83 lines
2.5 KiB
TypeScript
83 lines
2.5 KiB
TypeScript
#!/usr/bin/env tsx
|
|
|
|
import KcAdminClient from "@keycloak/keycloak-admin-client";
|
|
import invariant from "tiny-invariant";
|
|
|
|
const main = async () => {
|
|
const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
|
|
invariant(KEYCLOAK_HOST, "KEYCLOAK_HOST environment variable is required");
|
|
|
|
const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
|
|
invariant(KEYCLOAK_ADMIN_USER, "KEYCLOAK_ADMIN_USER environment variable is required");
|
|
|
|
const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
|
|
invariant(KEYCLOAK_ADMIN_PASSWORD, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
|
|
|
|
const realm = process.env.KEYCLOAK_REALM;
|
|
invariant(realm, "KEYCLOAK_REALM environment variable is required");
|
|
|
|
const scopeName = process.env.SCOPE_NAME;
|
|
invariant(scopeName, "SCOPE_NAME environment variable is required");
|
|
|
|
const kcAdminClient = new KcAdminClient({
|
|
baseUrl: `https://${KEYCLOAK_HOST}`,
|
|
realmName: "master",
|
|
});
|
|
|
|
try {
|
|
await kcAdminClient.auth({
|
|
username: KEYCLOAK_ADMIN_USER,
|
|
password: KEYCLOAK_ADMIN_PASSWORD,
|
|
grantType: "password",
|
|
clientId: "admin-cli",
|
|
});
|
|
|
|
console.log("Authentication successful.");
|
|
|
|
kcAdminClient.setConfig({
|
|
realmName: realm,
|
|
});
|
|
|
|
const clientScopes = await kcAdminClient.clientScopes.find();
|
|
const scope = clientScopes.find((s) => s.name === scopeName);
|
|
if (!scope) {
|
|
throw new Error(`Client scope '${scopeName}' not found`);
|
|
}
|
|
|
|
invariant(scope.id, "Client scope ID is not set");
|
|
|
|
const mapperName = "groups";
|
|
const existingMappers = await kcAdminClient.clientScopes.listProtocolMappers({ id: scope.id });
|
|
|
|
if (
|
|
existingMappers.some(
|
|
(mapper) => mapper.name === mapperName || mapper.config?.["claim.name"] === "groups"
|
|
)
|
|
) {
|
|
console.warn(`Groups mapper already exists in scope '${scopeName}'.`);
|
|
return;
|
|
}
|
|
|
|
const groupsMapper = {
|
|
name: mapperName,
|
|
protocol: "openid-connect",
|
|
protocolMapper: "oidc-group-membership-mapper",
|
|
config: {
|
|
"claim.name": "groups",
|
|
"full.path": "false",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"userinfo.token.claim": "true",
|
|
},
|
|
};
|
|
|
|
await kcAdminClient.clientScopes.addProtocolMapper({ id: scope.id }, groupsMapper);
|
|
console.log(`Groups mapper added to client scope '${scopeName}'.`);
|
|
} catch (error) {
|
|
console.error("Error adding groups mapper to scope:", error);
|
|
process.exit(1);
|
|
}
|
|
};
|
|
|
|
main();
|