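Keycloak address in the current environment: http://ovirt.engine.com/ovirt-engine-auth/
When using the Keycloak REST API, you must append auth/admin/realms to the path and then add the API you want to call. Below are a few examples of retrieving information.
1. Get a token
Before calling the REST API you need to obtain a token. The request is shown below: client_id is fixed as admin-cli, username and password are the username and password used to log in to Keycloak, and grant_type is fixed as the password type.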
curl -d "client_id=admin-cli" -d "username=admin" -d "password=rootroot" -d "grant_type=password" "http://ovirt.engine.com/ovirt-engine-auth/realms/master/protocol/openid-connect/token"
The output is as follows; access_token is the part we need:
{"access_token":"<JWT access token, omitted>","expires_in":7200,"refresh_expires_in":1800,"refresh_token":"<JWT refresh token, omitted>","token_type":"Bearer","not-before-policy":0,"session_state":"42f55b3c-7c80-4b0b-8750-6d3e51cea734","scope":"email profile"}
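With this token we can retrieve a lot of information through the Keycloak REST API. Some commonly used calls follow.
2. Get userinfo
Use the token obtained in step 1 to get the userinfo of the currently logged-in user. The command is below; replace ${ACCESS_TOKEN} with the token value obtained in step 1.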
curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H "Content-Type: application/json" "http://ovirt.engine.com/ovirt-engine-auth/realms/master/protocol/openid-connect/userinfo"
The output is as follows:
{"sub":"5eae4776-2de8-4039-8768-9955237ed424","email_verified":false,"preferred_username":"admin"}
3. Get all roles of a realm
curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H "Content-Type: application/json" "http://ovirt.engine.com/ovirt-engine-auth/admin/realms/master/roles"
The output is as follows:
[{"id":"60edcf42-188a-43a7-9d44-7bd00a598c8c","name":"default-roles-master","description":"${role_default-roles}","composite":true,"clientRole":false,"containerId":"master"},{"id":"5f6fe0a9-51ae-41d9-9eed-3a64edab3085","name":"create-realm","description":"${role_create-realm}","composite":false,"clientRole":false,"containerId":"master"},{"id":"afa35046-b7a9-4a5d-97be-ff91d9d339b4","name":"offline_access","description":"${role_offline-access}","composite":false,"clientRole":false,"containerId":"master"},{"id":"e427622c-1e13-4314-b333-2d4592a88ff9","name":"admin","description":"${role_admin}","composite":true,"clientRole":false,"containerId":"master"},{"id":"efc6ed50-daa1-4956-bba1-78fa0b92935f","name":"uma_authorization","description":"${role_uma_authorization}","composite":false,"clientRole":false,"containerId":"master"}]
4. Get all groups
The default master realm has no groups, so we query the groups in the ovirt-internal realm instead.
The command is as follows:
curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H "Content-Type: application/json" "http://ovirt.engine.com/ovirt-engine-auth/admin/realms/ovirt-internal/groups"
The output is as follows:
[{"id":"3ac9f9fb-95f7-4ef7-8f2c-bbbfd955655f","name":"ovirt-administrator","path":"/ovirt-administrator","subGroups":[]}]
5. Get users
Command:
curl -H "Authorization: Bearer ${ACCESS_TOKEN}" -H "Content-Type: application/json" "http://ovirt.engine.com/ovirt-engine-auth/admin/realms/master/users"
The response is as follows:
[{"id":"5eae4776-2de8-4039-8768-9955237ed424","createdTimestamp":1678432862693,"username":"admin","enabled":true,"totp":false,"emailVerified":false,"disableableCredentialTypes":[],"requiredActions":[],"notBefore":0,"access":{"manageGroupMembership":true,"view":true,"mapRoles":true,"impersonate":true,"manage":true}}]
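One thing to note: if an SSL certificate error is reported, check whether the URL is mistyped and whether you are requesting an https address.
For other endpoints, refer to the Keycloak REST API.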
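The steps above chained into one script, as an added example that is not part of the original post: KC_BASE, KC_USER and the function names are assumptions. It also hands the password to curl on stdin (--config -) instead of typing it on the command line as in step 1.

```shell
#!/bin/sh
# Added example (not from the original post). KC_BASE, KC_USER and all
# function names are assumptions chosen for this sketch.
KC_BASE="${KC_BASE:-http://ovirt.engine.com/ovirt-engine-auth}"

# Token endpoint of a realm (step 1).
token_url() { printf '%s/realms/%s/protocol/openid-connect/token' "$KC_BASE" "$1"; }

# Admin REST resource: <base>/admin/realms/<realm>/<resource> (steps 3-5).
admin_url() { printf '%s/admin/realms/%s/%s' "$KC_BASE" "$1" "$2"; }

# Read a token response on stdin and print its access_token. A JWT contains
# only base64url characters and dots, so matching up to the next quote is safe.
extract_access_token() {
  sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Emit a curl config line carrying the password; \ and " are escaped for
# curl's quoted-value syntax. Feeding it via --config - keeps it out of curl's argv.
password_config() {
  printf 'data-urlencode = "password=%s"\n' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Step 1: password grant with the admin-cli client. usage: get_token USER PASS
get_token() {
  password_config "$2" | curl -sS --fail --config - \
    -d "client_id=admin-cli" -d "grant_type=password" \
    --data-urlencode "username=$1" "$(token_url master)" | extract_access_token
}

# Steps 3-5: GET an admin resource. usage: admin_get TOKEN REALM RESOURCE
admin_get() {
  curl -sS --fail -H "Authorization: Bearer $1" "$(admin_url "$2" "$3")"
}

# Run the full sequence only when invoked as: sh keycloak.sh run
if [ "${1:-}" = "run" ]; then
  printf 'Password for %s: ' "${KC_USER:-admin}" >&2
  stty -echo; IFS= read -r KC_PASS; stty echo; echo >&2
  TOKEN=$(get_token "${KC_USER:-admin}" "$KC_PASS")
  [ -n "$TOKEN" ] || { echo "no access_token in response" >&2; exit 1; }
  admin_get "$TOKEN" master roles; echo
  admin_get "$TOKEN" ovirt-internal groups; echo
  admin_get "$TOKEN" master users; echo
fi
```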