Identity Service Management

You can manage a client using the Keycloak administration panel or CLI.

Managing a Client Using the Keycloak Administration Panel

To manage a client, complete the following steps:

1. Log in to the Keycloak administration panel.
2. Select the required Realm according to the brand ID.
3. Go to Clients and perform the required action regarding a client.

Managing a Client Using the CLI

Creating a Client

To create a client, complete the following steps:

1. On the management node, create a JSON file with IDP client properties. Use the following client JSON template to create a client:

   {
   "name": "psaweb",
   "clientId": "psaweb",
   "baseUrl": "https://cp.us.na.cloud.im",
   "redirectUris": ["https://cp.us.na.cloud.im/*"],
   "clientAuthenticatorType": "client-secret",
   "publicClient": true,
   "protocol": "openid-connect",
   "defaultClientScopes": ["user_account_ids_v1"]
   }

   baseUrl and redirectUris must point to the brand. Use other parameters as is.

2. Copy this file to the IDP pod. Execute a client creation script on the IDP pod:

   # kubectl cp client.json $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/
   kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/create_client.py <brand_id>"

Backing Up a Client

1. Create the get-client-presentation.py script:
   get-client-presentation.py

   Copy

   import urllib
   import urllib2
   import json
   import sys
   import kc_cli_common as cc
    
    
   reaml_id = "sr%s" % sys.argv[1]
   client_id = sys.argv[2]
   print "getting client %s in realm %s" % (client_id, reaml_id)
    
   cc.authenticate()
   token = cc.get_access_token()
    
   url = "%s/admin/realms/%s/clients" % (cc.get_base_url(), reaml_id)
   params = {'clientId': client_id}
   query = urllib.urlencode(params)
   req = urllib2.Request(url + "?" + query, headers={"Authorization" : "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
   resp = urllib2.urlopen(req)
   print "response code: %s" % (resp.getcode(),)
   print "presentation of client is: \n%s" % (resp.read(),)

2. Copy this script to the IDP pod:

   # kubectl cp get-client-presentation.py $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/get-client-presentation.py

3. Run this script for each brand integrated with PSA:

   # kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/get-client-presentation.py ${brand-id} psaweb" > psaweb-client-brand-${brand-id}.txt

   where:

   ${brand-id}: the internal ID of the brand integrated with PSA.

Deleting a Client

1. Create the delete-client.py script:

   delete-client.py

   Copy

   import urllib
   import urllib2
   import json
   import sys
   import kc_cli_common as cc
    
    
   def get_client(base_url, token, reaml_id, client_id):
       print "getting client %s in realm %s" % (client_id, reaml_id)
       url = "%s/admin/realms/%s/clients" % (base_url, reaml_id)
       params = {'clientId': client_id}
       query = urllib.urlencode(params)
       req = urllib2.Request(url + "?" + query, headers={"Authorization" : "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
       resp = urllib2.urlopen(req)
       resp_data = resp.read()
       print "response code: %s, data: %s" % (resp.getcode(), resp_data)
       clients_json = json.loads(resp_data)
       print "client presentation: \n%s" % (clients_json[0],)
       return clients_json[0]
    
    
   def delete_client(base_url, token, reaml_id, client_id):
       client_json = get_client(base_url, token, reaml_id, client_id)
       internal_id = client_json["id"]
       url = "%s/admin/realms/%s/clients/%s" % (base_url, reaml_id, internal_id)
       req = urllib2.Request(url, headers={"Authorization" : "bearer %s" % token, "Content-Type": "application/json;charset=UTF-8"})
       req.get_method = lambda: 'DELETE'
       resp = urllib2.urlopen(req)
       print "response code: %s" % (resp.getcode(),)
    
    
   reaml_id = "sr%s" % sys.argv[1]
   client_id = sys.argv[2]
    
   cc.authenticate()
   base_url = cc.get_base_url()
   token = cc.get_access_token()
    
   delete_client(base_url, token, reaml_id, client_id)

2. Copy this script to the IDP pod:

   # kubectl cp get-client-presentation.py $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2):/opt/jboss/scripts/get-client-presentation.py

3. Run this script for each brand integrated with PSA:

   # kubectl exec $(kubectl get pods -o name -l app=idp-backend | cut -d'/' -f 2) -- bash -c "cd scripts && python /opt/jboss/scripts/delete-client.py ${brand-id} psaweb"

   where:

   ${brand-id}: the internal ID of the brand integrated with PSA.