baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(keycloak): client role management

Browse Source
This commit is contained in:
Masaki Yatsu
2025-09-10 16:34:01 +09:00
parent 7629ea8032
commit 9780753a81
4 changed files with 281 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
keycloak/justfile
View File

@@ -434,3 +434,38 @@ update-realm-token-settings realm access_token_lifespan='3600' refresh_token_lif
export ACCESS_TOKEN_LIFESPAN={{ access_token_lifespan }} export ACCESS_TOKEN_LIFESPAN={{ access_token_lifespan }}
export REFRESH_TOKEN_LIFESPAN={{ refresh_token_lifespan }} export REFRESH_TOKEN_LIFESPAN={{ refresh_token_lifespan }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/update-realm-token-settings.ts dotenvx run -q -f ../.env.local -- tsx ./scripts/update-realm-token-settings.ts
# Create Keycloak client role
create-client-role realm client_id role_name:
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
export KEYCLOAK_CLIENT_ID={{ client_id }}
export KEYCLOAK_ROLE_NAME={{ role_name }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/create-client-role.ts
# Add user to client role
add-user-to-client-role realm username client_id role_name:
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
export USERNAME={{ username }}
export KEYCLOAK_CLIENT_ID={{ client_id }}
export KEYCLOAK_ROLE_NAME={{ role_name }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/add-user-to-client-role.ts
# Remove user from client role
remove-user-from-client-role realm username client_id role_name:
#!/bin/bash
set -euo pipefail
export KEYCLOAK_ADMIN_USER=$(just admin-username)
export KEYCLOAK_ADMIN_PASSWORD=$(just admin-password)
export KEYCLOAK_REALM={{ realm }}
export USERNAME={{ username }}
export KEYCLOAK_CLIENT_ID={{ client_id }}
export KEYCLOAK_ROLE_NAME={{ role_name }}
dotenvx run -q -f ../.env.local -- tsx ./scripts/remove-user-from-client-role.ts

109
keycloak/scripts/add-user-to-client-role.ts Executable file
View File

@@ -0,0 +1,109 @@
#!/usr/bin/env tsx
import KcAdminClient from "@keycloak/keycloak-admin-client";
import RoleRepresentation from "@keycloak/keycloak-admin-client/lib/defs/roleRepresentation";
import invariant from "tiny-invariant";
async function main() {
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${process.env.KEYCLOAK_HOST}`,
realmName: "master",
});
await kcAdminClient.auth({
username: process.env.KEYCLOAK_ADMIN_USER!,
password: process.env.KEYCLOAK_ADMIN_PASSWORD!,
grantType: "password",
clientId: "admin-cli",
});
const realm = process.env.KEYCLOAK_REALM!;
const username = process.env.USERNAME!;
const clientId = process.env.KEYCLOAK_CLIENT_ID!;
const roleName = process.env.KEYCLOAK_ROLE_NAME!;
invariant(realm, "KEYCLOAK_REALM is required");
invariant(username, "USERNAME is required");
invariant(clientId, "KEYCLOAK_CLIENT_ID is required");
invariant(roleName, "KEYCLOAK_ROLE_NAME is required");
// Find the user
const users = await kcAdminClient.users.find({ realm, username });
if (users.length === 0) {
throw new Error(`User '${username}' not found in realm '${realm}'`);
}
const user = users[0];
// Find the client
const clients = await kcAdminClient.clients.find({ realm, clientId });
if (clients.length === 0) {
throw new Error(`Client '${clientId}' not found in realm '${realm}'`);
}
const client = clients[0];
let role: RoleRepresentation | null;
try {
role = await kcAdminClient.clients.findRole({
realm,
id: client.id!,
roleName,
});
} catch (error) {
// If role not found, try to list all roles for debugging
const allRoles = await kcAdminClient.clients.listRoles({
realm,
id: client.id!,
});
console.error(
`Available roles for client '${clientId}':`,
allRoles.map((r) => r.name),
);
throw new Error(
`Role '${roleName}' not found for client '${clientId}' in realm '${realm}'. Available roles: ${allRoles.map((r) => r.name).join(", ")}`,
);
}
if (!role) {
throw new Error(
`Role '${roleName}' not found for client '${clientId}' in realm '${realm}'`,
);
}
// Check if user already has this role
const existingRoles = await kcAdminClient.users.listClientRoleMappings({
realm,
id: user.id!,
clientUniqueId: client.id!,
});
const hasRole = existingRoles.some((r) => r.name === roleName);
if (hasRole) {
console.log(
`User '${username}' already has role '${roleName}' for client '${clientId}'`,
);
return;
}
// Add role to user
await kcAdminClient.users.addClientRoleMappings({
realm,
id: user.id!,
clientUniqueId: client.id!,
roles: [
{
id: role.id!,
name: role.name!,
},
],
});
console.log(
`✓ Role '${roleName}' assigned to user '${username}' for client '${clientId}' in realm '${realm}'`,
);
}
main().catch(console.error);

