baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6550c2f51c9f749844673af4185b2d263f547f19
buun-stack/keycloak/scripts/add-audience-mapper-to-scope.ts
Masaki Yatsu 82f90f621b chore(keycloak): code cleanup
2025-10-29 15:33:20 +09:00

76 lines
2.5 KiB
TypeScript
Executable File
Raw Blame History

#!/usr/bin/env tsx
import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";
const main = async () => {
const KEYCLOAK_HOST = process.env.KEYCLOAK_HOST;
const KEYCLOAK_ADMIN_USER = process.env.KEYCLOAK_ADMIN_USER;
const KEYCLOAK_ADMIN_PASSWORD = process.env.KEYCLOAK_ADMIN_PASSWORD;
const realm = process.env.KEYCLOAK_REALM;
const scopeName = process.env.SCOPE_NAME;
const audience = process.env.KEYCLOAK_AUDIENCE;
invariant(KEYCLOAK_HOST, "KEYCLOAK_HOST environment variable is required");
invariant(KEYCLOAK_ADMIN_USER, "KEYCLOAK_ADMIN_USER environment variable is required");
invariant(KEYCLOAK_ADMIN_PASSWORD, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
invariant(realm, "KEYCLOAK_REALM environment variable is required");
invariant(scopeName, "SCOPE_NAME environment variable is required");
invariant(audience, "KEYCLOAK_AUDIENCE environment variable is required");
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${KEYCLOAK_HOST}`,
realmName: "master",
});
try {
await kcAdminClient.auth({
username: KEYCLOAK_ADMIN_USER,
password: KEYCLOAK_ADMIN_PASSWORD,
grantType: "password",
clientId: "admin-cli",
});
console.log("Authentication successful.");
kcAdminClient.setConfig({
realmName: realm,
});
const clientScopes = await kcAdminClient.clientScopes.find();
const scope = clientScopes.find((s) => s.name === scopeName);
if (!scope) {
throw new Error(`Client scope '${scopeName}' not found`);
}
invariant(scope.id, "Client scope ID is not set");
const mapperName = `aud-mapper-${audience}`;
const existingMappers = await kcAdminClient.clientScopes.listProtocolMappers({ id: scope.id });
if (existingMappers.some((mapper) => mapper.name === mapperName)) {
console.warn(`Audience mapper '${mapperName}' already exists in scope '${scopeName}'.`);
return;
}
const audienceMapper = {
name: mapperName,
protocol: "openid-connect",
protocolMapper: "oidc-audience-mapper",
config: {
"included.client.audience": audience,
"id.token.claim": "false",
"access.token.claim": "true",
},
};
await kcAdminClient.clientScopes.addProtocolMapper({ id: scope.id }, audienceMapper);
console.log(`Audience mapper '${mapperName}' added to client scope '${scopeName}'.`);
} catch (error) {
console.error("Error adding audience mapper to scope:", error);
process.exit(1);
}
};
main();
Reference in New Issue View Git Blame Copy Permalink