From 7bc24641d8b973a07503f3a9db5e6ab60ef0639e Mon Sep 17 00:00:00 2001
From: Masaki Yatsu
Date: Fri, 19 Sep 2025 15:16:01 +0900
Subject: [PATCH] feat(keycloak): set access token lifespan
---
 keycloak/justfile | 1 +
 keycloak/scripts/create-client.ts | 8 ++++++++
 2 files changed, 9 insertions(+)
diff --git a/keycloak/justfile b/keycloak/justfile
index 5092955..8f537e4 100644
--- a/keycloak/justfile
+++ b/keycloak/justfile
@@ -233,6 +233,7 @@ create-client *args:
 # client_direct_access_grants: Whether to enable direct access grants (true/false)
 # client_pkce_method: PKCE method ('S256', 'plain' or empty)
 # post_logout_redirect_uris: Post logout redirect URIs (comma-separated input, converted to Keycloak ## format)
+ # access_token_lifespan: Access token lifespan in seconds
 set -euo pipefail
 export KEYCLOAK_ADMIN_USER=$(just admin-username)
 export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
diff --git a/keycloak/scripts/create-client.ts b/keycloak/scripts/create-client.ts
index b356a8c..ff1c8e2 100644
--- a/keycloak/scripts/create-client.ts
+++ b/keycloak/scripts/create-client.ts
@@ -29,6 +29,7 @@ const main = async () => {
 const directAccessGrants = process.env.KEYCLOAK_CLIENT_DIRECT_ACCESS_GRANTS;
 const pkceMethod = process.env.KEYCLOAK_CLIENT_PKCE_METHOD;
 const postLogoutRedirectUris = process.env.KEYCLOAK_POST_LOGOUT_REDIRECT_URIS;
+ const accessTokenLifespan = process.env.KEYCLOAK_ACCESS_TOKEN_LIFESPAN;
 const kcAdminClient = new KcAdminClient({
 baseUrl: `https://${keycloakHost}`,
@@ -96,6 +97,13 @@ const main = async () => {
 console.log(`Setting Post Logout Redirect URIs: ${postLogoutUris.join(', ')}`);
 }
+ // Add access token lifespan if provided
+ if (accessTokenLifespan && accessTokenLifespan !== '') {
+ clientConfig.attributes = clientConfig.attributes || {};
+ clientConfig.attributes['access.token.lifespan'] = accessTokenLifespan;
+ console.log(`Setting Access Token Lifespan: ${accessTokenLifespan} seconds`);
+ }
+
 if (directAccessGrants === 'true') {
 console.log('Enabling Direct Access Grants (Resource Owner Password Credentials)');
 }
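Review bot: `accessTokenLifespan` goes from the environment into `clientConfig.attributes['access.token.lifespan']` unchecked, so a typo such as `1h`, a negative number or an accidentally huge value is sent to Keycloak as-is. As far as I know this attribute overrides the realm's access-token lifetime for the client, and an over-long value lengthens the time a leaked bearer token stays usable. I would reject anything that is not a positive integer before assigning it, e.g. `if (!/^[1-9]\d*$/.test(accessTokenLifespan)) throw new Error('KEYCLOAK_ACCESS_TOKEN_LIFESPAN must be a positive integer number of seconds');`, and consider an upper bound the project is comfortable with. The `accessTokenLifespan !== ''` half of the condition is redundant, since an empty string is already falsy. `main` starts and ends outside this hunk, so how a thrown error is reported there should be checked.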