}, 'http://localhost:9090/admin/realms/orwell/clients', <Response [403]>)
💀 Exceptions
If an error occurs during authentication, mantelo will raise an AuthenticationException
with the
error
and errorDescription
from Keycloak. All other exceptions are instances of HttpException
.
Here are some examples:
# Using an inexistant client
AuthenticationException(
error='invalid_client',
error_description='Invalid client or Invalid client credentials'
)
# Trying to access an endpoint without the proper permissions
HttpException(
status_code=403,
json={'error': 'unknown_error', 'error_description': 'For more on this error consult the server log at the debug level.'},
url='http://localhost:9090/admin/realms/orwell/clients',
response='<requests.Response>',
)
🔧 Development
Prerequisites:
- Python
- Docker
To work on this library locally, install the library in edit mode along with the dev dependencies:
# Use .[dev,test] to also install pytest and related libraries
pip install -e '.[dev]'
A Makefile is available for all the usual development tasks. Use help to list the available commands:
make help
Build
build Build the wheels and sdist.
Development
lint Run ruff to format and lint (inside docker).
test Run tests with tox (inside docker).
mypy Run mypy locally to check types.
export-realms Export test realms after changes in Keycloak Test Server.
Note that make test
automatically starts a Keycloak container if it isn't already running. You may
have to stop it manually. The test server is configured using the resources in tests/realms
and is
available at http://localhost:9090
. To start the Keycloak server yourself:
docker compose up --wait
You can run the tests directly using pytest
for faster development, just ensure you installed the
test dependencies (pip install -e '.[dev,test]'
) and Keycloak is running.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.