feat(keycloak): set access/refresh token lifespan

keycloak/scripts/show-realm-token-settings.ts

@@ -0,0 +1,80 @@
+#!/usr/bin/env tsx
+
+import KcAdminClient from "@keycloak/keycloak-admin-client";
+import invariant from "tiny-invariant";
+
+const main = async () => {
+    // Environment variables
+    const keycloakHost = process.env.KEYCLOAK_HOST;
+    const adminUser = process.env.KEYCLOAK_ADMIN_USER;
+    const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
+    const realm = process.env.KEYCLOAK_REALM;
+
+    invariant(keycloakHost, "KEYCLOAK_HOST is required");
+    invariant(adminUser, "KEYCLOAK_ADMIN_USER is required");
+    invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD is required");
+    invariant(realm, "KEYCLOAK_REALM is required");
+
+    console.log(`Checking token settings for realm: ${realm}`);
+
+    // Initialize Keycloak admin client
+    const kcAdminClient = new KcAdminClient({
+        baseUrl: `https://${keycloakHost}`,
+        realmName: "master",
+    });
+
+    try {
+        // Authenticate
+        await kcAdminClient.auth({
+            username: adminUser,
+            password: adminPassword,
+            grantType: "password",
+            clientId: "admin-cli",
+        });
+
+        console.log("✓ Authenticated with Keycloak admin");
+
+        // Set the target realm
+        kcAdminClient.setConfig({ realmName: realm });
+
+        // Get current realm settings
+        const currentRealm = await kcAdminClient.realms.findOne({ realm });
+        if (!currentRealm) {
+            throw new Error(`Realm ${realm} not found`);
+        }
+
+        console.log(`\n=== Current Token Settings for Realm: ${realm} ===`);
+        console.log(`Access Token Lifespan: ${currentRealm.accessTokenLifespan || 'not set'} seconds (${(currentRealm.accessTokenLifespan || 0)/60} minutes)`);
+        console.log(`Access Token Lifespan (Implicit): ${currentRealm.accessTokenLifespanForImplicitFlow || 'not set'} seconds`);
+        console.log(`SSO Session Max Lifespan: ${currentRealm.ssoSessionMaxLifespan || 'not set'} seconds (${(currentRealm.ssoSessionMaxLifespan || 0)/60} minutes)`);
+        console.log(`SSO Session Idle Timeout: ${currentRealm.ssoSessionIdleTimeout || 'not set'} seconds (${(currentRealm.ssoSessionIdleTimeout || 0)/60} minutes)`);
+        console.log(`Client Session Max Lifespan: ${currentRealm.clientSessionMaxLifespan || 'not set'} seconds`);
+        console.log(`Client Session Idle Timeout: ${currentRealm.clientSessionIdleTimeout || 'not set'} seconds`);
+        console.log(`Offline Session Max Lifespan: ${currentRealm.offlineSessionMaxLifespan || 'not set'} seconds`);
+        console.log(`Refresh Token Max Reuse: ${currentRealm.refreshTokenMaxReuse || 0}`);
+
+        // Also check specific client settings if JupyterHub client exists
+        try {
+            const clients = await kcAdminClient.clients.find({ clientId: 'jupyterhub' });
+            if (clients.length > 0) {
+                const jupyterhubClient = clients[0];
+                console.log(`\n=== JupyterHub Client Settings ===`);
+                console.log(`Client ID: ${jupyterhubClient.clientId}`);
+                console.log(`Access Token Lifespan: ${jupyterhubClient.attributes?.['access.token.lifespan'] || 'inherit from realm'}`);
+            }
+        } catch (clientError) {
+            console.log(`\n⚠️  Could not retrieve JupyterHub client settings: ${clientError}`);
+        }
+
+        console.log(`\n=== Keycloak Default Values (for reference) ===`);
+        console.log(`Default Access Token Lifespan: 300 seconds (5 minutes)`);
+        console.log(`Default SSO Session Max: 36000 seconds (10 hours)`);
+        console.log(`Default SSO Session Idle: 1800 seconds (30 minutes)`);
+
+    } catch (error) {
+        console.error("✗ Failed to retrieve realm token settings:", error);
+        process.exit(1);
+    }
+};
+
+main().catch(console.error);