feat(keycloak): setting PKCE method for clients

keycloak/scripts/create-client.ts

@@ -27,6 +27,7 @@ const main = async () => {
   const sessionIdle = process.env.KEYCLOAK_CLIENT_SESSION_IDLE;
   const sessionMax = process.env.KEYCLOAK_CLIENT_SESSION_MAX;
   const directAccessGrants = process.env.KEYCLOAK_CLIENT_DIRECT_ACCESS_GRANTS;
+  const pkceMethod = process.env.KEYCLOAK_CLIENT_PKCE_METHOD;
 
   const kcAdminClient = new KcAdminClient({
     baseUrl: `https://${keycloakHost}`,
@@ -60,15 +61,18 @@ const main = async () => {
       directAccessGrantsEnabled: directAccessGrants === 'true',
     };
 
-    // Only set PKCE for public clients
-    if (isPublicClient) {
-      clientConfig.attributes = {
-        'pkce.code.challenge.method': 'S256'
-      };
-      console.log('Setting PKCE Code Challenge Method to S256 for public client');
+    // Configure PKCE based on environment variable
+    // KEYCLOAK_CLIENT_PKCE_METHOD can be: 'S256', 'plain', or unset/empty (no PKCE)
+    clientConfig.attributes = {};
+
+    if (pkceMethod && (pkceMethod === 'S256' || pkceMethod === 'plain')) {
+      clientConfig.attributes['pkce.code.challenge.method'] = pkceMethod;
+      console.log(`Setting PKCE Code Challenge Method to ${pkceMethod}`);
+    } else if (pkceMethod && pkceMethod !== '') {
+      console.warn(`Invalid PKCE method '${pkceMethod}'. Valid options: S256, plain, or empty for no PKCE`);
+      console.log('Creating client without PKCE');
     } else {
-      clientConfig.attributes = {};
-      console.log('Creating confidential client without PKCE');
+      console.log('Creating client without PKCE');
     }
 
     // Add session timeout settings if provided

keycloak/scripts/list-clients.ts

@@ -0,0 +1,64 @@
+import KcAdminClient from "@keycloak/keycloak-admin-client";
+import invariant from "tiny-invariant";
+
+const main = async () => {
+  const keycloakHost = process.env.KEYCLOAK_HOST;
+  invariant(keycloakHost, "KEYCLOAK_HOST environment variable is required.");
+
+  const adminUsername = process.env.KEYCLOAK_ADMIN_USER;
+  invariant(adminUsername, "KEYCLOAK_ADMIN_USER environment variable is required.");
+
+  const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
+  invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
+
+  const realmName = process.env.KEYCLOAK_REALM;
+  invariant(realmName, "KEYCLOAK_REALM environment variable is required");
+
+  const kcAdminClient = new KcAdminClient({
+    baseUrl: `https://${keycloakHost}`,
+    realmName: "master",
+  });
+
+  try {
+    await kcAdminClient.auth({
+      username: adminUsername,
+      password: adminPassword,
+      grantType: "password",
+      clientId: "admin-cli",
+    });
+
+    kcAdminClient.setConfig({ realmName });
+
+    const clients = await kcAdminClient.clients.find();
+
+    console.log(`Found ${clients.length} clients in realm '${realmName}':`);
+    console.log("");
+
+    clients.forEach((client, index) => {
+      const clientType = client.publicClient ? "Public" : "Confidential";
+      const status = client.enabled ? "Enabled" : "Disabled";
+      const protocol = client.protocol || "unknown";
+
+      console.log(`${(index + 1).toString().padStart(2, ' ')}. ${client.clientId}`);
+      console.log(`    ID: ${client.id}`);
+      console.log(`    Type: ${clientType}`);
+      console.log(`    Protocol: ${protocol}`);
+      console.log(`    Status: ${status}`);
+
+      if (client.redirectUris && client.redirectUris.length > 0) {
+        console.log(`    Redirect URIs: ${client.redirectUris.join(', ')}`);
+      }
+
+      if (client.webOrigins && client.webOrigins.length > 0) {
+        console.log(`    Web Origins: ${client.webOrigins.join(', ')}`);
+      }
+
+      console.log("");
+    });
+  } catch (error) {
+    console.error("An error occurred:", error);
+    process.exit(1);
+  }
+};
+
+main();