keycloak(feat): add recipes for client management

keycloak/scripts/get-user-token.ts

@@ -0,0 +1,112 @@
+#!/usr/bin/env tsx
+
+import KcAdminClient from "@keycloak/keycloak-admin-client";
+import invariant from "tiny-invariant";
+
+async function main() {
+  const kcAdminClient = new KcAdminClient({
+    baseUrl: `https://${process.env.KEYCLOAK_HOST}`,
+    realmName: "master",
+  });
+
+  await kcAdminClient.auth({
+    username: process.env.KEYCLOAK_ADMIN_USER!,
+    password: process.env.KEYCLOAK_ADMIN_PASSWORD!,
+    grantType: "password",
+    clientId: "admin-cli",
+  });
+
+  const realm = process.env.KEYCLOAK_REALM!;
+  const username = process.env.USERNAME!;
+  const clientId = process.env.KEYCLOAK_CLIENT_ID!;
+
+  invariant(realm, "KEYCLOAK_REALM is required");
+  invariant(username, "USERNAME is required");
+  invariant(clientId, "KEYCLOAK_CLIENT_ID is required");
+
+  // Find the user
+  const users = await kcAdminClient.users.find({ realm, username });
+  if (users.length === 0) {
+    throw new Error(`User '${username}' not found in realm '${realm}'`);
+  }
+  const user = users[0];
+
+  // Find the client
+  const clients = await kcAdminClient.clients.find({ realm, clientId });
+  if (clients.length === 0) {
+    throw new Error(`Client '${clientId}' not found in realm '${realm}'`);
+  }
+  const client = clients[0];
+
+  try {
+    // Get a token for this user (impersonation)
+    console.log(`Getting token for user '${username}' with client '${clientId}'...`);
+
+    // Get client secret
+    const clientSecret = await kcAdminClient.clients.getClientSecret({
+      realm,
+      id: client.id!,
+    });
+
+    // Create a new client instance for the specific realm/client
+    const userClient = new KcAdminClient({
+      baseUrl: `https://${process.env.KEYCLOAK_HOST}`,
+      realmName: realm,
+    });
+
+    // Note: This requires the user's actual password or impersonation capability
+    console.log("To get actual user token, you need:");
+    console.log("1. User's password, or");
+    console.log("2. Impersonation permissions");
+    console.log("\nAlternatively, check the browser's Network tab:");
+    console.log("1. Open DevTools -> Network tab");
+    console.log("2. Try to trigger a DAG in Airflow");
+    console.log("3. Look for the request with 403 error");
+    console.log("4. Check Authorization header: 'Bearer <token>'");
+    console.log("5. Decode at https://jwt.io");
+
+    // Show client configuration that affects tokens
+    console.log("\n=== Client Configuration ===");
+    console.log(`Client ID: ${client.clientId}`);
+    console.log(`Client Name: ${client.name}`);
+    console.log(`Protocol: ${client.protocol}`);
+    console.log(`Public Client: ${client.publicClient}`);
+
+    // Get protocol mappers
+    const mappers = await kcAdminClient.clients.listProtocolMappers({
+      realm,
+      id: client.id!,
+    });
+
+    console.log("\n=== Protocol Mappers ===");
+    mappers.forEach(mapper => {
+      console.log(`- ${mapper.name} (${mapper.protocolMapper})`);
+      if (mapper.config) {
+        console.log(`  Claim: ${mapper.config['claim.name'] || 'N/A'}`);
+        console.log(`  Access Token: ${mapper.config['access.token.claim'] || 'false'}`);
+        console.log(`  ID Token: ${mapper.config['id.token.claim'] || 'false'}`);
+      }
+    });
+
+    // Show user's client roles
+    const clientRoles = await kcAdminClient.users.listClientRoleMappings({
+      realm,
+      id: user.id!,
+      clientUniqueId: client.id!,
+    });
+
+    console.log("\n=== User's Client Roles ===");
+    if (clientRoles.length === 0) {
+      console.log("No client roles assigned");
+    } else {
+      clientRoles.forEach(role => {
+        console.log(`- ${role.name} (${role.id})`);
+      });
+    }
+
+  } catch (error) {
+    console.error(`Error: ${error}`);
+  }
+}
+
+main().catch(console.error);