#!/usr/bin/env tsx import KcAdminClient from "@keycloak/keycloak-admin-client"; import invariant from "tiny-invariant"; const main = async () => { // Environment variables const keycloakHost = process.env.KEYCLOAK_HOST; const adminUser = process.env.KEYCLOAK_ADMIN_USER; const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD; const realm = process.env.KEYCLOAK_REALM; const accessTokenLifespan = parseInt(process.env.ACCESS_TOKEN_LIFESPAN || "3600"); const refreshTokenLifespan = parseInt(process.env.REFRESH_TOKEN_LIFESPAN || "1800"); invariant(keycloakHost, "KEYCLOAK_HOST is required"); invariant(adminUser, "KEYCLOAK_ADMIN_USER is required"); invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD is required"); invariant(realm, "KEYCLOAK_REALM is required"); console.log(`Updating token settings for realm: ${realm}`); console.log(`Access token lifespan: ${accessTokenLifespan} seconds (${accessTokenLifespan/60} minutes)`); console.log(`Refresh token lifespan: ${refreshTokenLifespan} seconds (${refreshTokenLifespan/60} minutes)`); // Initialize Keycloak admin client const kcAdminClient = new KcAdminClient({ baseUrl: `https://${keycloakHost}`, realmName: "master", }); try { // Authenticate await kcAdminClient.auth({ username: adminUser, password: adminPassword, grantType: "password", clientId: "admin-cli", }); console.log("✓ Authenticated with Keycloak admin"); // Set the target realm kcAdminClient.setConfig({ realmName: realm }); // Get current realm settings const currentRealm = await kcAdminClient.realms.findOne({ realm }); if (!currentRealm) { throw new Error(`Realm ${realm} not found`); } console.log(`Current settings:`); console.log(` - Access token lifespan: ${currentRealm.accessTokenLifespan} seconds`); console.log(` - Refresh token lifespan: ${currentRealm.ssoSessionMaxLifespan} seconds`); console.log(` - SSO session idle: ${currentRealm.ssoSessionIdleTimeout} seconds`); // Update realm settings await kcAdminClient.realms.update( { realm }, { ...currentRealm, // Access token settings accessTokenLifespan: accessTokenLifespan, accessTokenLifespanForImplicitFlow: accessTokenLifespan, // Refresh token settings refreshTokenMaxReuse: 0, ssoSessionMaxLifespan: refreshTokenLifespan, ssoSessionIdleTimeout: Math.min(refreshTokenLifespan, 1800), // Max 30 minutes idle // Other token settings offlineSessionMaxLifespan: refreshTokenLifespan * 2, offlineSessionMaxLifespanEnabled: true, // Client session settings clientSessionMaxLifespan: accessTokenLifespan, clientSessionIdleTimeout: Math.min(accessTokenLifespan, 1800), } ); console.log("✓ Realm token settings updated successfully"); // Verify the changes const updatedRealm = await kcAdminClient.realms.findOne({ realm }); console.log(`Updated settings:`); console.log(` - Access token lifespan: ${updatedRealm?.accessTokenLifespan} seconds`); console.log(` - Refresh token lifespan: ${updatedRealm?.ssoSessionMaxLifespan} seconds`); console.log(` - SSO session idle: ${updatedRealm?.ssoSessionIdleTimeout} seconds`); } catch (error) { console.error("✗ Failed to update realm token settings:", error); process.exit(1); } }; main().catch(console.error);