How to get the password expired date of a user in Keycloak
Question
I am now using Keycloak 18.0.1.
When the user logs in to my system via Keycloak, I want to know exactly when the password will expire.
For your information, I'm using keycloak-angular and keycloak-js.
I have searched https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation but it doesn't have an API that suits my needs.
Answer 1
Score: 0
This API can get the details of a policy.
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
Example
http://localhost:8080/auth/admin/realms/test/clients/246d7abb-da85-420b-92b4-65b1b3d287c1/authz/resource-server/policy/04dbe6e9-a1d3-449a-b001-42eab0eb51e6
Result
```json
{
"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
"name": "policy1",
"description": "short term license",
"type": "time",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"noa": "2023-03-02 12:35:45",
"nbf": "2022-01-02 01:02:06"
}
}
```
This result gets this UI information.
Example: a time-based policy can get the time period.
### Overview
On the left side, the setup order by UI
On the right side, get information by API call
I think you are interested in blue circle #10.
I will demo that a user can access the resource by a time-based policy.
For example, license control by time period.
[![Overview][1]][1]
### UI setup
[![UI setup][2]][2]
### API
I am using Keycloak v18.0.1 (if you use v19/v20, just remove auth in the API endpoint)
Get User
GET {keycloak_url}/auth/admin/realms/{realm}/users/{user-uuid}
Get Client
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
Get Resource list
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/
Get Resource
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
Get Permissions & Policy list
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
Example by Postman -
You can see the time period information - red box
[![enter image description here][3]][3]
Get policy of specific permission
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
[![enter image description here][4]][4]
User mapped into policy
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
The user list will be returned in the body of the response
```json
{
"id": {policy-uuid},
"name": {policy-name},
"config": {
"users": "[array of {user-uuid}]"
}
}
```
[![enter image description here][5]][5]
### Evaluate by UI
[![enter image description here][6]][6]
Result -
*Note the permission's Decision Strategy -
#1 Unanimous (AND - policy1 and policy 2) then Permit
#2 Affirmative (OR - policy1 or policy 2) then Permit
[![enter image description here][7]][7]
If you make the policy expired
[![enter image description here][8]][8]
it will be denied - due to the AND condition
[![enter image description here][9]][9]
### Evaluate by API
POST {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/evaluate
In the body
```json
{
"resources": [
{
"name": <resource-name>,
"owner": {
"id": <client-uuid>,
"name": <client-name>
},
"ownerManagedAccess": false,
"_id": <resource-uuid>,
"uris": [],
"scopes": []
}
],
"context": { "attributes": {} },
"roleIds": [],
"clientId": <client-uuid>,
"userId": <user-uuid>,
"entitlements": false
}
```
Evaluate by Postman
[![enter image description here][10]][10]
Result
```json
{
"results": [
{
"resource": {
"name": "resource1",
"_id": "3cb04615-ed9f-42a6-ab77-4254bf470891"
},
"scopes": [],
"policies": [
{
"policy": {
"id": "8597a6b3-ba5f-4849-9987-9a57b2f3db90",
"name": "permissions1",
"type": "resource",
"resources": [
"resource1"
],
"scopes": [],
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {}
},
"status": "DENY",
"associatedPolicies": [
{
"policy": {
"id": "6b2a4cce-f6ba-48eb-a8d4-ee3aad88c677",
"name": "policy-user",
"type": "user",
"resources": [],
"scopes": [],
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {}
},
"status": "PERMIT",
"associatedPolicies": [],
"scopes": []
},
{
"policy": {
"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
"name": "policy1",
"description": "short term license",
"type": "time",
"resources": [],
"scopes": [],
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {}
},
"status": "DENY",
"associatedPolicies": [],
"scopes": []
}
],
"scopes": []
}
],
"status": "DENY",
"allowedScopes": []
}
],
"entitlements": false,
"status": "DENY",
"rpt": {
"exp": 1677207180,
"iat": 1677206880,
"jti": "c0f813e4-eff1-4c4a-9c65-4cc31fcc54a8",
"aud": "my-test",
"sub": "fd3d621a-565c-4dfb-b476-b605faadd798",
"typ": "Bearer",
"azp": "my-test",
"session_state": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0",
"acr": "1",
"allowed-origins": [
"http://localhost:3000"
],
"realm_access": {
"roles": [
"default-roles-test",
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"authorization": {
"permissions": []
},
"scope": "email profile",
"sid": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0",
"email_verified": true,
"preferred_username": "user1",
"email": "user1@test.com"
}
}
```

References
how to get all keycloak users who can access to a specific resource
logic when evaluating permissions for a shared resource in keycloak
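The answer above reads a time policy's `nbf`/`noa` window and shows how a permission's decision strategy (Unanimous = AND, Affirmative = OR) combines the associated policies. The following is an added example, not code from the answer or from Keycloak, that does the same computation offline: it parses the time-policy config into a window, reports whether a given instant is inside it and how long until it expires, and combines per-policy results the way the UNANIMOUS, AFFIRMATIVE and CONSENSUS strategies do. The sample policy is constructed to mirror the `policy1` representation shown above; treating the zone-less Keycloak timestamps as UTC is an assumption.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample policy, modelled on the "policy1" representation in the answer.
SAMPLE_TIME_POLICY: Dict = {
    "id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
    "name": "policy1",
    "description": "short term license",
    "type": "time",
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "config": {"noa": "2023-03-02 12:35:45", "nbf": "2022-01-02 01:02:06"},
}

# Format Keycloak uses for the nbf / noa values of a time policy.
KEYCLOAK_TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_keycloak_time(value: str) -> datetime:
    """Parse a time-policy timestamp. Keycloak stores it without a zone; this
    example assumes the server clock is UTC (assumption, adjust if it is not)."""
    return datetime.strptime(value, KEYCLOAK_TIME_FMT).replace(tzinfo=timezone.utc)


def time_policy_window(policy: Dict) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (not-before, not-on-or-after) from the policy config; either may be None."""
    cfg = policy.get("config", {})
    nbf = parse_keycloak_time(cfg["nbf"]) if cfg.get("nbf") else None
    noa = parse_keycloak_time(cfg["noa"]) if cfg.get("noa") else None
    return nbf, noa


def time_policy_status(policy: Dict, now: datetime) -> str:
    """PERMIT if now lies in [nbf, noa); NEGATIVE logic inverts the result."""
    nbf, noa = time_policy_window(policy)
    inside = (nbf is None or now >= nbf) and (noa is None or now < noa)
    if policy.get("logic") == "NEGATIVE":
        inside = not inside
    return "PERMIT" if inside else "DENY"


def seconds_until_expiry(policy: Dict, now: datetime) -> Optional[int]:
    """Seconds until the policy stops granting; None if it has no end or already expired."""
    _, noa = time_policy_window(policy)
    if noa is None or now >= noa:
        return None
    return int((noa - now).total_seconds())


def evaluate_permission(decision_strategy: str, statuses: List[str]) -> str:
    """Combine associated-policy results the way Keycloak's decision strategies do."""
    permits = sum(1 for s in statuses if s == "PERMIT")
    denies = len(statuses) - permits
    if decision_strategy == "UNANIMOUS":      # AND: every policy must permit
        granted = permits > 0 and denies == 0
    elif decision_strategy == "AFFIRMATIVE":  # OR: a single permit is enough
        granted = permits > 0
    elif decision_strategy == "CONSENSUS":    # more permits than denies
        granted = permits > denies
    else:
        raise ValueError(f"unknown decision strategy {decision_strategy!r}")
    return "PERMIT" if granted else "DENY"


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print("policy1 status now:", time_policy_status(SAMPLE_TIME_POLICY, now))
    print("seconds until expiry:", seconds_until_expiry(SAMPLE_TIME_POLICY, now))
    # Mirror the answer's evaluation: user policy PERMIT, expired time policy DENY.
    print("permission (UNANIMOUS):", evaluate_permission("UNANIMOUS", ["PERMIT", "DENY"]))
    print("permission (AFFIRMATIVE):", evaluate_permission("AFFIRMATIVE", ["PERMIT", "DENY"]))
```

Note that the evaluate endpoint's response reports each associated policy's `status`, so the same combination logic can be applied to a live response by collecting the `status` values under `associatedPolicies` and the permission's `decisionStrategy`.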
Answer 2
Score: 0
There is not an API endpoint that gives that information directly, but it can be calculated by using the password policy and the password creation date.
Reference
https://medium.com/@lejdiprifti/expiration-date-of-users-password-in-keycloak-389566d5d78c
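As an added example (not code from the answer or the linked article), here is the calculation the answer describes, done against the admin REST API with only the standard library: the realm representation's `passwordPolicy` string carries the `forceExpiredPasswordChange(N)` term ("Expire Password" in the console), and the user's credentials list carries the password credential's `createdDate` in epoch milliseconds, so expiry is creation time plus N days. The server URL, realm and admin login are placeholders, the admin token is assumed to come from the master realm's `admin-cli` client via the password grant, and the `/auth` prefix matches Keycloak 18 (drop it for 19 and later, as the first answer notes). The sample policy string and credentials list are constructed for the offline run.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed deployment values (placeholders, not taken from the page).
KEYCLOAK_URL = "http://localhost:8080"
REALM = "test"
ADMIN_USER = "admin"
ADMIN_PASSWORD = "change-me"
# Keycloak 18 still serves everything under /auth; use "" for 19 and later.
BASE_PATH = "/auth"


def get_admin_token(base_url: str, username: str, password: str) -> str:
    """Obtain an admin access token from the master realm via the admin-cli client."""
    data = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": "admin-cli",
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        f"{base_url}{BASE_PATH}/realms/master/protocol/openid-connect/token", data=data)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def admin_get(base_url: str, token: str, path: str):
    """GET a JSON document from the admin REST API using a bearer token."""
    req = urllib.request.Request(f"{base_url}{BASE_PATH}{path}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def expire_days_from_policy(password_policy: Optional[str]) -> Optional[int]:
    """Extract N from the forceExpiredPasswordChange(N) term of the realm's
    passwordPolicy string, e.g. "length(8) and forceExpiredPasswordChange(30)".
    Returns None when the realm does not expire passwords at all."""
    m = re.search(r"forceExpiredPasswordChange\((\d+)\)", password_policy or "")
    return int(m.group(1)) if m else None


def password_created_at(credentials: List[Dict]) -> Optional[datetime]:
    """Creation time of the user's password credential (createdDate is epoch ms)."""
    for cred in credentials:
        if cred.get("type") == "password" and cred.get("createdDate") is not None:
            return datetime.fromtimestamp(cred["createdDate"] / 1000, tz=timezone.utc)
    return None


def password_expiry(password_policy: Optional[str], credentials: List[Dict]) -> Optional[datetime]:
    """Expiry instant = password creation time + expire days; None when not computable
    (no expiry policy, or the user has no password credential, e.g. federated users)."""
    days = expire_days_from_policy(password_policy)
    created = password_created_at(credentials)
    if days is None or created is None:
        return None
    return created + timedelta(days=days)


def password_expiry_for_user(base_url: str, token: str, realm: str, user_id: str) -> Optional[datetime]:
    """Fetch the realm's password policy and the user's credentials, then compute expiry."""
    realm_rep = admin_get(base_url, token, f"/admin/realms/{realm}")
    creds = admin_get(base_url, token, f"/admin/realms/{realm}/users/{user_id}/credentials")
    return password_expiry(realm_rep.get("passwordPolicy"), creds)


# Constructed sample inputs shaped like the realm representation's passwordPolicy
# and the credentials list the admin API returns (ids are made up).
SAMPLE_POLICY = "length(8) and forceExpiredPasswordChange(30)"
SAMPLE_CREDENTIALS = [
    {"id": "11111111-1111-1111-1111-111111111111", "type": "password",
     "createdDate": 1672531200000},   # 2023-01-01T00:00:00Z
]

if __name__ == "__main__":
    print("offline sample expiry:", password_expiry(SAMPLE_POLICY, SAMPLE_CREDENTIALS))
    # Live lookup (needs a reachable Keycloak and real admin credentials):
    # token = get_admin_token(KEYCLOAK_URL, ADMIN_USER, ADMIN_PASSWORD)
    # print(password_expiry_for_user(KEYCLOAK_URL, token, REALM, "<user-uuid>"))
```

Because the credentials endpoint needs admin rights, this lookup belongs in the backend that keycloak-angular talks to, not in the browser client; expose the computed date to the front end rather than an admin token.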