65
keycloak/scripts/create-client-role.ts Executable file
View File

@@ -0,0 +1,65 @@
#!/usr/bin/env tsx
import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";
async function main() {
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${process.env.KEYCLOAK_HOST}`,
realmName: "master",
});
await kcAdminClient.auth({
username: process.env.KEYCLOAK_ADMIN_USER!,
password: process.env.KEYCLOAK_ADMIN_PASSWORD!,
grantType: "password",
clientId: "admin-cli",
});
const realm = process.env.KEYCLOAK_REALM!;
const clientId = process.env.KEYCLOAK_CLIENT_ID!;
const roleName = process.env.KEYCLOAK_ROLE_NAME!;
invariant(realm, "KEYCLOAK_REALM is required");
invariant(clientId, "KEYCLOAK_CLIENT_ID is required");
invariant(roleName, "KEYCLOAK_ROLE_NAME is required");
// Find the client by clientId
const clients = await kcAdminClient.clients.find({ realm, clientId });
if (clients.length === 0) {
throw new Error(`Client '${clientId}' not found in realm '${realm}'`);
}
const client = clients[0];
// Check if role already exists
try {
const existingRole = await kcAdminClient.clients.findRole({
realm,
id: client.id!,
roleName,
});
if (existingRole) {
console.log(`Role '${roleName}' already exists for client '${clientId}'`);
return;
}
} catch (error) {
// Role doesn't exist, continue to create it
console.log(`Role '${roleName}' doesn't exist, creating it...`);
}
// Create the client role
await kcAdminClient.clients.createRole({
realm,
id: client.id!,
name: roleName,
});
console.log(
`✓ Client role '${roleName}' created for client '${clientId}' in realm '${realm}'`,
);
}
main().catch(console.error);

72
keycloak/scripts/remove-user-from-client-role.ts Executable file
View File

@@ -0,0 +1,72 @@
#!/usr/bin/env tsx
import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";
async function main() {
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${process.env.KEYCLOAK_HOST}`,
realmName: "master",
});
await kcAdminClient.auth({
username: process.env.KEYCLOAK_ADMIN_USER!,
password: process.env.KEYCLOAK_ADMIN_PASSWORD!,
grantType: "password",
clientId: "admin-cli",
});
const realm = process.env.KEYCLOAK_REALM!;
const username = process.env.USERNAME!;
const clientId = process.env.KEYCLOAK_CLIENT_ID!;
const roleName = process.env.KEYCLOAK_ROLE_NAME!;
invariant(realm, "KEYCLOAK_REALM is required");
invariant(username, "USERNAME is required");
invariant(clientId, "KEYCLOAK_CLIENT_ID is required");
invariant(roleName, "KEYCLOAK_ROLE_NAME is required");
// Find the user
const users = await kcAdminClient.users.find({ realm, username });
if (users.length === 0) {
throw new Error(`User '${username}' not found in realm '${realm}'`);
}
const user = users[0];
// Find the client
const clients = await kcAdminClient.clients.find({ realm, clientId });
if (clients.length === 0) {
throw new Error(`Client '${clientId}' not found in realm '${realm}'`);
}
const client = clients[0];
// Find the role
const role = await kcAdminClient.clients.findRole({
realm,
id: client.id!,
roleName,
});
// Remove role from user
await kcAdminClient.users.delClientRoleMappings({
realm,
id: user.id!,
clientUniqueId: client.id!,
roles: [
{
id: role?.id!,
name: role?.name!,
},
],
});
console.log(
`✓ Role '${roleName}' removed from user '${username}' for client '${clientId}' in realm '${realm}'`,
);
}
main().catch(console.error);