python-keycloak

Parametrize functions like get_clients() - feature request

Open JohannesRuc opened this issue 4 years ago • 5 comments

Hello everybody,

when using keycloak_admin.py, I (presumably) encountered some limitations.

Is there any way to query all clients or users when logged in to the master realm?

After the login is performed, the realm seems to be hard-coded; that is, a new login has to be performed if, for instance, get_clients() is supposed to retrieve the clients from a different realm. In addition, the user has to exist in the queried realm, i.e. an admin user must be present in all realms in which clients are to be retrieved. A single administrator in the master realm is apparently not sufficient.

Looking at keycloak_admin.py, the method outlined below depicts the issue:

    def get_clients(self):
        """
        Returns a list of clients belonging to the realm

        ClientRepresentation
        https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_clientrepresentation

        :return: Keycloak server response (ClientRepresentation)
        """

        params_path = {"realm-name": self.realm_name}
        data_raw = self.raw_get(URL_ADMIN_CLIENTS.format(**params_path))
        return raise_error_from_response(data_raw, KeycloakGetError)

In my opinion, it would be great if this method would be overloaded and an additional parameter "realm_name" would be introduced:

    def get_clients(self, realm_name):
        """
        Returns a list of clients belonging to the realm

        ClientRepresentation
        https://www.keycloak.org/docs-api/8.0/rest-api/index.html#_clientrepresentation

        :return: Keycloak server response (ClientRepresentation)
        """

        params_path = {"realm-name": realm_name}
        data_raw = self.raw_get(URL_ADMIN_CLIENTS.format(**params_path))
        return raise_error_from_response(data_raw, KeycloakGetError)

Then it would be possible to query clients, users, etc. from different realms with no need to perform additional logins or provision additional accounts. I tested the code above for get_clients() and get_users() and it works fine.

Am I missing something important in the documentation or is this really a lack of functionality?

Thank you very much and best regards Johannes

JohannesRuc, Jun 07 '21 12:06

Only Marcos might comment on that; I assume that it is just a missing shortcut. On the other hand, it will fail if the user does not have permissions for the realm, thus a login to the realm would show that. Using default argument realm_name=self.realm_name might avoid duplicate code.

double-a, Jun 07 '21 21:06

Hello @double-a, thanks for the reply.

> On the other hand, it will fail if the user does not have permissions for the realm, thus a login to the realm would show that.

I think it would be better to take care of this via error handling instead of not offering such a function at all.

> I assume that it is just a missing shortcut.

That would be my assumption as well.

> Using default argument realm_name=self.realm_name might avoid duplicate code.

If this can be solved via default arguments without the need to introduce new methods, that's even better!

Maybe @marcospereirampj can comment on the issue?

Thanks and best regards Johannes

JohannesRuc, Jun 10 '21 09:06

Any update on this feature request? We would love to use this library, but without this feature, we cannot use it. Can we support you by providing a pull request?

iischwuerfl, Aug 12 '22 09:08

Hello :)

The admin client is realm-based, we've had quite a few issues reported about similar problems, in all sorts of formats/sauces, but the crux of these issues is, how can I change/select a realm in the keycloak admin object.

The issue can be resolved just by better documentation, as the solution is actually quite easy. What you're suggesting here is that the keycloak admin object is not realm-based, and I don't think I'm behind this solution.

That's mainly because the Keycloak application itself is realm-based, i.e. each realm essentially behaves as a standalone keycloak application, thus having a "KeycloakAdmin" object to serve all realms doesn't quite correspond to the Keycloak admin interface. What you can however do in the Keycloak admin interface, is to change the realm to another one. And that's what I think this python Keycloak client should provide as well.

It's possible already, but not obvious how to do it. Setting the realm name upon initialization is well documented and part of the many examples in the README.md, but changing the realm has been only recently added to the README. Would adding a specific method to set the realm name resolve your issue or is the issue something else?

ryshoooo, Aug 13 '22 00:08

Hi @ryshoooo

thank you for the hint to set the realm_name like shown in the readme:

    keycloak_admin.realm_name = "demo"  # Change realm to 'demo'

That worked for our case!

Keep up the good work 🌟

iischwuerfl, Aug 24 '22 04:08
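
The realm switch discussed in the thread, combined with the per-realm error handling raised earlier, as an added example that is not part of the thread or of python-keycloak. The helpers `in_realm` and `clients_by_realm` and the `FakeAdmin` stand-in are hypothetical, and the realm names and client IDs are constructed; the only behaviour assumed of the admin object is the settable `realm_name` and `get_clients()` shown above.

```python
from contextlib import contextmanager

try:  # real exception type when python-keycloak is installed
    from keycloak.exceptions import KeycloakGetError
except ImportError:  # stand-in so the sketch runs offline
    class KeycloakGetError(Exception):
        pass


@contextmanager
def in_realm(admin, realm_name):
    """Point `admin` at `realm_name`, then always restore the previous realm."""
    previous = admin.realm_name
    admin.realm_name = realm_name
    try:
        yield admin
    finally:
        # Restore even on error, so later calls never hit the wrong realm.
        admin.realm_name = previous


def clients_by_realm(admin, realm_names):
    """Return ({realm: [clientId, ...]}, {realm: error}) with one login."""
    found, denied = {}, {}
    for name in realm_names:
        with in_realm(admin, name):
            try:
                found[name] = [c["clientId"] for c in admin.get_clients()]
            except KeycloakGetError as exc:
                denied[name] = str(exc)  # e.g. no permission on that realm
    return found, denied


class FakeAdmin:
    """Constructed stand-in for KeycloakAdmin: realm_name and get_clients() only."""
    _data = {"master": ["admin-cli"], "demo": ["account", "shop-frontend"]}

    def __init__(self, realm_name):
        self.realm_name = realm_name

    def get_clients(self):
        if self.realm_name not in self._data:
            raise KeycloakGetError("403: Forbidden")
        return [{"clientId": c} for c in self._data[self.realm_name]]


if __name__ == "__main__":
    admin = FakeAdmin("master")
    print(clients_by_realm(admin, ["master", "demo", "locked"]))
    print(admin.realm_name)  # back on the realm the object started with
```

Because `realm_name` is mutable state on a shared object, restoring it in `finally` keeps a failed lookup in one realm from redirecting every later admin call to that realm.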