baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(keycloak): creating scope, setting realm token lifespan

Browse Source
This commit is contained in:
Masaki Yatsu
2025-09-19 18:12:06 +09:00
parent 34ecf7fd28
commit 1860b0864b
3 changed files with 175 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
keycloak/justfile
View File

@@ -149,7 +149,7 @@ uninstall-operator:
kubectl delete -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/${KEYCLOAK_OPERATOR_VERSION}/kubernetes/keycloaks.k8s.keycloak.org-v1.yml --ignore-not-found
# Create Keycloak realm
create-realm create-client-for-k8s='true' access_token_lifespan='3600' refresh_token_lifespan='14400' sso_session_idle_timeout='7200':
create-realm create-client-for-k8s='true' access_token_lifespan='43200' refresh_token_lifespan='86400' sso_session_idle_timeout='7200':
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
@@ -268,7 +268,6 @@ delete-client realm client_id:
export KEYCLOAK_CLIENT_ID={{ client_id }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/delete-client.ts
# Add attribute mapper for Keycloak client
add-attribute-mapper client_id attribute_name display_name='' claim_name='' options='' default_value='' mapper_name='' view_perms='admin,user' edit_perms='admin':
#!/bin/bash
@@ -528,16 +527,32 @@ default-admin-password:
show-realm-token-settings realm:
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/show-realm-token-settings.ts
# Update realm token settings (access token lifespan, refresh token lifespan, etc.)
update-realm-token-settings realm access_token_lifespan='3600' refresh_token_lifespan='1800':
update-realm-token-settings realm access_token_lifespan='' refresh_token_lifespan='':
#!/bin/bash
set -euo pipefail
export KEYCLOAK_REALM={{ realm }}
export ACCESS_TOKEN_LIFESPAN={{ access_token_lifespan }}
export REFRESH_TOKEN_LIFESPAN={{ refresh_token_lifespan }}
while [ -z "${ACCESS_TOKEN_LIFESPAN}" ]; do
ACCESS_TOKEN_LIFESPAN=$(
gum input --prompt="Access token lifespan (in seconds): " --width=100 \
--placeholder="e.g., 43200 for 12 hours" --value="43200"
)
done
while [ -z "${REFRESH_TOKEN_LIFESPAN}" ]; do
REFRESH_TOKEN_LIFESPAN=$(
gum input --prompt="Refresh token lifespan (in seconds): " --width=100 \
--placeholder="e.g., 86400 for 24 hours" --value="86400"
)
done
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/update-realm-token-settings.ts
# Create Keycloak client role
@@ -627,3 +642,25 @@ remove-user-from-client-role realm username client_id role_name:
export KEYCLOAK_CLIENT_ID={{ client_id }}
export KEYCLOAK_ROLE_NAME={{ role_name }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/remove-user-from-client-role.ts
# Create client scope
create-client-scope realm scope_name description='':
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
export SCOPE_NAME={{ scope_name }}
export DESCRIPTION="{{ description }}"
dotenvx run -q -f ../.env.local -- tsx ./scripts/create-client-scope.ts
# Add scope to client
add-scope-to-client realm client_id scope_name:
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
export KEYCLOAK_CLIENT_ID={{ client_id }}
export SCOPE_NAME={{ scope_name }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/add-scope-to-client.ts

69
keycloak/scripts/add-scope-to-client.ts Normal file
View File

@@ -0,0 +1,69 @@
#!/usr/bin/env tsx
import KcAdminClient from '@keycloak/keycloak-admin-client';
import invariant from 'tiny-invariant';
const main = async () => {
const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
const realm = process.env.KEYCLOAK_REALM;
const clientId = process.env.KEYCLOAK_CLIENT_ID;
const scopeName = process.env.SCOPE_NAME;
invariant(KEYCLOAK_HOST, 'KEYCLOAK_HOST environment variable is required');
invariant(KEYCLOAK_ADMIN_USER, 'KEYCLOAK_ADMIN_USER environment variable is required');
invariant(KEYCLOAK_ADMIN_PASSWORD, 'KEYCLOAK_ADMIN_PASSWORD environment variable is required');
invariant(realm, 'KEYCLOAK_REALM environment variable is required');
invariant(clientId, 'KEYCLOAK_CLIENT_ID environment variable is required');
invariant(scopeName, 'SCOPE_NAME environment variable is required');
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${KEYCLOAK_HOST}`,
realmName: 'master',
});
try {
await kcAdminClient.auth({
username: KEYCLOAK_ADMIN_USER,
password: KEYCLOAK_ADMIN_PASSWORD,
grantType: 'password',
clientId: 'admin-cli',
});
console.log('Authentication successful.');
// Set target realm
kcAdminClient.setConfig({
realmName: realm,
});
// Find the client
const clients = await kcAdminClient.clients.find({ clientId });
if (clients.length === 0) {
throw new Error(`Client '${clientId}' not found`);
}
const client = clients[0];
// Find the client scope
const clientScopes = await kcAdminClient.clientScopes.find();
const scope = clientScopes.find(s => s.name === scopeName);
if (!scope) {
throw new Error(`Client scope '${scopeName}' not found`);
}
// Add scope to client as default scope
await kcAdminClient.clients.addDefaultClientScope({
id: client.id!,
clientScopeId: scope.id!,
});
console.log(`Client scope '${scopeName}' added to client '${clientId}' as default scope.`);
} catch (error) {
console.error('Error adding scope to client:', error);
process.exit(1);
}
};
main();

65
keycloak/scripts/create-client-scope.ts Normal file
View File

@@ -0,0 +1,65 @@
#!/usr/bin/env tsx
import KcAdminClient from '@keycloak/keycloak-admin-client';
import invariant from 'tiny-invariant';
const main = async () => {
const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
const realm = process.env.KEYCLOAK_REALM;
const scopeName = process.env.SCOPE_NAME;
const description = process.env.DESCRIPTION || '';
invariant(KEYCLOAK_HOST, 'KEYCLOAK_HOST environment variable is required');
invariant(KEYCLOAK_ADMIN_USER, 'KEYCLOAK_ADMIN_USER environment variable is required');
invariant(KEYCLOAK_ADMIN_PASSWORD, 'KEYCLOAK_ADMIN_PASSWORD environment variable is required');
invariant(realm, 'KEYCLOAK_REALM environment variable is required');
invariant(scopeName, 'SCOPE_NAME environment variable is required');
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${KEYCLOAK_HOST}`,
realmName: 'master',
});
try {
await kcAdminClient.auth({
username: KEYCLOAK_ADMIN_USER,
password: KEYCLOAK_ADMIN_PASSWORD,
grantType: 'password',
clientId: 'admin-cli',
});
console.log('Authentication successful.');
// Set target realm
kcAdminClient.setConfig({
realmName: realm,
});
// Check if scope already exists
const existingScopes = await kcAdminClient.clientScopes.find();
const existingScope = existingScopes.find(scope => scope.name === scopeName);
if (existingScope) {
console.log(`Client scope '${scopeName}' already exists.`);
return;
}
// Create client scope
const result = await kcAdminClient.clientScopes.create({
name: scopeName,
description: description || `${scopeName} scope`,
protocol: 'openid-connect',
includeInTokenScope: true,
});
console.log(`Client scope '${scopeName}' created successfully with ID: ${result.id}`);
} catch (error) {
console.error('Error creating client scope:', error);
process.exit(1);
}
};
main();