
request and revoke Keycloak APIKey #182

Open
leoraba opened this issue Sep 13, 2023 · 3 comments

leoraba commented Sep 13, 2023

No description provided.

@leoraba leoraba self-assigned this Sep 13, 2023

leoraba commented Sep 15, 2023

Keycloak API endpoints:

  • GET api_keys : list apikeys by user
  • DELETE api_keys : revoke apiKeys
  • POST api_keys : issue apikey
  • POST check_api_key : check apikey


joneubank commented Sep 20, 2023

Authorization Changes:

  • GET should require that the Access Token's User ID matches the user-id provided in the parameter, otherwise 403
  • DELETE should require that the Access Token's User ID matches the request user-id parameter, or that the request comes from an admin user revoking another user's token.
  • Create API Key should check that the user ID in the request matches the access token (or an admin user), and that the scopes in the request are included in that access token (scopes are available to that user)
  • Check API Key can be used by the user that owns the API Key by providing their access token, or can be used by a Keycloak-registered client using the client auth credentials (such as basic auth)

Check API Response:
Should include an isValid boolean property that indicates whether the token is invalid because it was revoked or expired. If the token is not valid, the response should include a property called message that explains the reason the token is invalid (such as "expired" or "revoked"). When the token is invalid, the response would look like:

{
  "isValid": false,
  "message": "API Key was revoked",
  "exp": 1234556,
  "isRevoked": true,
  "userId": "asdf-1234-asdf"
}

Valid Response:

{
  "isValid": true,
  "exp": 1234556,
  "isRevoked": false,
  "scopes": [
    "asdf.READ",
    "qwerty.WRITE"
  ],
  "userId": "asdf-1234-asdf"
}
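The authorization rules and the check_api_key response shape proposed in the comment above, modelled in plain Python as an added illustration. This is not the keycloak-apikeys project's code and does not use the Keycloak SPI; the role name "admin", the token fields (sub, roles, scopes), the key record fields and the "authenticated" flag on a client principal are assumptions made for the example, and the tokens and key records are constructed sample data.

```python
"""Added illustration of the proposed API key authorization rules and the
check_api_key response (not the keycloak-apikeys project's own code)."""
import time

# Assumed role that marks an admin; the issue does not name the role.
ADMIN_ROLE = "admin"


class Forbidden(Exception):
    """Raised where the proposal says the endpoint should answer 403."""


def _is_admin(token):
    return ADMIN_ROLE in token.get("roles", ())


def authorize_list(token, user_id):
    """GET api_keys: the access token's subject must be the requested user.
    No admin exception is proposed for listing, so admins are refused too."""
    if token["sub"] != user_id:
        raise Forbidden("user id in request does not match access token")


def authorize_revoke(token, user_id):
    """DELETE api_keys: the owner, or an admin revoking another user's key."""
    if token["sub"] != user_id and not _is_admin(token):
        raise Forbidden("only the owner or an admin may revoke this key")


def authorize_issue(token, user_id, scopes):
    """POST api_keys: owner or admin, and every requested scope must already be
    carried by the access token (a key can never exceed the caller's scopes)."""
    if token["sub"] != user_id and not _is_admin(token):
        raise Forbidden("only the owner or an admin may issue a key for this user")
    missing = set(scopes) - set(token.get("scopes", ()))
    if missing:
        raise Forbidden("scopes not available to caller: %s" % sorted(missing))


def authorize_check(key, token=None, client=None):
    """POST check_api_key: the key's owner (by access token) or a registered
    client that authenticated with its own credentials (assumed flag)."""
    if client is not None and client.get("authenticated"):
        return
    if token is not None and token["sub"] == key["userId"]:
        return
    raise Forbidden("caller may not check this key")


def check_api_key(key, now=None):
    """Build the check response in the proposed shape. Revocation is reported
    before expiry so a revoked key never reads as merely expired."""
    now = int(time.time()) if now is None else now
    resp = {"exp": key["exp"], "isRevoked": key["isRevoked"], "userId": key["userId"]}
    if key["isRevoked"]:
        resp.update(isValid=False, message="API Key was revoked")
    elif key["exp"] <= now:
        resp.update(isValid=False, message="API Key has expired")
    else:
        resp.update(isValid=True, scopes=list(key["scopes"]))
    return resp


def allowed(check, *args, **kwargs):
    """True if an authorization rule passes, False if it raises Forbidden."""
    try:
        check(*args, **kwargs)
        return True
    except Forbidden:
        return False


# Constructed sample data (not real tokens or keys).
OWNER_TOKEN = {"sub": "asdf-1234-asdf", "roles": [], "scopes": ["asdf.READ", "qwerty.WRITE"]}
ADMIN_TOKEN = {"sub": "admin-0001", "roles": [ADMIN_ROLE], "scopes": ["asdf.READ"]}
OTHER_TOKEN = {"sub": "zxcv-9999", "roles": [], "scopes": ["asdf.READ"]}
VALID_KEY = {"userId": "asdf-1234-asdf", "exp": 1234556, "isRevoked": False,
             "scopes": ["asdf.READ", "qwerty.WRITE"]}
REVOKED_KEY = dict(VALID_KEY, isRevoked=True)

if __name__ == "__main__":
    print(check_api_key(VALID_KEY, now=1000))
    print(check_api_key(REVOKED_KEY, now=1000))
    print("admin may list another user's keys:", allowed(authorize_list, ADMIN_TOKEN, "asdf-1234-asdf"))
    print("admin may revoke another user's key:", allowed(authorize_revoke, ADMIN_TOKEN, "asdf-1234-asdf"))
```

The scope subset check in authorize_issue is the important one: an API key is a long-lived bearer credential, so letting a caller mint a key with scopes their own access token does not hold would be a privilege escalation path.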


leoraba commented Sep 25, 2023

keycloak-apikeys is a Java project created to extend Keycloak to add a customized solution to implement apiKeys.
It has 4 new REST endpoints to allow users to manipulate apiKeys, as described in previous comments.
