baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2092e7e9fbea7fd32e63fb2c4a20350877369161
buun-stack/keycloak/scripts/add-audience-mapper-to-scope.ts
Masaki Yatsu af4dcb939c feat(keycloak): keycloak::add-audience-mapper-to-scope
2025-10-27 20:27:10 +09:00

81 lines
2.9 KiB
TypeScript
Executable File
Raw Blame History

#!/usr/bin/env tsx
import KcAdminClient from '@keycloak/keycloak-admin-client';
import invariant from 'tiny-invariant';
const main = async () => {
const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
const realm = process.env.KEYCLOAK_REALM;
const scopeName = process.env.SCOPE_NAME;
const audience = process.env.KEYCLOAK_AUDIENCE;
invariant(KEYCLOAK_HOST, 'KEYCLOAK_HOST environment variable is required');
invariant(KEYCLOAK_ADMIN_USER, 'KEYCLOAK_ADMIN_USER environment variable is required');
invariant(KEYCLOAK_ADMIN_PASSWORD, 'KEYCLOAK_ADMIN_PASSWORD environment variable is required');
invariant(realm, 'KEYCLOAK_REALM environment variable is required');
invariant(scopeName, 'SCOPE_NAME environment variable is required');
invariant(audience, 'KEYCLOAK_AUDIENCE environment variable is required');
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${KEYCLOAK_HOST}`,
realmName: 'master',
});
try {
await kcAdminClient.auth({
username: KEYCLOAK_ADMIN_USER,
password: KEYCLOAK_ADMIN_PASSWORD,
grantType: 'password',
clientId: 'admin-cli',
});
console.log('Authentication successful.');
// Set target realm
kcAdminClient.setConfig({
realmName: realm,
});
// Find the client scope
const clientScopes = await kcAdminClient.clientScopes.find();
const scope = clientScopes.find(s => s.name === scopeName);
if (!scope) {
throw new Error(`Client scope '${scopeName}' not found`);
}
invariant(scope.id, 'Client scope ID is not set');
// Check if mapper already exists
const mapperName = `aud-mapper-${audience}`;
const existingMappers = await kcAdminClient.clientScopes.listProtocolMappers({ id: scope.id });
if (existingMappers.some((mapper) => mapper.name === mapperName)) {
console.warn(`Audience mapper '${mapperName}' already exists in scope '${scopeName}'.`);
return;
}
// Create audience mapper
const audienceMapper = {
name: mapperName,
protocol: 'openid-connect',
protocolMapper: 'oidc-audience-mapper',
config: {
'included.client.audience': audience,
'id.token.claim': 'false',
'access.token.claim': 'true',
},
};
await kcAdminClient.clientScopes.addProtocolMapper({ id: scope.id }, audienceMapper);
console.log(`Audience mapper '${mapperName}' added to client scope '${scopeName}'.`);
} catch (error) {
console.error('Error adding audience mapper to scope:', error);
process.exit(1);
}
};
main();
Reference in New Issue View Git Blame Copy Permalink