2016-11-29 15:30:53 +00:00
[[_service_client_api]]
2016-12-02 15:25:43 +00:00
=== Authorization Client Java API
2016-06-05 22:17:31 +00:00
2017-04-25 22:52:57 +00:00
Depending on your requirements, a resource server should be able to manage resources remotely or even check for permissions programmatically.
If you are using Java, you can access the {{book.project.name}} Authorization Services using the Authorization Client API.
It is targeted for resource servers that want to access the different APIs provided by the server such as the Protection, Authorization and Entitlement APIs.
2016-06-05 22:17:31 +00:00
2016-12-01 14:32:11 +00:00
==== Maven Dependency
2016-06-05 22:17:31 +00:00
```xml
<dependencies>
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${KEYCLOAK_VERSION}</version>
</dependency>
</dependencies>
```
2016-12-01 14:32:11 +00:00
==== Configuration
2016-06-05 22:17:31 +00:00
2017-04-25 22:52:57 +00:00
The client configuration is defined in a ``keycloak.json`` file as follows:
2016-06-05 22:17:31 +00:00
```json
{
2016-06-14 23:50:50 +00:00
"realm": "hello-world-authz",
"auth-server-url" : "http://localhost:8080/auth",
"resource" : "hello-world-authz-service",
"credentials": {
"secret": "secret"
2016-06-05 22:17:31 +00:00
}
}
```
2016-11-15 21:34:20 +00:00
* *realm* (required)
2016-06-05 22:17:31 +00:00
+
2016-11-15 21:34:20 +00:00
The name of the realm.
2016-06-14 23:50:50 +00:00
2016-11-15 21:34:20 +00:00
* *auth-server-url* (required)
2016-06-05 22:17:31 +00:00
+
2016-11-29 15:30:53 +00:00
The base URL of the {{book.project.name}} server. All other {{book.project.name}} pages and REST service endpoints are derived from this. It is usually in the form https://host:port/auth.
2016-06-14 23:50:50 +00:00
2016-11-15 21:34:20 +00:00
* *resource* (required)
2016-06-05 22:17:31 +00:00
+
2016-11-15 21:34:20 +00:00
The client-id of the application. Each application has a client-id that is used to identify the application.
2016-06-14 23:50:50 +00:00
2016-11-15 21:34:20 +00:00
* *credentials* (required)
2017-04-25 22:52:57 +00:00
Specifies the credentials of the application. This is an object notation where the key is the credential type and the value is the value of the credential type.
The configuration file is usually located in your application's classpath, the default location from where the client is going to try to find a ```keycloak.json``` file.
==== Creating the Authorization Client
Considering you have a ```keycloak.json``` file in your classpath, you can create a new ```AuthzClient``` instance as follows:
```java
// create a new instance based on the configuration defined in a keycloak.json located in your classpath
AuthzClient authzClient = AuthzClient.create();
```
2016-06-05 22:17:31 +00:00
2016-12-01 14:32:11 +00:00
==== Obtaining User Entitlements
2016-06-05 22:17:31 +00:00
2016-09-09 03:53:39 +00:00
Here is an example illustrating how to obtain user entitlements:
2016-06-05 22:17:31 +00:00
```java
2016-09-09 03:53:39 +00:00
// create a new instance based on the configuration defined in keycloak-authz.json
2016-06-05 22:17:31 +00:00
AuthzClient authzClient = AuthzClient.create();
2016-11-15 21:34:20 +00:00
// obtain an Entitlement API Token to get access to the Entitlement API.
// this token is an access token issued to a client on behalf of an user
2017-04-25 22:52:57 +00:00
// with a uma_authorization scope
2016-06-05 22:17:31 +00:00
String eat = getEntitlementAPIToken(authzClient);
2016-11-15 21:34:20 +00:00
// send the entitlement request to the server to
2016-09-09 03:53:39 +00:00
// obtain an RPT with all permissions granted to the user
2017-04-25 22:52:57 +00:00
EntitlementResponse response = authzClient.entitlement(eat).getAll("hello-world-authz-service");
2016-06-05 22:17:31 +00:00
String rpt = response.getRpt();
// now you can use the RPT to access protected resources on the resource server
```
2016-09-09 03:53:39 +00:00
Here is an example illustrating how to obtain user entitlements for a set of one or more resources:
2016-06-05 22:17:31 +00:00
```java
2016-09-09 03:53:39 +00:00
// create a new instance based on the configuration defined in keycloak-authz.json
2016-06-05 22:17:31 +00:00
AuthzClient authzClient = AuthzClient.create();
2016-11-15 21:34:20 +00:00
// obtain an Entitlement API Token to get access to the Entitlement API.
// this token is an access token issued to a client on behalf of an user
2017-04-25 22:52:57 +00:00
// with a uma_authorization scope
2016-06-05 22:17:31 +00:00
String eat = getEntitlementAPIToken(authzClient);
2016-06-14 23:50:50 +00:00
// create an entitlement request
EntitlementRequest request = new EntitlementRequest();
PermissionRequest permission = new PermissionRequest();
permission.setResourceSetName("Hello World Resource");
request.addPermission(permission);
2016-11-15 21:34:20 +00:00
// send the entitlement request to the server to obtain an RPT
2016-09-09 03:53:39 +00:00
// with all permissions granted to the user
2017-04-25 22:52:57 +00:00
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
2016-06-05 22:17:31 +00:00
String rpt = response.getRpt();
2017-04-25 22:52:57 +00:00
// now you can use the RPT to access protected resources on the resource server
2016-06-05 22:17:31 +00:00
```
2016-12-01 14:32:11 +00:00
==== Creating a Resource Using the Protection API
2016-06-05 22:17:31 +00:00
```java
2016-09-09 03:53:39 +00:00
// create a new instance based on the configuration defined in keycloak-authz.json
2016-06-05 22:17:31 +00:00
AuthzClient authzClient = AuthzClient.create();
// create a new resource representation with the information we want
ResourceRepresentation newResource = new ResourceRepresentation();
newResource.setName("New Resource");
newResource.setType("urn:hello-world-authz:resources:example");
newResource.addScope(new ScopeRepresentation("urn:hello-world-authz:scopes:view"));
ProtectedResource resourceClient = authzClient.protection().resource();
2017-04-25 22:52:57 +00:00
Set<String> existingResource = resourceClient.findByFilter("name=" + newResource.getName());
2016-06-14 23:50:50 +00:00
if (!existingResource.isEmpty()) {
resourceClient.delete(existingResource.iterator().next());
}
2016-06-05 22:17:31 +00:00
// create the resource on the server
RegistrationResponse response = resourceClient.create(newResource);
String resourceId = response.getId();
// query the resource using its newly generated id
ResourceRepresentation resource = resourceClient.findById(resourceId).getResourceDescription();
2017-04-25 22:52:57 +00:00
```
==== Introspecting a RPT
```java
AuthzClient authzClient = AuthzClient.create();
String rpt = getRequestingPartyToken(authzClient);
TokenIntrospectionResponse requestingPartyToken = authzClient.protection().introspectRequestingPartyToken(rpt);
if (requestingPartyToken.getActive()) {
for (Permission granted : requestingPartyToken.getPermissions()) {
// iterate over the granted permissions
}
}
2016-06-14 23:50:50 +00:00
```