Authorization Service API Examples

The following are simple Python examples of how to call the API. The list is not exhaustive: all endpoints can be found on the Authorization Service API Swagger Interface.

Applications can be added to groups through the Application Portal.

Get an API token

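import requests

keycloak_api_token_endpoint = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token"

# Client-credentials grant: the application authenticates as itself and asks
# for a token whose audience is the Authorization Service API.
token_resp = requests.post(
    keycloak_api_token_endpoint,
    data={
        "grant_type": "client_credentials",
        "client_id": "MY_CLIENT",
        "client_secret": "MY_SECRET",
        "audience": "authorization-service-api",
    },
    headers={"Content-Type": "application/x-www-form-urlencoded"},
)
# Stop here on a rejected request instead of failing on a missing key below.
token_resp.raise_for_status()

api_token = token_resp.json()["access_token"]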
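
The token request above, wrapped as an added example that is not part of the original documentation: the client secret is read from the environment rather than written into the script, and the token is reused until shortly before it expires. The environment variable names, the 30-second margin, the 60-second fallback lifetime and the standard-library transport (used here in place of requests) are assumptions of this example.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://keycloak-dev.cern.ch/auth/realms/cern/api-access/token"


def _post_form(url, form):
    """Default transport: POST a urlencoded form and return the parsed JSON body."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on HTTP 4xx/5xx
        return json.load(resp)


class ApiTokenCache:
    """Fetches a client-credentials token and reuses it until shortly before expiry."""

    def __init__(self, client_id, client_secret, post=_post_form, clock=time.monotonic, skew=30):
        self._form = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "audience": "authorization-service-api",
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def get(self):
        if self._token is None or self._clock() >= self._expires_at:
            payload = self._post(TOKEN_ENDPOINT, self._form)
            if "access_token" not in payload:
                # Report only the OAuth error code, never the form (it holds the secret).
                raise RuntimeError("token request failed: {}".format(payload.get("error", "unknown")))
            self._token = payload["access_token"]
            # expires_in is the standard OAuth 2.0 lifetime field; assume 60 s if absent.
            lifetime = int(payload.get("expires_in", 60))
            self._expires_at = self._clock() + max(0, lifetime - self._skew)
        return self._token

    def auth_header(self):
        return {"Authorization": "Bearer {}".format(self.get())}


def cache_from_env():
    # AUTHZ_CLIENT_ID and AUTHZ_CLIENT_SECRET are hypothetical variable names.
    return ApiTokenCache(os.environ["AUTHZ_CLIENT_ID"], os.environ["AUTHZ_CLIENT_SECRET"])
```

The dictionary returned by `auth_header()` can be passed as `headers=` in the calls that follow.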

Get the Identity object of the caller

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"

me = requests.get(
    "{}Identity/current".format(authzsvc_endpoint),
    headers={"Authorization": "Bearer {}".format(api_token)},
)

my_id = me.json()["data"]["id"]

Update an application

Prerequisites: the client used to request the token must:

  • Be a member of the administrator group for the application
  • Be a member of authorization-service-applications-users

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
application_id = "08d9421f-1b3f-4785-8889-5034fa343418"

# Create a new role on the application.
new_role = requests.post(
    "{0}Application/{1}/roles".format(authzsvc_endpoint, application_id),
    headers={"Authorization": "Bearer {}".format(api_token)},
    json={
        "name": "testrole",
        "displayName": "test role",
        "description": "testing role creation",
        "required": False,
        "multifactor": False,
        "applyToAllUsers": False,
        "minimumLoaId": "f0000000-0000-0000-0000-0000000000b4",
        "applicationId": application_id,
    },
)

Get group memberships

Prerequisites: the client used to request the token must:

  • Be a member of the administrator group of the group to be updated

OR

  • Be a member of authorization-service-groups-readers

authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
my_group = "testgroup"

my_group_members = requests.get(
    "{0}Group/{1}/memberidentities".format(authzsvc_endpoint, my_group),
    headers={"Authorization": "Bearer {}".format(api_token)},
)

Add external members to a group

Prerequisites: the client used to request the token must:

  • Be a member of the administrator group of the group to be updated

email = "test77@example.com"
authzsvc_endpoint = "https://authorization-service-api-dev.web.cern.ch/api/v1.0/"
my_group = "testgroup"

my_group_new_member = requests.post(
    "{0}Group/{1}/memberidentities/external".format(authzsvc_endpoint, my_group),
    # Pass the address via params so requests URL-encodes it; a "+" pasted
    # into the URL unencoded would be read by the server as a space.
    params={"emails": email},
    headers={"Authorization": "Bearer {}".format(api_token)},
)