You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Since version 0.30, if your Keycloak base URL starts with auth/, add it to baseUri (e.g. http://127.0.0.1:8180/auth). Base URL for Keycloak versions 7 to 16 have systematically auth/. On Keycloak 17+ it depends on your settings.
By default, the token is saved at runtime. This means that the previous token is not used when creating a new client.
You can customize how the token is stored in the client configuration by implementing your own TokenStorage,
an interface which describes how the token is stored and retrieved.
class CustomTokenStorage implements TokenStorage
{
publicfunctiongetToken()
{
// TODO
}
publicfunctionsaveToken(array$token)
{
// TODO
}
}
$client = Keycloak\Admin\KeycloakClient::factory([
...
'token_storage' => newCustomTokenStorage(),
]);
Custom Keycloak endpoints
It is possible to inject Guzzle Service Operations
in the keycloak client configuration using the custom_operations keyword. This way you can extend the built-in supported endpoints with custom.
Get a keystore file for the client, containing private key and public certificate (note: write response content to a file)
getClientKeyStore
✔️
Generate a new certificate with new key pair
generateClientCertificate
✔️
Generate a new keypair and certificate, and get the private key file Generates a keypair and certificate and serves the private key in a specified keystore format.
Create a new client Client’s client_id must be unique!
createClient
✔️
Get clients belonging to the realm Returns a list of clients belonging to the realm
getClients
✔️
Get representation of the client
getClient
✔️
Update the client
updateClient
✔️
Delete the client
deleteClient
✔️
Generate a new secret for the client
generateClientSecret
✔️
Get the client secret
getClientSecret
✔️
Get default client scopes.
getClientDefaultScopes
✔️
Set client scope as default scope
setClientScopeAsDefault
✔️
Remove client scope from default scopes
removeClientScopeAsDefault
✔️
Create JSON with payload of example access token
getClientExampleAccessToken
✔️
Return list of all protocol mappers, which will be used when generating tokens issued for particular client.
getClientProtocolMappers
✔️
Get effective scope mapping of all roles of particular role container, which this client is defacto allowed to have in the accessToken issued for him.
getClientAllowedRoleMappingsInContainer
✔️
Get roles, which this client doesn’t have scope for and can’t have them in the accessToken issued for him.
getClientNotAllowedRoleMappingsInContainer
✔️
Generate client adapter configuration takes one of these (keycloak-oidc-keycloak-json, keycloak-oidc-jboss-subsystem-cli, keycloak-oidc-jboss-subsystem, keycloak-saml, keycloak-saml-subsystem-cli, keycloak-saml-subsystem)
getClientInstallationConfiguration
✔️
Return object stating whether client Authorization permissions have been initialized or not and a reference
getClientAuthorizationPermissionsStatus
✔️
Update client Authorization permissions initialization and a reference
updateClientAuthorizationPermissionsStatus
✔️
Register a cluster node with the client Manually register cluster node to this client - usually it’s not needed to call this directly as adapter should handle by sending registration request to Keycloak
registerClientClusterNode
✔️
Unregister a cluster node from the client
unregisterClientClusterNode
✔️
Get application offline session count Returns a number of offline user sessions associated with this client { "count": number }
getClientOfflineSessionsCount
✔️
Get offline sessions for client Returns a list of offline user sessions associated with this client
getClientOfflineSessions
✔️
Get optional client scopes.
getClientOptionalScopes
✔️
Assign client optional scope
assignClientOptionalScope
✔️
remove client optional scope assignment
unassignClientOptionalScope
✔️
Push the client’s revocation policy to its admin URL If the client has an admin URL, push revocation policy to it.
pushClientRevocationPolicy
✔️
Generate a new registration access token for the client
generateClientRegistrationToken
✔️
Get a user dedicated to the service account
getServiceAccountDedicatedUser
✔️
Get application session count Returns a number of user sessions associated with this client { "count": number }
getClientSessionsCount
✔️
Test if registered cluster nodes are available Tests availability by sending 'ping' request to all cluster nodes.
testClientNodesAvailability
✔️
Get user sessions for client Returns a list of user sessions associated with this client
Get the roles associated with a client’s scope Returns roles for the client.
❌
Remove client-level roles from the client’s scope.
❌
The available client-level roles Returns the roles for the client that can be associated with the client’s scope
❌
Get effective client roles Returns the roles for the client that are associated with the client’s scope.
❌
Add a set of realm-level roles to the client’s scope
❌
Get realm-level roles associated with the client’s scope
❌
Remove a set of realm-level roles from the client’s scope
❌
Get realm-level roles that are available to attach to this client’s scope
❌
Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists.
❌
Get all scope mappings for the client
❌
Add client-level roles to the client’s scope
❌
Get the roles associated with a client’s scope Returns roles for the client.
❌
Remove client-level roles from the client’s scope.
❌
The available client-level roles Returns the roles for the client that can be associated with the client’s scope
❌
Get effective client roles Returns the roles for the client that are associated with the client’s scope.
❌
Add a set of realm-level roles to the client’s scope
❌
Get realm-level roles associated with the client’s scope
❌
Remove a set of realm-level roles from the client’s scope
❌
Get realm-level roles that are available to attach to this client’s scope
❌
Get effective realm-level roles associated with the client’s scope What this does is recurse any composite roles associated with the client’s scope and adds the roles to this lists.
Get users Returns a list of users, filtered according to query parameters
getUsers
✔️
GET /{realm}/users/count
getUserCount
✔️
Get representation of the user
getUser
️️️✔️
Update the user
updateUser
️️️✔️
Delete the user
deleteUser
️️️✔️
Get consents granted by the user
️✔️
Revoke consent and offline tokens for particular client from user
❌
Disable all credentials for a user of a specific type
❌
Send a update account email to the user An email contains a link the user can click to perform a set of required actions.
executeActionsEmail
✔️
Get social logins associated with the user
✔️
Add a social login provider to the user
✔️
Remove a social login provider from user
✔️
GET /{realm}/users/{id}/groups
getUserGroups
✔️
GET /{realm}/users/{id}/groups/count
getUserGroupsCount
✔️
PUT /{realm}/users/{id}/groups/{groupId}
addUserToGroup
✔️
DELETE /{realm}/users/{id}/groups/{groupId}
deleteUserFromGroup
✔️
Impersonate the user
impersonateUser
✔️
Remove all user sessions associated with the user Also send notification to all clients that have an admin URL to invalidate the sessions for the particular user.
logoutUser
✔️
Get offline sessions associated with the user and client
❌
Remove TOTP from the user
❌
Set up a new password for the user.
resetUserPassword
✔️
Send an email-verification email to the user An email contains a link the user can click to verify their email address.