前提条件
・dockerインストール済
・jqインストール済
・AWS Workspaces (Amazon Linux 2)
今回やること
アクセストークンを取得
ユーザーの情報取得
ユーザー追加
DockerでKeycloakを動かす
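# AWS Workspaces only: give the Docker daemon explicit DNS resolvers (the
# original has this step for that environment alone). Written with tee instead
# of an interactive vi session so the step can be replayed as-is; note this
# OVERWRITES an existing /etc/docker/daemon.json.
sudo tee /etc/docker/daemon.json >/dev/null <<'EOF'
{
  "dns": ["8.8.8.8", "8.8.4.4"]
}
EOF
sudo service docker restart

# Throw-away dev instance. The admin credentials are admin/admin and are reused
# by every curl call on this page. Anything passed with -e is readable through
# `docker inspect` by anyone who can reach the Docker socket, so do not use this
# form for a real password (the image also reads the password from a file via
# KEYCLOAK_PASSWORD_FILE — confirm that for tag 7.0.0). The port is published
# on all interfaces; use -p 127.0.0.1:18080:8080 if the host is reachable from
# the network.
docker run -d -p 18080:8080 \
  -e KEYCLOAK_USER=admin \
  -e KEYCLOAK_PASSWORD=admin \
  --name keycloak \
  jboss/keycloak:7.0.0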
Keycloak Admin REST APIのエンドポイント確認
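# OpenID Connect discovery document of the master realm. jq is a listed
# prerequisite and is what the rest of the page uses, so format with it here
# too. -sS hides the progress meter but keeps error messages; --fail turns an
# HTTP error into a non-zero exit instead of piping an HTML error page into jq.
curl -sS --fail "http://localhost:18080/auth/realms/master/.well-known/openid-configuration" | jq .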
# 実行結果
{
"authorization_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/auth",
"check_session_iframe": "http://localhost:18080/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"claim_types_supported": [
"normal"
],
"claims_parameter_supported": false,
"claims_supported": [
"aud",
"sub",
"iss",
"auth_time",
"name",
"given_name",
"family_name",
"preferred_username",
"email"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"end_session_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/logout",
"grant_types_supported": [
"authorization_code",
"implicit",
"refresh_token",
"password",
"client_credentials"
],
"id_token_signing_alg_values_supported": [
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"RS512"
],
"introspection_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token/introspect",
"issuer": "http://localhost:18080/auth/realms/master",
"jwks_uri": "http://localhost:18080/auth/realms/master/protocol/openid-connect/certs",
"registration_endpoint": "http://localhost:18080/auth/realms/master/clients-registrations/openid-connect",
"request_object_signing_alg_values_supported": [
"ES384",
"RS384",
"ES256",
"RS256",
"ES512",
"RS512",
"none"
],
"request_parameter_supported": true,
"request_uri_parameter_supported": true,
"response_modes_supported": [
"query",
"fragment",
"form_post"
],
"response_types_supported": [
"code",
"none",
"id_token",
"token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"scopes_supported": [
"openid",
"address",
"email",
"offline_access",
"phone",
"profile",
"roles",
"web-origins"
],
"subject_types_supported": [
"public",
"pairwise"
],
"tls_client_certificate_bound_access_tokens": true,
"token_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token",
"token_endpoint_auth_methods_supported": [
"private_key_jwt",
"client_secret_basic",
"client_secret_post",
"client_secret_jwt"
],
"token_endpoint_auth_signing_alg_values_supported": [
"RS256"
],
"token_introspection_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/token/introspect",
"userinfo_endpoint": "http://localhost:18080/auth/realms/master/protocol/openid-connect/userinfo",
"userinfo_signing_alg_values_supported": [
"ES384",
"RS384",
"HS256",
"HS512",
"ES256",
"RS256",
"HS384",
"ES512",
"RS512",
"none"
]
}
管理ユーザーのアクセストークンを取得
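# Admin access token via the Resource Owner Password grant of the built-in
# public client "admin-cli". The form body is fed on stdin (-d @-) so the
# password does not appear on the curl command line, where `ps` and the shell
# history would show it; admin/admin matches the docker run above. The values
# are not URL-encoded by this printf, which is fine for "admin". -sS --fail
# surfaces HTTP errors instead of formatting an error page. The response holds
# both an access_token and a refresh_token, so treat the terminal output as a
# secret.
printf 'client_id=admin-cli&grant_type=password&username=%s&password=%s' \
  admin admin \
  | curl -sS --fail -d @- \
      "http://localhost:18080/auth/realms/master/protocol/openid-connect/token" \
  | jq .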
# 実行結果
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJXYVZoeTJ5dHhaMHFUdTFSbE1ncXVseTgwdFVycGhxUHMtbnBkWmJ1LTdFIn0.eyJqdGkiOiI3NjUwZGNmNC0zNzI2LTQ0MzEtYTU5OC1hMDgwMDczNTRhYjUiLCJleHAiOjE1NTUyNDg2OTEsIm5iZiI6MCwiaWF0IjoxNTU1MjQ4NjMxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjE4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsInN1YiI6ImRhYThhYzI5LWI2YzQtNDkwZC04Mjg5LWM0NTRlZDgzOGM4ZSIsInR5cCI6IkJlYXJlciIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImI1OWQyYzkyLWUyYzktNDVhMi05OWQxLWQ0MTcxN2VkMDg5NSIsImFjciI6IjEiLCJzY29wZSI6ImVtYWlsIHByb2ZpbGUiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIn0.EyhGsYO4NDU10Zim5XDbZ2YqHGyKoX2vMoloNVjoyMCqk1Kx8rIlkT3b4w1XDt-FV3oZid43d6sp5sJQCzlPnj-oL8l-xju7dIPs3SD8ZV-jdTo_nrqtkb_xwrJd_6m-KYjCS0tyjwbkRCetKh5zPrXsXw8wbbJbPUWMEprPJYyT-CsOv__o7lSRQmL4ajhKj4bk1i-pKyYbiGX4EjVCmElCfILGjRlvM_S66eRly5VqNFz62Q7ER9SWkpDb98_L7Fx-3kQBR83y20g-VffXLgVMyKLeuSEnRuTx084accgDBgf5G6ECS8FULAhSIWhxu50PIO0q9z3KJlKAVXMjIA",
"expires_in": 60,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxYmVlNTdhNi01ZmNlLTQyOTctYjdiNi0xNDNmMGZkMzE1N2EifQ.eyJqdGkiOiI3NmFhZTA4Zi1mMjhiLTRkMWMtOTkxYS0wMGFjYjUzZTFkOGYiLCJleHAiOjE1NTUyNTA0MzEsIm5iZiI6MCwiaWF0IjoxNTU1MjQ4NjMxLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjE4MDgwL2F1dGgvcmVhbG1zL21hc3RlciIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6MTgwODAvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiZGFhOGFjMjktYjZjNC00OTBkLTgyODktYzQ1NGVkODM4YzhlIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImFkbWluLWNsaSIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImI1OWQyYzkyLWUyYzktNDVhMi05OWQxLWQ0MTcxN2VkMDg5NSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.gx-wbmlvokZ8lKvrBRcmX1jfmhAl7Wz7rgbupj7ORO0",
"scope": "email profile",
"session_state": "b59d2c92-e2c9-45a2-99d1-d41717ed0895",
"token_type": "bearer"
}
管理者ユーザーの情報取得
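# config
# NOTE: despite their names, KEYCLOAK_CLIENT_ID / KEYCLOAK_CLIENT_SECRET hold
# the admin *user's* username and password for the password grant below; the
# OAuth client is the built-in public client "admin-cli". The names are kept
# so shells that already set them keep working.
KEYCLOAK_URL=http://localhost:18080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=admin
KEYCLOAK_CLIENT_SECRET=admin

# Admin access token (the token response above shows expires_in of 60 s, so
# re-run this if later calls start failing with 401). The form body goes in
# via stdin (-d @-) so the password is not on the curl command line (ps, shell
# history); -sS --fail makes HTTP errors visible instead of silently leaving
# TKN=null. printf does not URL-encode, which is fine for "admin".
TKN=$(printf 'grant_type=password&client_id=admin-cli&username=%s&password=%s' \
        "${KEYCLOAK_CLIENT_ID}" "${KEYCLOAK_CLIENT_SECRET}" \
      | curl -sS --fail -d @- \
          -H "Content-Type: application/x-www-form-urlencoded" \
          "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
      | jq -r '.access_token')
[[ -n "$TKN" && "$TKN" != null ]] || echo "failed to obtain access token" >&2
export TKN

# Look up the user ID of username "admin" with $TKN.
# The username filter is a query parameter; the original passed it as a request
# body together with -X GET, which is not how the admin API takes the filter.
# The filter is a search and may also match e.g. "admin2", so select the exact
# username in jq. "id" is a plain string (see 実行結果 below), so the original
# '.[].id.value' errored out; -r drops the quotes so KID can be put in a URL.
KID=$(curl -sS --fail \
        -H "Accept: application/json" \
        -H "Authorization: Bearer $TKN" \
        "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users?username=${KEYCLOAK_CLIENT_ID}" \
      | jq -r --arg u "${KEYCLOAK_CLIENT_ID}" '.[] | select(.username == $u) | .id')
[[ -n "$KID" ]] || echo "user ${KEYCLOAK_CLIENT_ID} not found" >&2
export KID

# Fetch the representation of user "admin" in realm "master".
# NOTE: /users/{id} returns a single JSON object; the array shown under
# 実行結果 below is the shape returned by the list query (/users?username=...).
curl -sS --fail \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" \
  "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users/${KID}" | jq .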
# 実行結果
[
{
"id": "22926db7-7978-4bc2-835d-0ead1100d165",
"createdTimestamp": 1571842137188,
"username": "admin",
"enabled": true,
"totp": false,
"emailVerified": false,
"disableableCredentialTypes": [
"password"
],
"requiredActions": [],
"notBefore": 0,
"access": {
"manageGroupMembership": true,
"view": true,
"mapRoles": true,
"impersonate": true,
"manage": true
}
}
]
ユーザー追加
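# config
# NOTE: KEYCLOAK_CLIENT_ID / KEYCLOAK_CLIENT_SECRET are the admin *user's*
# username and password; the OAuth client is the built-in public client
# "admin-cli". Names kept for compatibility with shells that already set them.
KEYCLOAK_URL=http://localhost:18080/auth
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=admin
KEYCLOAK_CLIENT_SECRET=admin

# Admin access token (short-lived: expires_in is 60 s in the response shown
# earlier). Form body via stdin keeps the password out of ps / shell history;
# -sS --fail makes HTTP errors visible instead of leaving TKN=null.
TKN=$(printf 'grant_type=password&client_id=admin-cli&username=%s&password=%s' \
        "${KEYCLOAK_CLIENT_ID}" "${KEYCLOAK_CLIENT_SECRET}" \
      | curl -sS --fail -d @- \
          -H "Content-Type: application/x-www-form-urlencoded" \
          "${KEYCLOAK_URL}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/token" \
      | jq -r '.access_token')
[[ -n "$TKN" && "$TKN" != null ]] || echo "failed to obtain access token" >&2
export TKN

# Create the user. The JSON document is built with jq rather than by hand so a
# username containing quotes or braces cannot break the document (or smuggle
# extra attributes into it). Keycloak answers 201 with an empty body and the
# new user's URL in the Location header, so only the status line is printed;
# --fail turns 409 (username already taken) or 401 (expired token) into a
# visible error instead of silent output.
NEW_USER=user02
jq -n --arg u "${NEW_USER}" '{username: $u, enabled: true}' \
  | curl -sS --fail -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer $TKN" \
      -d @- \
      -w 'HTTP %{http_code}\n' \
      "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users"

# Verify via the list query. The username filter is a search, so the array may
# hold more than one entry if similar usernames exist.
curl -sS --fail \
  -H "Accept: application/json" \
  -H "Authorization: Bearer $TKN" \
  "${KEYCLOAK_URL}/admin/realms/${KEYCLOAK_REALM}/users?username=${NEW_USER}" | jq .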
# 実行結果
[
{
"id": "bddbc398-e9f6-41ab-bd71-da1c7467be55",
"createdTimestamp": 1571846272315,
"username": "user02",
"enabled": true,
"totp": false,
"emailVerified": false,
"disableableCredentialTypes": [],
"requiredActions": [],
"notBefore": 0,
"access": {
"manageGroupMembership": true,
"view": true,
"mapRoles": true,
"impersonate": true,
"manage": true
}
}
]