Tags: keycloak, keycloak-services, keycloak-rest-api

How to get the password expired date of a user in Keycloak


I am now using Keycloak 18.0.1.

When a user logs in to my system via Keycloak, I want to know exactly when the password will expire. For your information, I'm using keycloak-angular and keycloak-js.

I have searched on https://www.keycloak.org/docs-api/15.0/rest-api/index.html#_passwordpolicytyperepresentation but it doesn't have an API that suits my needs.


Solution

  • This API returns the details of a policy.

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
    

    Example

    http://localhost:8080/auth/admin/realms/test/clients/246d7abb-da85-420b-92b4-65b1b3d287c1/authz/resource-server/policy/04dbe6e9-a1d3-449a-b001-42eab0eb51e6
    

    Result

    {
        "id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
        "name": "policy1",
        "description": "short term license",
        "type": "time",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
            "noa": "2023-03-02 12:35:45",
            "nbf": "2022-01-02 01:02:06"
        }
    }
    

    This result corresponds to the following UI information.

    Example: a time-based policy returns the time period.

    Overview

    On the left side, the setup order in the UI.

    On the right side, the information obtained by API call. I think you are interested in blue circle #10.

    I will demo how a user can access a resource via a time-based policy. Example: license control by time period.

    Overview

    UI setup

    UI setup

    API

    I am using Keycloak v18.0.1 (if you use v19/v20, just remove "auth" from the API endpoint path).

    Get User

    GET {keycloak_url}/auth/admin/realms/{realm}/users/{user-uuid}
    

    Get Client

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}
    

    Get Resource list

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/
    

    Get Resource

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/resource/{resource-uuid}
    

    Get Permissions & Policy list

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy
    

    Example in Postman - you can see the time period information in the red box.

    Get policy of specific permission

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{permission-uuid}/associatedPolicies
    


    User mapped into policy

    GET {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/{policy-uuid}
    

    The user list is returned in the body of the response.

    {
        "id": {policy-uuid},
        "name": {policy-name},
        "config": {
            "users": "[array of {user-uuid}]"
        }
    }
    


    Evaluate by UI


    Result (note the permission's Decision Strategy):

    #1 Unanimous (AND - policy1 and policy2), then Permit

    #2 Affirmative (OR - policy1 or policy2), then Permit

    If a policy is made expired, the result will be Deny, due to the AND condition.

    Evaluate by API

    POST {keycloak_url}/auth/admin/realms/{realm}/clients/{client-uuid}/authz/resource-server/policy/evaluate
    

    In the body:

    {
      "resources": [
        {
          "name": <resource-name>,
          "owner": {
            "id": <client-uuid>,
            "name": <client-name>
          },
          "ownerManagedAccess": false,
          "_id": <resource-uuid>,
          "uris": [],
          "scopes": []
        }
      ],
      "context": { "attributes": {} },
      "roleIds": [],
      "clientId": <client-uuid>,
      "userId": <user-uuid>,
      "entitlements": false
    }
    

    Evaluate by Postman

    Result

    {
        "results": [
            {
                "resource": {
                    "name": "resource1",
                    "_id": "3cb04615-ed9f-42a6-ab77-4254bf470891"
                },
                "scopes": [],
                "policies": [
                    {
                        "policy": {
                            "id": "8597a6b3-ba5f-4849-9987-9a57b2f3db90",
                            "name": "permissions1",
                            "type": "resource",
                            "resources": [
                                "resource1"
                            ],
                            "scopes": [],
                            "logic": "POSITIVE",
                            "decisionStrategy": "UNANIMOUS",
                            "config": {}
                        },
                        "status": "DENY",
                        "associatedPolicies": [
                            {
                                "policy": {
                                    "id": "6b2a4cce-f6ba-48eb-a8d4-ee3aad88c677",
                                    "name": "policy-user",
                                    "type": "user",
                                    "resources": [],
                                    "scopes": [],
                                    "logic": "POSITIVE",
                                    "decisionStrategy": "UNANIMOUS",
                                    "config": {}
                                },
                                "status": "PERMIT",
                                "associatedPolicies": [],
                                "scopes": []
                            },
                            {
                                "policy": {
                                    "id": "04dbe6e9-a1d3-449a-b001-42eab0eb51e6",
                                    "name": "policy1",
                                    "description": "short term license",
                                    "type": "time",
                                    "resources": [],
                                    "scopes": [],
                                    "logic": "POSITIVE",
                                    "decisionStrategy": "UNANIMOUS",
                                    "config": {}
                                },
                                "status": "DENY",
                                "associatedPolicies": [],
                                "scopes": []
                            }
                        ],
                        "scopes": []
                    }
                ],
                "status": "DENY",
                "allowedScopes": []
            }
        ],
        "entitlements": false,
        "status": "DENY",
        "rpt": {
            "exp": 1677207180,
            "iat": 1677206880,
            "jti": "c0f813e4-eff1-4c4a-9c65-4cc31fcc54a8",
            "aud": "my-test",
            "sub": "fd3d621a-565c-4dfb-b476-b605faadd798",
            "typ": "Bearer",
            "azp": "my-test",
            "session_state": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0",
            "acr": "1",
            "allowed-origins": [
                "http://localhost:3000"
            ],
            "realm_access": {
                "roles": [
                    "default-roles-test",
                    "offline_access",
                    "uma_authorization"
                ]
            },
            "resource_access": {
                "account": {
                    "roles": [
                        "manage-account",
                        "manage-account-links",
                        "view-profile"
                    ]
                }
            },
            "authorization": {
                "permissions": []
            },
            "scope": "email profile",
            "sid": "45f5a765-e95f-48cb-95ea-36e4a6ca22a0",
            "email_verified": true,
            "preferred_username": "user1",
            "email": "user1@test.com"
        }
    }
    

    References

    how to get all keycloak users who can access to a specific resource

    logic when evaluating permissions for a shared resource in keycloak
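The answer above reads the validity window of a time-based authorization policy out of the admin REST API's policy representation and shows how the permission's decision strategy combines the associated policies. The following is an added example, not code from the question, the answer or Keycloak itself: it parses the "nbf"/"noa" values in the shape the answer shows, decides whether the policy is valid at a given instant and how long until it expires, combines policy statuses per decision strategy, and lists which associated policies denied in an evaluate response. It assumes Node.js, and it assumes the policy timestamps are in UTC (Keycloak writes them in the server's time zone, so adjust the parser for your deployment). The sample policy and evaluation objects are constructed for the example; the UUID is a placeholder. Keep in mind that the /admin/realms endpoints require an administrator token, so this logic belongs in a backend service, not in a browser client holding the end user's token.

```javascript
// Added example (not from the question, the answer or Keycloak): interpret a
// Keycloak time-based policy representation and an evaluate response.
// Assumes Node.js. Policy times are treated as UTC here (an assumption;
// Keycloak stores them in the server's local time zone).

// Keycloak serializes time-policy bounds as "yyyy-MM-dd HH:mm:ss" (see the
// "nbf" / "noa" values shown in the answer).
function parsePolicyTime(value) {
  const m = /^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})$/.exec(value);
  if (!m) throw new Error(`unexpected time format: ${value}`);
  const [, y, mo, d, h, mi, s] = m.map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, s));
}

// Evaluates a time policy at `now`. "nbf" = not before, "noa" = not on or
// after. NEGATIVE logic inverts the outcome. Returns the bounds, the time
// remaining until expiry (ms, null if unbounded) and PERMIT / DENY.
function evaluateTimePolicy(policy, now = new Date()) {
  if (policy.type !== "time") throw new Error(`not a time policy: ${policy.type}`);
  const cfg = policy.config || {};
  const notBefore = cfg.nbf ? parsePolicyTime(cfg.nbf) : null;
  const notOnOrAfter = cfg.noa ? parsePolicyTime(cfg.noa) : null;
  let status = "PERMIT";
  if (notBefore && now < notBefore) status = "DENY";
  if (notOnOrAfter && now >= notOnOrAfter) status = "DENY";
  if (policy.logic === "NEGATIVE") status = status === "PERMIT" ? "DENY" : "PERMIT";
  return {
    notBefore,
    notOnOrAfter,
    expiresInMs: notOnOrAfter ? notOnOrAfter.getTime() - now.getTime() : null,
    status,
  };
}

// Combines associated-policy statuses the way a permission's decision
// strategy does: UNANIMOUS = all must permit (AND), AFFIRMATIVE = at least
// one must permit (OR), CONSENSUS = more permits than denies. No policies
// means no grant.
function combineStatuses(statuses, decisionStrategy) {
  if (statuses.length === 0) return "DENY";
  const permits = statuses.filter((s) => s === "PERMIT").length;
  switch (decisionStrategy) {
    case "UNANIMOUS":
      return permits === statuses.length ? "PERMIT" : "DENY";
    case "AFFIRMATIVE":
      return permits > 0 ? "PERMIT" : "DENY";
    case "CONSENSUS":
      return permits > statuses.length - permits ? "PERMIT" : "DENY";
    default:
      throw new Error(`unknown decision strategy: ${decisionStrategy}`);
  }
}

// Walks an evaluate response (results -> policies -> associatedPolicies) and
// returns the names of the associated policies that denied, which is what
// you want to log when a user is unexpectedly refused access.
function denyingPolicies(evaluation) {
  const names = [];
  for (const result of evaluation.results || []) {
    for (const perm of result.policies || []) {
      for (const assoc of perm.associatedPolicies || []) {
        if (assoc.status === "DENY") names.push(assoc.policy.name);
      }
    }
  }
  return names;
}

// Constructed sample data mirroring the shapes shown in the answer.
const SAMPLE_POLICY = {
  id: "00000000-0000-0000-0000-000000000000", // placeholder UUID
  name: "policy1",
  type: "time",
  logic: "POSITIVE",
  decisionStrategy: "UNANIMOUS",
  config: { nbf: "2022-01-02 01:02:06", noa: "2023-03-02 12:35:45" },
};

const SAMPLE_EVALUATION = {
  results: [
    {
      policies: [
        {
          policy: { name: "permissions1", decisionStrategy: "UNANIMOUS" },
          status: "DENY",
          associatedPolicies: [
            { policy: { name: "policy-user", type: "user" }, status: "PERMIT" },
            { policy: { name: "policy1", type: "time" }, status: "DENY" },
          ],
        },
      ],
      status: "DENY",
    },
  ],
  status: "DENY",
};

// Stand-alone usage.
const verdict = evaluateTimePolicy(SAMPLE_POLICY, new Date(Date.UTC(2022, 5, 1)));
console.log("policy1 on 2022-06-01:", verdict.status, "expires in ms:", verdict.expiresInMs);
console.log("denying policies:", denyingPolicies(SAMPLE_EVALUATION));
```

Feed `evaluateTimePolicy` the JSON returned by the policy endpoint in the answer and it gives you the instant the time policy stops permitting, which is the "expiry" of the license-style access the answer demonstrates. This is the validity window of an authorization policy; it is separate from the realm's password policy, which the question asks about.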