123 lines
4.8 KiB
TypeScript
123 lines
4.8 KiB
TypeScript
import KcAdminClient from "@keycloak/keycloak-admin-client";
|
|
import invariant from "tiny-invariant";
|
|
|
|
const main = async () => {
|
|
const keycloakHost = process.env.KEYCLOAK_HOST;
|
|
invariant(keycloakHost, "KEYCLOAK_HOST environment variable is required.");
|
|
|
|
const adminUsername = process.env.KEYCLOAK_ADMIN_USER;
|
|
invariant(adminUsername, "KEYCLOAK_ADMIN_USER environment variable is required.");
|
|
|
|
const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
|
|
invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
|
|
|
|
const realmName = process.env.KEYCLOAK_REALM;
|
|
invariant(realmName, "KEYCLOAK_REALM environment variable is required");
|
|
|
|
const clientId = process.env.KEYCLOAK_CLIENT_ID;
|
|
invariant(clientId, "KEYCLOAK_CLIENT_ID environment variable is required");
|
|
|
|
const clientSecret = process.env.KEYCLOAK_CLIENT_SECRET;
|
|
|
|
const redirectUrl = process.env.KEYCLOAK_REDIRECT_URL;
|
|
invariant(redirectUrl, "KEYCLOAK_REDIRECT_URL environment variable is required");
|
|
|
|
const redirectUris = redirectUrl.split(",").map((url) => url.trim());
|
|
|
|
const sessionIdle = process.env.KEYCLOAK_CLIENT_SESSION_IDLE;
|
|
const sessionMax = process.env.KEYCLOAK_CLIENT_SESSION_MAX;
|
|
const directAccessGrants = process.env.KEYCLOAK_CLIENT_DIRECT_ACCESS_GRANTS;
|
|
const pkceMethod = process.env.KEYCLOAK_CLIENT_PKCE_METHOD;
|
|
const postLogoutRedirectUris = process.env.KEYCLOAK_POST_LOGOUT_REDIRECT_URIS;
|
|
const accessTokenLifespan = process.env.KEYCLOAK_ACCESS_TOKEN_LIFESPAN;
|
|
|
|
const kcAdminClient = new KcAdminClient({
|
|
baseUrl: `https://${keycloakHost}`,
|
|
realmName: "master",
|
|
});
|
|
|
|
try {
|
|
await kcAdminClient.auth({
|
|
username: adminUsername,
|
|
password: adminPassword,
|
|
grantType: "password",
|
|
clientId: "admin-cli",
|
|
});
|
|
console.log("Authentication successful.");
|
|
|
|
kcAdminClient.setConfig({ realmName });
|
|
|
|
const existingClients = await kcAdminClient.clients.find({ clientId });
|
|
if (existingClients.length > 0) {
|
|
console.warn(`Client '${clientId}' already exists.`);
|
|
return;
|
|
}
|
|
|
|
const isPublicClient = !clientSecret || clientSecret === "";
|
|
const clientConfig: any = {
|
|
clientId: clientId,
|
|
secret: clientSecret,
|
|
enabled: true,
|
|
redirectUris: redirectUris,
|
|
publicClient: isPublicClient,
|
|
directAccessGrantsEnabled: directAccessGrants === "true",
|
|
};
|
|
|
|
// Configure PKCE based on environment variable
|
|
// KEYCLOAK_CLIENT_PKCE_METHOD can be: 'S256', 'plain', or unset/empty (no PKCE)
|
|
clientConfig.attributes = {};
|
|
|
|
if (pkceMethod && (pkceMethod === "S256" || pkceMethod === "plain")) {
|
|
clientConfig.attributes["pkce.code.challenge.method"] = pkceMethod;
|
|
console.log(`Setting PKCE Code Challenge Method to ${pkceMethod}`);
|
|
} else if (pkceMethod && pkceMethod !== "") {
|
|
console.warn(
|
|
`Invalid PKCE method '${pkceMethod}'. Valid options: S256, plain, or empty for no PKCE`
|
|
);
|
|
console.log("Creating client without PKCE");
|
|
} else {
|
|
console.log("Creating client without PKCE");
|
|
}
|
|
|
|
// Add session timeout settings if provided
|
|
if (sessionIdle && sessionIdle !== "") {
|
|
clientConfig.attributes["client.session.idle.timeout"] = sessionIdle;
|
|
console.log(`Setting Client Session Idle Timeout: ${sessionIdle}`);
|
|
}
|
|
|
|
if (sessionMax && sessionMax !== "") {
|
|
clientConfig.attributes["client.session.max.lifespan"] = sessionMax;
|
|
console.log(`Setting Client Session Max Lifespan: ${sessionMax}`);
|
|
}
|
|
|
|
// Add post logout redirect URIs if provided
|
|
if (postLogoutRedirectUris && postLogoutRedirectUris !== "") {
|
|
// Split comma-separated URIs and set as array in attributes using ## separator (Keycloak format)
|
|
const postLogoutUris = postLogoutRedirectUris.split(",").map((uri) => uri.trim());
|
|
clientConfig.attributes = clientConfig.attributes || {};
|
|
clientConfig.attributes["post.logout.redirect.uris"] = postLogoutUris.join("##");
|
|
console.log(`Setting Post Logout Redirect URIs: ${postLogoutUris.join(", ")}`);
|
|
}
|
|
|
|
// Add access token lifespan if provided
|
|
if (accessTokenLifespan && accessTokenLifespan !== "") {
|
|
clientConfig.attributes = clientConfig.attributes || {};
|
|
clientConfig.attributes["access.token.lifespan"] = accessTokenLifespan;
|
|
console.log(`Setting Access Token Lifespan: ${accessTokenLifespan} seconds`);
|
|
}
|
|
|
|
if (directAccessGrants === "true") {
|
|
console.log("Enabling Direct Access Grants (Resource Owner Password Credentials)");
|
|
}
|
|
|
|
const createdClient = await kcAdminClient.clients.create(clientConfig);
|
|
console.log(`Client created successfully with ID: ${createdClient.id}`);
|
|
} catch (error) {
|
|
console.error("An error occurred:", error);
|
|
// eslint-disable-next-line unicorn/no-process-exit
|
|
process.exit(1);
|
|
}
|
|
};
|
|
|
|
main();
|