Keycloak-Admin-OpenAPI-Definition

OpenAPI definitions for Keycloak's Admin API.

These can be used to generate libraries for interacting with Keycloak from any mainstream programming langauge.

OpenAPI definitions are sometimes known by their previous name of Swagger specifications.

Keycloak 14.0 Admin API

Keycloak 13.0 Admin API with patches

Other versions

Red Hat Single Sign-On Admin API definitions are not distributed in this repository, but can be generated.

make keycloak/sso-6.json keycloak/sso-7.3.json keycloak/sso-7.4.json

General Usage

Typically to use Keycloak's admin Rest API, you first get a token from a realm. This is done using the OAuth2 protocol.

bearer_token=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
     --data-urlencode 'username=admin-user' \
     --data-urlencode 'password=admin-password' \
     --data-urlencode 'grant_type=password' \
     --data-urlencode 'client_id=admin-cli' \
      | jq -r '.access_token')

The realm used for the token is not necessarily the realm used in the API.

The endpoints in this specification can then be used with a base url of the form http://localhost:8080/auth/admin/realms and the above bearer token.

Please see the example app.

Help wanted

The definitions are computer generated, but could do with a human's input.

Please provide additional example apps.

Notable Changes

2021 Early - Renamed master branch to main. Anyone fetching the schema directly from the branch should update their reference.

2020 May - Added tags to operations. Users of OpenAPI Generator generated clients will need to swap from using the DefaultApi class to multiple classes such as UsersApi or ClientsApi.

Example App

This example uses openapi-generator to build an API-client. The app in the example is very simple and only fetches a list of Keycloak-clients.

# Create a keycloak instance to run against
docker container run --rm -e KEYCLOAK_USER=admin-user -e KEYCLOAK_PASSWORD=admin-password -p 8080:8080 docker.io/jboss/keycloak:13.0.0
# Open http://localhost:8080/ and wait for keycloak to start up

# In a second terminal run
cd example_app
npm install
npm run generate-client
npm run compile
node dist/index.js
# prints out
# The default clients:
#   account
#   account-console
#   admin-cli
#   broker
#   master-realm
#   security-admin-console

In general, clients can be generated by running a command similar to:

openapi-generator generate -i 'https://github.com/ccouzens/keycloak-openapi/raw/main/keycloak/13.0-patched.json' -g 'typescript-axios' -o 'src/keycloak-client'

Keycloak OpenAPI Transformer

All the OpenAPI definitions are generated from the published HTML documentation. This tool transforms the HTML documentation into OpenAPI definitions.

HTML of the documentation is inputted through stdin and the JSON of the definition is outputted through stdout.

Requirements

Building Red Hat Single Sign-On definitions or rebuilding Keycloak's definitions requires:

• make
• Rust
• yq

Building the transformer requires Rust.

Building the example app requires Node and Java.

Running the keycloak instance that pairs with the example app requires Docker.

Licensing

The OpenAPI definitions are Apache 2.0 licensed.

The transformer is MIT licensed.

The example app has a CC0 waiver (has had its copyright waived).