baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e19e2fa3101f1657bf02e6a878a18a0ba65ea77b
buun-stack/keycloak/scripts/create-realm.ts
Masaki Yatsu ddf867d1f1 feat(keycloak): set access/refresh token lifespan
2025-08-31 16:28:32 +09:00

74 lines
3.2 KiB
TypeScript
Raw Blame History

import KcAdminClient from "@keycloak/keycloak-admin-client";
import invariant from "tiny-invariant";
const main = async () => {
const keycloakHost = process.env.KEYCLOAK_HOST;
invariant(keycloakHost, "KEYCLOAK_HOST environment variable is required.");
const adminUsername = process.env.KEYCLOAK_ADMIN_USER;
invariant(adminUsername, "KEYCLOAK_ADMIN_USER environment variable is required.");
const adminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD;
invariant(adminPassword, "KEYCLOAK_ADMIN_PASSWORD environment variable is required");
const realmName = process.env.KEYCLOAK_REALM;
invariant(realmName, "KEYCLOAK_REALM environment variable is required");
// Token lifespan settings (with defaults suitable for JupyterHub)
const accessTokenLifespan = parseInt(process.env.ACCESS_TOKEN_LIFESPAN || "3600"); // 1 hour
const refreshTokenLifespan = parseInt(process.env.REFRESH_TOKEN_LIFESPAN || "14400"); // 4 hours - changed from 30min
const ssoSessionMaxLifespan = parseInt(process.env.SSO_SESSION_MAX_LIFESPAN || refreshTokenLifespan.toString()); // Use refreshTokenLifespan
const ssoSessionIdleTimeout = parseInt(process.env.SSO_SESSION_IDLE_TIMEOUT || "7200"); // 2 hours
const kcAdminClient = new KcAdminClient({
baseUrl: `https://${keycloakHost}`,
realmName: "master",
});
try {
await kcAdminClient.auth({
username: adminUsername,
password: adminPassword,
grantType: "password",
clientId: "admin-cli",
});
console.log("Authentication successful.");
const existingRealms = await kcAdminClient.realms.find();
const realmExists = existingRealms.some((realm) => realm.realm === realmName);
if (realmExists) {
console.warn(`Realm '${realmName}' already exists.`);
return;
}
await kcAdminClient.realms.create({
realm: realmName,
enabled: true,
// Token lifespan settings
accessTokenLifespan: accessTokenLifespan,
accessTokenLifespanForImplicitFlow: accessTokenLifespan,
ssoSessionMaxLifespan: ssoSessionMaxLifespan,
ssoSessionIdleTimeout: Math.min(ssoSessionMaxLifespan, ssoSessionIdleTimeout),
// Refresh token settings
refreshTokenMaxReuse: 0,
// Offline session settings
offlineSessionMaxLifespan: ssoSessionMaxLifespan * 2,
offlineSessionMaxLifespanEnabled: true,
// Client session settings
clientSessionMaxLifespan: accessTokenLifespan,
clientSessionIdleTimeout: Math.min(accessTokenLifespan, ssoSessionIdleTimeout),
});
console.log(`Realm '${realmName}' created successfully with token settings:`);
console.log(` - Access Token Lifespan: ${accessTokenLifespan} seconds (${accessTokenLifespan/60} minutes)`);
console.log(` - Refresh Token Lifespan: ${refreshTokenLifespan} seconds (${refreshTokenLifespan/60} minutes)`);
console.log(` - SSO Session Max: ${ssoSessionMaxLifespan} seconds (${ssoSessionMaxLifespan/60} minutes)`);
console.log(` - SSO Session Idle: ${ssoSessionIdleTimeout} seconds (${ssoSessionIdleTimeout/60} minutes)`);
} catch (error) {
console.error("An error occurred:", error);
// eslint-disable-next-line unicorn/no-process-exit
process.exit(1);
}
};
main();
Reference in New Issue View Git Blame Copy Permalink