英文:
How to get the password expired date of a user in Keycloak
问题
我现在使用Keycloak 18.0.1。
当用户通过Keycloak登录我的系统时,我想要确切地知道密码何时会过期。
供您参考,我正在使用keycloak-angular和keycloak-js。
我已在https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation上搜索过,但它没有适合我需求的API。
英文:
I now using Keycloak 18.0.1.
When the user log in my system by Keycloak, I want to know exactly when the password will be expired.
For your information, I'm using keycloak-angular and keycloak-js
I have searched on https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation but it doesn't have an API that suit my need
答案1
得分: 0
这个API可以获取策略的详细信息。
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
示例
http://localhost:8080/auth/admin/realms/test/clients/246d7abb-da85-420b-92b4-65b1b3d287c1/authz/resource-server/policy/04dbe6e9-a1d3-449a-b001-42eab0eb51e6
结果
{"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6","name": "policy1","description": "short term license","type": "time","logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {"noa": "2023-03-02 12:35:45","nbf": "2022-01-02 01:02:06"}}
这个结果可以获取UI信息。
示例:基于时间的策略可以获取时间段。
概述
在左侧,通过UI设置顺序。
在右侧,通过API调用获取信息。
我认为您对蓝色圆圈 #10 感兴趣。
我将演示用户可以按时间基础策略访问资源。
例如,按时间段控制许可证。
UI设置
API
我正在使用Keycloak v18.0.1(如果使用v19/v20,只需在API端点中删除auth)
获取用户
GET {keycloak_url}/auth/admin/realms/{realm}/users/{user-uuid}
获取客户端
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
获取资源列表
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/
获取资源
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
获取权限和策略列表
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
Postman示例 -
您可以查看时间段信息 - 红框
获取特定权限的策略
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
用户映射到策略
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
用户列表将在响应正文中返回
{"id": {policy-uuid},"name": {policy-name},"config": {"users": "[array of {user-uuid}]"}}
通过UI评估
结果 -
*注意权限的决策策略 -
#1 Unanimous (AND - policy1 和 policy 2) 然后许可
#2 Affirmative (OR - policy1 或 policy 2) 然后许可
如果使策略过期
,将被拒绝 - 由于AND条件
通过API评估
POST {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/evaluate
在请求正文中
{"resources": [{"name": <resource-name>,"owner": {"id": <client-uuid>,"name": <client-name>},"ownerManagedAccess": false,"_id": <resource-uuid>,"uris": [],"scopes": []}],"context": { "attributes": {} },"roleIds": [],"clientId": <client-uuid>,"userId": <user-uuid>,"entitlements": false}
通过Postman评估
结果
{"results": [{"resource": {"name": "resource1","_id": "3cb04615-ed9f-42a6-ab77-4254bf470891"},"scopes": [],"policies": [{"policy": {"id": "8597a6b3-ba5f-4849-9987-9a57b2f3db90","name": "permissions1","type": "resource","resources": ["resource1"],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "DENY","associatedPolicies": [{"policy": {"id": "6b2a4cce-f6ba-48eb-a8d4-ee3aad88c677","name": "policy-user","type": "user","resources": [],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "PERMIT","associatedPolicies": [],"scopes": []},{"policy": {"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6","name": "policy1","description": "short term license","type": "time","resources": [],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "DENY","associatedPolicies": [],"scopes": []}],"scopes": []}],<details><summary>英文:</summary>This API can get the detail of Policy.
