120 lines
No EOL
4.1 KiB
Text
Executable file
120 lines
No EOL
4.1 KiB
Text
Executable file
== Authorization Client API
|
|
|
|
If you are using Java you can access all {{book.project.name}} {{book.project.module}} using a client API.
|
|
|
|
=== Maven Dependency
|
|
|
|
```xml
|
|
<dependencies>
|
|
<dependency>
|
|
<groupId>org.keycloak</groupId>
|
|
<artifactId>keycloak-authz-client</artifactId>
|
|
<version>${KEYCLOAK_VERSION}</version>
|
|
</dependency>
|
|
</dependencies>
|
|
```
|
|
|
|
=== Configuration
|
|
|
|
The client configuration is defined in a JSON file as follows:
|
|
|
|
```json
|
|
{
|
|
"realm": "hello-world-authz",
|
|
"auth-server-url" : "http://localhost:8080/auth",
|
|
"resource" : "hello-world-authz-service",
|
|
"credentials": {
|
|
"secret": "secret"
|
|
}
|
|
}
|
|
```
|
|
|
|
* *realm*
|
|
+
|
|
Name of the realm. This is REQUIRED.
|
|
|
|
* *auth-server-url*
|
|
+
|
|
The base URL of the Keycloak server. All other Keycloak pages and REST service endpoints are derived from this. It is usually of the form https://host:port/auth. This is REQUIRED.
|
|
|
|
* *resource*
|
|
+
|
|
The client-id of the application. Each application has a client-id that is used to identify the application. This is REQUIRED.
|
|
|
|
* *credentials*
|
|
Specify the credentials of the application. This is an object notation where the key is the credential type and the value is the value of the credential type. Currently only secret/password is supported. This is REQUIRED.
|
|
|
|
=== Obtaining User Entitlements
|
|
|
|
Here is an example about how to obtain user entitlements:
|
|
|
|
```java
|
|
// create a new instance based on the configuration define at keycloak-authz.json
|
|
AuthzClient authzClient = AuthzClient.create();
|
|
|
|
// obtian a Entitlement API Token in order to get access to the Entitlement API.
|
|
// this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
|
|
String eat = getEntitlementAPIToken(authzClient);
|
|
|
|
// send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
|
|
EntitlementResponse response = authzClient.entitlement(eat).getAll("hello-world-authz-service");
|
|
String rpt = response.getRpt();
|
|
|
|
System.out.println("You got a RPT: " + rpt);
|
|
|
|
// now you can use the RPT to access protected resources on the resource server
|
|
```
|
|
|
|
Here is an example about how to obtain user entitlements given a set of one or more resource:
|
|
|
|
```java
|
|
// create a new instance based on the configuration define at keycloak-authz.json
|
|
AuthzClient authzClient = AuthzClient.create();
|
|
|
|
// obtian a Entitlement API Token in order to get access to the Entitlement API.
|
|
// this token is just an access token issued to a client on behalf of an user with a scope kc_entitlement
|
|
String eat = getEntitlementAPIToken(authzClient);
|
|
|
|
// create an entitlement request
|
|
EntitlementRequest request = new EntitlementRequest();
|
|
PermissionRequest permission = new PermissionRequest();
|
|
|
|
permission.setResourceSetName("Hello World Resource");
|
|
|
|
request.addPermission(permission);
|
|
|
|
// send the entitlement request to the server in order to obtain a RPT with all permissions granted to the user
|
|
EntitlementResponse response = authzClient.entitlement(eat).get("hello-world-authz-service", request);
|
|
String rpt = response.getRpt();
|
|
|
|
System.out.println("You got a RPT: " + rpt);
|
|
```
|
|
|
|
=== Creating a Resource Using the Protection API
|
|
|
|
```java
|
|
// create a new instance based on the configuration define at keycloak-authz.json
|
|
AuthzClient authzClient = AuthzClient.create();
|
|
|
|
// create a new resource representation with the information we want
|
|
ResourceRepresentation newResource = new ResourceRepresentation();
|
|
|
|
newResource.setName("New Resource");
|
|
newResource.setType("urn:hello-world-authz:resources:example");
|
|
|
|
newResource.addScope(new ScopeRepresentation("urn:hello-world-authz:scopes:view"));
|
|
|
|
ProtectedResource resourceClient = authzClient.protection().resource();
|
|
Set<String> existingResource = resourceClient.findByFilter("name=" + newResource.getName());
|
|
|
|
if (!existingResource.isEmpty()) {
|
|
resourceClient.delete(existingResource.iterator().next());
|
|
}
|
|
|
|
// create the resource on the server
|
|
RegistrationResponse response = resourceClient.create(newResource);
|
|
String resourceId = response.getId();
|
|
|
|
// query the resource using its newly generated id
|
|
ResourceRepresentation resource = resourceClient.findById(resourceId).getResourceDescription();
|
|
``` |