Add necessary token claim to access admin in dev mode

2024-12-16 18:02:52 +01:00 · 2024-12-16 18:02:52 +01:00 · 5d3b7c9a82
commit 5d3b7c9a82
parent 95b9b12a3b
3 changed files with 111 additions and 12 deletions
--- a/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
+++ b/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
@ -39,7 +39,14 @@ export type ParsedRealmJson = {
            "post.logout.redirect.uris"?: string;
        };
        protocol?: string;
-        protocolMappers?: unknown[];
+        protocolMappers?: {
+            id: string;
+            name: string;
+            protocol: string; // "openid-connect" or something else
+            protocolMapper: string; // "oidc-hardcoded-claim-mapper" or something else
+            consentRequired: boolean;
+            config?: Record<string, string>;
+        }[];
    }[];
 };

@ -89,7 +96,18 @@ const zParsedRealmJson = (() => {
                    })
                    .optional(),
                protocol: z.string().optional(),
-                protocolMappers: z.array(z.unknown()).optional()
+                protocolMappers: z
+                    .array(
+                        z.object({
+                            id: z.string(),
+                            name: z.string(),
+                            protocol: z.string(),
+                            protocolMapper: z.string(),
+                            consentRequired: z.boolean(),
+                            config: z.record(z.string()).optional()
+                        })
+                    )
+                    .optional()
            })
        )
    });
--- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json
+++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json
@ -985,6 +985,24 @@
                        "claim.name": "locale",
                        "jsonType.label": "String"
                    }
+                },
+                {
+                    "id": "8fd0d584-7052-4d04-a615-d18a71050873",
+                    "name": "allowed-origins",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-hardcoded-claim-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "introspection.token.claim": "true",
+                        "claim.value": "[\"*\"]",
+                        "userinfo.token.claim": "true",
+                        "id.token.claim": "false",
+                        "lightweight.claim": "false",
+                        "access.token.claim": "true",
+                        "claim.name": "allowed-origins",
+                        "jsonType.label": "JSON",
+                        "access.tokenResponse.claim": "false"
+                    }
                }
            ],
            "defaultClientScopes": [
@ -1640,13 +1658,13 @@
                "config": {
                    "allowed-protocol-mapper-types": [
                        "oidc-usermodel-property-mapper",
-                        "saml-user-attribute-mapper",
                        "saml-user-property-mapper",
-                        "oidc-full-name-mapper",
-                        "oidc-sha256-pairwise-sub-mapper",
                        "oidc-address-mapper",
+                        "saml-user-attribute-mapper",
+                        "saml-role-list-mapper",
+                        "oidc-sha256-pairwise-sub-mapper",
                        "oidc-usermodel-attribute-mapper",
-                        "saml-role-list-mapper"
+                        "oidc-full-name-mapper"
                    ]
                }
            },
@ -1676,14 +1694,14 @@
                "subComponents": {},
                "config": {
                    "allowed-protocol-mapper-types": [
-                        "oidc-sha256-pairwise-sub-mapper",
                        "saml-user-attribute-mapper",
-                        "oidc-usermodel-property-mapper",
                        "oidc-full-name-mapper",
-                        "saml-role-list-mapper",
+                        "oidc-sha256-pairwise-sub-mapper",
                        "saml-user-property-mapper",
-                        "oidc-usermodel-attribute-mapper",
-                        "oidc-address-mapper"
+                        "oidc-usermodel-property-mapper",
+                        "saml-role-list-mapper",
+                        "oidc-address-mapper",
+                        "oidc-usermodel-attribute-mapper"
                    ]
                }
            },
--- a/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts
+++ b/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts
@ -276,7 +276,7 @@ function editAccountConsoleAndSecurityAdminConsole(params: {
 }) {
    const { parsedRealmJson } = params;

-    for (const clientId of ["account-console", "security-admin-console"]) {
+    for (const clientId of ["account-console", "security-admin-console"] as const) {
        const client = parsedRealmJson.clients.find(
            client => client.clientId === clientId
        );
@ -298,5 +298,68 @@ function editAccountConsoleAndSecurityAdminConsole(params: {
        (client.attributes ??= {})["post.logout.redirect.uris"] = "+";

        client.webOrigins = ["*"];
+
+        admin_specific: {
+            if (clientId !== "security-admin-console") {
+                break admin_specific;
+            }
+
+            const protocolMapper_preexisting = client.protocolMappers?.find(
+                protocolMapper => {
+                    if (protocolMapper.protocolMapper !== "oidc-hardcoded-claim-mapper") {
+                        return false;
+                    }
+
+                    if (protocolMapper.protocol !== "openid-connect") {
+                        return false;
+                    }
+
+                    if (protocolMapper.config === undefined) {
+                        return false;
+                    }
+
+                    if (protocolMapper.config["claim.name"] !== "allowed-origins") {
+                        return false;
+                    }
+
+                    return true;
+                }
+            );
+
+            let protocolMapper: NonNullable<typeof protocolMapper_preexisting>;
+
+            const config = {
+                "introspection.token.claim": "true",
+                "claim.value": '["*"]',
+                "userinfo.token.claim": "true",
+                "id.token.claim": "false",
+                "lightweight.claim": "false",
+                "access.token.claim": "true",
+                "claim.name": "allowed-origins",
+                "jsonType.label": "JSON",
+                "access.tokenResponse.claim": "false"
+            };
+
+            if (protocolMapper_preexisting !== undefined) {
+                protocolMapper = protocolMapper_preexisting;
+            } else {
+                protocolMapper = {
+                    id: "8fd0d584-7052-4d04-a615-d18a71050873",
+                    name: "allowed-origins",
+                    protocol: "openid-connect",
+                    protocolMapper: "oidc-hardcoded-claim-mapper",
+                    consentRequired: false,
+                    config
+                };
+
+                (client.protocolMappers ??= []).push(protocolMapper);
+            }
+
+            assert(protocolMapper.config !== undefined);
+
+            if (config !== protocolMapper.config) {
+                Object.assign(protocolMapper.config, config);
+            }
+        }
    }
 }