90 lines
2.7 KiB
TypeScript
90 lines
2.7 KiB
TypeScript
#!/usr/bin/env tsx
|
|
|
|
import KcAdminClient from "@keycloak/keycloak-admin-client";
|
|
import invariant from "tiny-invariant";
|
|
|
|
async function main() {
|
|
const keycloakHost = process.env.KEYCLOAK_HOST;
|
|
invariant(keycloakHost, "KEYCLOAK_HOST environment variable is required.");
|
|
|
|
const adminUsername = process.env.KEYCLOAK_ADMIN_USER;
|
|
invariant(adminUsername, "KEYCLOAK_ADMIN_USER environment variable is required.");
|
|
|
|
const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
|
|
invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
|
|
|
|
const realmName = process.env.KEYCLOAK_REALM;
|
|
invariant(realmName, "KEYCLOAK_REALM environment variable is required");
|
|
|
|
const clientId = process.env.CLIENT_ID;
|
|
invariant(clientId, "CLIENT_ID environment variable is required");
|
|
|
|
const mapperName = process.env.MAPPER_NAME || `${clientId} client roles`;
|
|
const claimName = process.env.CLAIM_NAME || "client_roles";
|
|
|
|
const kcAdminClient = new KcAdminClient({
|
|
baseUrl: `https://${keycloakHost}`,
|
|
realmName: "master",
|
|
});
|
|
|
|
try {
|
|
await kcAdminClient.auth({
|
|
username: adminUsername,
|
|
password: adminPassword,
|
|
grantType: "password",
|
|
clientId: "admin-cli",
|
|
});
|
|
|
|
kcAdminClient.setConfig({
|
|
realmName,
|
|
});
|
|
|
|
const clients = await kcAdminClient.clients.find({ clientId });
|
|
if (clients.length === 0) {
|
|
throw new Error(`Client '${clientId}' not found in realm '${realmName}'`);
|
|
}
|
|
|
|
const client = clients[0];
|
|
const clientInternalId = client.id!;
|
|
|
|
const mappers = await kcAdminClient.clients.listProtocolMappers({
|
|
id: clientInternalId,
|
|
});
|
|
const existingMapper = mappers.find((mapper) => mapper.name === mapperName);
|
|
|
|
if (existingMapper) {
|
|
console.log(`Client roles mapper '${mapperName}' already exists for client '${clientId}'`);
|
|
return;
|
|
}
|
|
|
|
await kcAdminClient.clients.addProtocolMapper(
|
|
{ id: clientInternalId },
|
|
{
|
|
name: mapperName,
|
|
protocol: "openid-connect",
|
|
protocolMapper: "oidc-usermodel-client-role-mapper",
|
|
config: {
|
|
"userinfo.token.claim": "true",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": claimName,
|
|
"jsonType.label": "String",
|
|
multivalued: "true",
|
|
"usermodel.clientRoleMapping.clientId": clientId,
|
|
},
|
|
}
|
|
);
|
|
|
|
console.log(
|
|
`✓ Client roles mapper '${mapperName}' created for client '${clientId}' in realm '${realmName}'`
|
|
);
|
|
console.log(` Claim name: ${claimName}`);
|
|
console.log(` Maps client roles from '${clientId}' to JWT token`);
|
|
} catch (error) {
|
|
console.error("An error occurred:", error);
|
|
process.exit(1);
|
|
}
|
|
}
|
|
|
|
main().catch(console.error);
|