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
Example
http://localhost:8080/auth/admin/realms/test/clients/246d7abb-da85-420b-92b4-65b1b3d287c1/authz/resource-server/policy/04dbe6e9-a1d3-449a-b001-42eab0eb51e6
Result
{
"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
"name": "policy1",
"description": "short term license",
"type": "time",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"noa": "2023-03-02 12:35:45",
"nbf": "2022-01-02 01:02:06"
}
}
This result get this UI informationExample : time based policy can get the time period.### OverviewIn left side, setup order by UIIn Right side, get information by API callI think you interest blue circle #10.I will demo user can access the resource by time base policy.Example, the license control by time period.[![Overview][1]][1]### UI setup[![UI setup][2]][2]### APII am using Keycloak v18.0.1 (if use v19/v20, just remove auth in API endpoint)Get User
GET {keycloak_url}/auth/admin/realms/{realm}/users/{user-uuid}
Get Client
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
Get Resource list
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/
Get Resource
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
Get Permissions & Policy list
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
Example by Postman -You can see the time period information - red box[![enter image description here][3]][3]Get policy of specific permission
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
[![enter image description here][4]][4]User mapped into policy
GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
The user list will return in body of response
{
"id": {policy-uuid},
"name": {policy-name},
"config": {
"users": "[array of {user-uuid}]"
}
}
[![enter image description here][5]][5]### Evaluate by UI[![enter image description here][6]][6]Result -*note permission's Decision Strategy -#1 Unanimous (AND - policy1 and policy 2) then Permit#2 Affirmative(OR - policy1 or policy 2) then Permit[![enter image description here][7]][7]If make expired policy[![enter image description here][8]][8], will be deny - due to AND condition[![enter image description here][9]][9]### Evaluate by API
POST {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/evaluate
In body
{
"resources": [
{
"name": <resource-name>,
"owner": {
"id": <client-uuid>,
"name": <client-name>
},
"ownerManagedAccess": false,
"_id": <resource-uuid>,
"uris": [],
"scopes": []
}
],
"context": { "attributes": {} },
"roleIds": [],
"clientId": <client-uuid>,
"userId": <user-uuid>,
"entitlements": false
}
Evaluate by Postman[![enter image description here][10]][10]Result```json{"results": [{"resource": {"name": "resource1","_id": "3cb04615-ed9f-42a6-ab77-4254bf470891"},"scopes": [],"policies": [{"policy": {"id": "8597a6b3-ba5f-4849-9987-9a57b2f3db90","name": "permissions1","type": "resource","resources": ["resource1"],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "DENY","associatedPolicies": [{"policy": {"id": "6b2a4cce-f6ba-48eb-a8d4-ee3aad88c677","name": "policy-user","type": "user","resources": [],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "PERMIT","associatedPolicies": [],"scopes": []},{"policy": {"id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6","name": "policy1","description": "short term license","type": "time","resources": [],"scopes": [],"logic": "POSITIVE","decisionStrategy": "UNANIMOUS","config": {}},"status": "DENY","associatedPolicies": [],"scopes": []}],"scopes": []}],"status": "DENY","allowedScopes": []}],"entitlements": false,"status": "DENY","rpt": {"exp": 1677207180,"iat": 1677206880,"jti": "c0f813e4-eff1-4c4a-9c65-4cc31fcc54a8","aud": "my-test","sub": "fd3d621a-565c-4dfb-b476-b605faadd798","typ": "Bearer","azp": "my-test","session_state": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0","acr": "1","allowed-origins": ["http://localhost:3000"],"realm_access": {"roles": ["default-roles-test","offline_access","uma_authorization"]},"resource_access": {"account": {"roles": ["manage-account","manage-account-links","view-profile"]}},"authorization": {"permissions": []},"scope": "email profile","sid": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0","email_verified": true,"preferred_username": "user1","email": "user1@test.com"}}
References
how to get all keycloak users who can access to a specific resource
logic when evaluating permissions for a shared resource in keycloak
答案2
得分: 0
没有直接提供该信息的 API 端点,但可以通过使用密码策略和密码创建日期来计算该信息。
参考链接:
https://medium.com/@lejdiprifti/expiration-date-of-users-password-in-keycloak-389566d5d78c
英文:
There is not an API endpoint that gives that information directly, but it can be calculated by using the password policy and the password creation date.
Reference
https://medium.com/@lejdiprifti/expiration-date-of-users-password-in-keycloak-389566d5d78c
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论