OpenAPI definitions for Keycloak's Admin API.
These can be used to generate libraries for interacting with Keycloak from any mainstream programming language.
OpenAPI definitions are sometimes known by their previous name of Swagger specifications.
Keycloak 13.0 Admin API with patches
Red Hat Single Sign-On Admin API definitions are not distributed in this repository, but can be generated.
make keycloak/sso-6.json keycloak/sso-7.3.json keycloak/sso-7.4.json
Typically, to use Keycloak's Admin REST API, you first get a token from a realm. This is done using the OAuth2 protocol.
bearer_token=$(curl -X POST 'http://localhost:8080/auth/realms/master/protocol/openid-connect/token' \
--data-urlencode 'username=admin-user' \
--data-urlencode 'password=admin-password' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=admin-cli' \
| jq -r '.access_token')
The realm used for the token is not necessarily the realm used in the API.
The endpoints in this specification can then be used with a base url of the form
http://localhost:8080/auth/admin/realms
and the above bearer token.
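The token request and the Admin API call described above, combined into one flow as an added example (not code from this repository). The function names and the injectable `fetchImpl` parameter are illustrative; `clients` is the Admin API path for listing a realm's clients, and the token realm and target realm are separate arguments because they need not match.

```javascript
// Added example, not from the keycloak-openapi repository. Function names are illustrative.

// Step 1: password-grant request against the realm that issues the token.
function tokenRequest(base, tokenRealm, username, password) {
  const body = new URLSearchParams({
    username, password, grant_type: 'password', client_id: 'admin-cli',
  });
  return {
    url: `${base}/realms/${encodeURIComponent(tokenRealm)}/protocol/openid-connect/token`,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Step 2: Admin API request. targetRealm may differ from the token's realm.
function adminRequest(base, targetRealm, path, token) {
  return {
    url: `${base}/admin/realms/${encodeURIComponent(targetRealm)}/${path}`,
    init: { headers: { Authorization: `Bearer ${token}` } },
  };
}

// Diagnostic only: read the issuing realm from the unverified `iss` claim,
// which Keycloak sets to <base>/realms/<realm>.
function issuingRealm(accessToken) {
  const payload = accessToken.split('.')[1];
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  return claims.iss.split('/realms/')[1];
}

// Both steps together; fetchImpl is injectable so the flow can be exercised offline.
async function listClientIds(base, tokenRealm, targetRealm, creds, fetchImpl = fetch) {
  const t = tokenRequest(base, tokenRealm, creds.username, creds.password);
  const tokenRes = await fetchImpl(t.url, t.init);
  if (!tokenRes.ok) throw new Error(`token request failed: HTTP ${tokenRes.status}`);
  const { access_token: token } = await tokenRes.json();
  const a = adminRequest(base, targetRealm, 'clients', token);
  const res = await fetchImpl(a.url, a.init);
  if (!res.ok) throw new Error(`admin request failed: HTTP ${res.status}`);
  return (await res.json()).map((c) => c.clientId);
}
```

Against the local instance from this page, `listClientIds('http://localhost:8080/auth', 'master', 'master', { username, password })` returns the client IDs of the master realm; it needs a Node version that provides a global `fetch`.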
Please see the example app.
The definitions are computer generated, but could do with a human's input.
Please provide additional example apps.
2021 Early - Renamed master branch to main. Anyone fetching the schema directly from the branch should update their reference.
2020 May - Added tags to operations. Users of OpenAPI Generator generated clients will need to swap from using the DefaultApi class to multiple classes such as UsersApi or ClientsApi.
This example uses openapi-generator to build an API-client. The app in the example is very simple and only fetches a list of Keycloak-clients.
# Create a keycloak instance to run against
docker container run --rm -e KEYCLOAK_USER=admin-user -e KEYCLOAK_PASSWORD=admin-password -p 8080:8080 docker.io/jboss/keycloak:13.0.0
# Open http://localhost:8080/ and wait for keycloak to start up
# In a second terminal run
cd example_app
npm install
npm run generate-client
npm run compile
node dist/index.js
# prints out
# The default clients:
# account
# account-console
# admin-cli
# broker
# master-realm
# security-admin-console
In general, clients can be generated by running a command similar to:
openapi-generator generate -i 'https://github.com/ccouzens/keycloak-openapi/raw/main/keycloak/13.0-patched.json' -g 'typescript-axios' -o 'src/keycloak-client'
All the OpenAPI definitions are generated from the published HTML documentation. This tool transforms the HTML documentation into OpenAPI definitions.
The HTML of the documentation is read from stdin and the JSON of the definition is written to stdout.
Building Red Hat Single Sign-On definitions or rebuilding Keycloak's definitions requires:
Building the transformer requires Rust.
Building the example app requires Node and Java.
Running the keycloak instance that pairs with the example app requires Docker.
The OpenAPI definitions are Apache 2.0 licensed.
The transformer is MIT licensed.
The example app has a CC0 waiver (has had its copyright waived).