

Keycloak Admin REST APIを使ってみる (1)

Last updated at Posted at 2019-10-22

前提条件

・dockerインストール済
・jqインストール済
・AWS Workspaces (Amazon Linux2)

今回やること

アクセストークンを取得
ユーザーの情報取得
ユーザー追加

DockerでKeycloakを動かす

# AWS Workspaces environment only
# Add the following to the Docker daemon config (the JSON object under the
# `vi` command is the file's content, not a shell command).
$ sudo vi /etc/docker/daemon.json
{
    "dns": ["8.8.8.8", "8.8.4.4"]
}

$ sudo service docker restart

# Start Keycloak 7.0.0, container port 8080 published on host port 18080.
# NOTE(review): the admin user name/password are supplied as container
# environment variables (admin/admin) and `-p 18080:8080` publishes the port
# without a bind address, so it listens on every host interface; this is a
# throwaway local lab instance, not a setup to reuse with real credentials.
$ docker run -d -p 18080:8080 \
             -e KEYCLOAK_USER=admin \
             -e KEYCLOAK_PASSWORD=admin \
             --name keycloak \
             jboss/keycloak:7.0.0

Keycloak Admin REST APIのエンドポイント確認

# OIDC discovery document for the master realm. No token is sent; the
# token_endpoint / userinfo_endpoint values it lists are the ones used below.
$ curl http://localhost:18080/auth/realms/master/.well-known/openid-configuration | python -m json.tool

# 実行結果
{
    "authorization_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/auth",
    "check_session_iframe": "http://localhost:18080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
    "claim_types_supported": [
        "normal"
    ],
    "claims_parameter_supported": false,
    "claims_supported": [
        "aud",
        "sub",
        "iss",
        "auth_time",
        "name",
        "given_name",
        "family_name",
        "preferred_username",
        "email"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "end_session_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/logout",
    "grant_types_supported": [
        "authorization_code",
        "implicit",
        "refresh_token",
        "password",
        "client_credentials"
    ],
    "id_token_signing_alg_values_supported": [
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "RS512"
    ],
    "introspection_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token/introspect",
    "issuer": "http://localhost:18080/auth/realms/master",
    "jwks_uri": "http://localhost:18080/auth/realms/master/protocol/openid-connect/certs",
    "registration_endpoint": "http://localhost:18080/auth/realms/master/clients-registrations/openid-connect",
    "request_object_signing_alg_values_supported": [
        "ES384",
        "RS384",
        "ES256",
        "RS256",
        "ES512",
        "RS512",
        "none"
    ],
    "request_parameter_supported": true,
    "request_uri_parameter_supported": true,
    "response_modes_supported": [
        "query",
        "fragment",
        "form_post"
    ],
    "response_types_supported": [
        "code",
        "none",
        "id_token",
        "token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "scopes_supported": [
        "openid",
        "address",
        "email",
        "offline_access",
        "phone",
        "profile",
        "roles",
        "web-origins"
    ],
    "subject_types_supported": [
        "public",
        "pairwise"
    ],
    "tls_client_certificate_bound_access_tokens": true,
    "token_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token",
    "token_endpoint_auth_methods_supported": [
        "private_key_jwt",
        "client_secret_basic",
        "client_secret_post",
        "client_secret_jwt"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [
        "RS256"
    ],
    "token_introspection_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/userinfo",
    "userinfo_signing_alg_values_supported": [
        "ES384",
        "RS384",
        "HS256",
        "HS512",
        "ES256",
        "RS256",
        "HS384",
        "ES512",
        "RS512",
        "none"
    ]
}

管理ユーザーのアクセストークンを取得

# Resource Owner Password Credentials grant for the admin user through the
# admin-cli client on the master realm. The full token response
# (access_token, refresh_token, expires_in, ...) is pretty-printed to stdout.
# NOTE(review): the password travels on the command line, so it lands in
# shell history and is readable by other local users via ps; acceptable only
# for this local lab instance.
curl \
  --data-urlencode 'client_id=admin-cli' \
  --data-urlencode 'username=admin' \
  --data-urlencode 'password=admin' \
  --data-urlencode 'grant_type=password' \
  'http://localhost:18080/auth/realms/master/protocol/openid-connect/token' \
  | python -m json.tool

# 実行結果
{
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXYVZoeTJ5dHhaMHFUdTFSbE1ncXVseTgwdFVycGhxUHMtbnBkWmJ1LTdFIn0.eyJqdGkiOiI3NjUwZGNmNC0zNzI2LTQ0MzEtYTU5OC1hMDgwMDczNTRhYjUiLCJleHAiOjE1NTUyNDg2OTEsIm5iZiI6MCwiaWF0IjoxNTU1MjQ4NjMxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjE4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6ImRhYThhYzI5LWI2YzQtNDkwZC04Mjg5LWM0NTRlZDgzOGM4ZSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImI1OWQyYzkyLWUyYzktNDVhMi05OWQxLWQ0MTcxN2VkMDg5NSIsImFjciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.EyhGsYO4NDU10Zim5XDbZ2YqHGyKoX2vMoloNVjoyMCqk1Kx8rIlkT3b4w1XDt-FV3oZid43d6sp5sJQCzlPnj-oL8l-xju7dIPs3SD8ZV-jdTo_nrqtkb_xwrJd_6m-KYjCS0tyjwbkRCetKh5zPrXsXw8wbbJbPUWMEprPJYyT-CsOv__o7lSRQmL4ajhKj4bk1i-pKyYbiGX4EjVCmElCfILGjRlvM_S66eRly5VqNFz62Q7ER9SWkpDb98_L7Fx-3kQBR83y20g-VffXLgVMyKLeuSEnRuTx084accgDBgf5G6ECS8FULAhSIWhxu50PIO0q9z3KJlKAVXMjIA",
    "expires_in": 60,
    "not-before-policy": 0,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxYmVlNTdhNi01ZmNlLTQyOTctYjdiNi0xNDNmMGZkMzE1N2EifQ.eyJqdGkiOiI3NmFhZTA4Zi1mMjhiLTRkMWMtOTkxYS0wMGFjYjUzZTFkOGYiLCJleHAiOjE1NTUyNTA0MzEsIm5iZiI6MCwiaWF0IjoxNTU1MjQ4NjMxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjE4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiZGFhOGFjMjktYjZjNC00OTBkLTgyODktYzQ1NGVkODM4YzhlIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImI1OWQyYzkyLWUyYzktNDVhMi05OWQxLWQ0MTcxN2VkMDg5NSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.gx-wbmlvokZ8lKvrBRcmX1jfmhAl7Wz7rgbupj7ORO0",
    "scope": "email profile",
    "session_state": "b59d2c92-e2c9-45a2-99d1-d41717ed0895",
    "token_type": "bearer"
}

管理者ユーザーの情報取得

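# config
# NOTE: KEYCLOAK_CLIENT_ID / KEYCLOAK_CLIENT_SECRET hold the admin *user's*
# username and password; the OAuth client used below is admin-cli. The
# variable names are kept as in the rest of the article.
KEYCLOAK_URL=http://localhost:18080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=admin
KEYCLOAK_CLIENT_SECRET=admin

# Obtain an admin access token with the password grant.
# -sS: no progress meter on stderr, transport errors still reported.
# `.access_token // empty` turns a missing field (e.g. an invalid_grant error
# body) into an empty string instead of the literal text "null", so the
# ${TKN:?} check below catches a failed login.
# The password and the token are visible in shell history, in ps and in the
# environment of every child process once exported — local lab use only.
TKN=$(curl -sS -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "username=${KEYCLOAK_CLIENT_ID}" \
  --data-urlencode "password=${KEYCLOAK_CLIENT_SECRET}" \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token // empty')
export TKN
: "${TKN:?failed to obtain an access token from ${KEYCLOAK_URL}}"

# Resolve the user ID of username "admin" with $TKN.
# Fixes: the original passed the filter as a request body (-d) on a GET and
# extracted '.[].id.value'. GET /admin/realms/{realm}/users takes the filter
# as a ?username= query parameter (-G appends the --data-urlencode value to
# the URL), and each element's "id" is a plain string (see the sample output
# below), so '.id.value' is a jq error and KID ended up empty. The select()
# keeps only the exact username in case the search also returns partial
# matches, and -r strips the JSON quotes so the id can go into the URL path.
KID=$(curl -sS -G "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users" \
  --data-urlencode "username=${KEYCLOAK_CLIENT_ID}" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" \
  | jq -r --arg u "$KEYCLOAK_CLIENT_ID" '.[] | select(.username == $u) | .id')
export KID
: "${KID:?no user named ${KEYCLOAK_CLIENT_ID} found in realm ${KEYCLOAK_REALM}}"

# Fetch the representation of user "admin" in realm "master".
# NOTE(review): the sample output below is a JSON array, which is what
# GET .../users (no id in the path) returns; with a valid id in the path the
# response should be a single object — re-run to confirm.
curl -sS -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${KID}" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" | jq .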

# 実行結果
[
  {
    "id": "22926db7-7978-4bc2-835d-0ead1100d165",
    "createdTimestamp": 1571842137188,
    "username": "admin",
    "enabled": true,
    "totp": false,
    "emailVerified": false,
    "disableableCredentialTypes": [
      "password"
    ],
    "requiredActions": [],
    "notBefore": 0,
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    }
  }
]

ユーザー追加

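# config
# NOTE: KEYCLOAK_CLIENT_ID / KEYCLOAK_CLIENT_SECRET hold the admin *user's*
# username and password; the OAuth client used below is admin-cli. The
# variable names are kept as in the rest of the article.
KEYCLOAK_URL=http://localhost:18080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=admin
KEYCLOAK_CLIENT_SECRET=admin

# Obtain an admin access token with the password grant.
# -sS: no progress meter on stderr, transport errors still reported.
# `.access_token // empty` turns a missing field (e.g. an invalid_grant error
# body) into an empty string instead of the literal text "null", so the
# ${TKN:?} check below catches a failed login.
# The password and the token are visible in shell history, in ps and in the
# environment of every child process once exported — local lab use only.
TKN=$(curl -sS -X POST "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "username=${KEYCLOAK_CLIENT_ID}" \
  --data-urlencode "password=${KEYCLOAK_CLIENT_SECRET}" \
  -d 'grant_type=password' \
  -d 'client_id=admin-cli' | jq -r '.access_token // empty')
export TKN
: "${TKN:?failed to obtain an access token from ${KEYCLOAK_URL}}"

# Create user "user02" (enabled, no credentials yet).
# Fix: the original printed nothing on success, so a failed create (for
# example a conflict when the user already exists on a re-run) was invisible;
# -w appends the HTTP status after whatever body the server returns.
curl -sS \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TKN" \
  -d '{ "username" : "user02","enabled": true }' \
  -w '\nHTTP %{http_code}\n' \
  "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users"

# Look the new user up by username; the response is a JSON array of matches.
curl -sS \
  -X GET "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users?username=user02" \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" | jq .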


# 実行結果
[
  {
    "id": "bddbc398-e9f6-41ab-bd71-da1c7467be55",
    "createdTimestamp": 1571846272315,
    "username": "user02",
    "enabled": true,
    "totp": false,
    "emailVerified": false,
    "disableableCredentialTypes": [],
    "requiredActions": [],
    "notBefore": 0,
    "access": {
      "manageGroupMembership": true,
      "view": true,
      "mapRoles": true,
      "impersonate": true,
      "manage": true
    }
  }
]

参考URL

Keycloak Admin REST API
