diff --git a/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts b/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
index ed67d501..396a13d1 100644
--- a/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
+++ b/src/bin/start-keycloak/realmConfig/ParsedRealmJson.ts
@@ -39,7 +39,14 @@ export type ParsedRealmJson = {
 "post.logout.redirect.uris"?: string;
 };
 protocol?: string;
- protocolMappers?: unknown[];
+ protocolMappers?: {
+ id: string;
+ name: string;
+ protocol: string; // "openid-connect" or something else
+ protocolMapper: string; // "oidc-hardcoded-claim-mapper" or something else
+ consentRequired: boolean;
+ config?: Record;
+ }[];
 }[];
 };
@@ -89,7 +96,18 @@ const zParsedRealmJson = (() => {
 })
 .optional(),
 protocol: z.string().optional(),
- protocolMappers: z.array(z.unknown()).optional()
+ protocolMappers: z
+ .array(
+ z.object({
+ id: z.string(),
+ name: z.string(),
+ protocol: z.string(),
+ protocolMapper: z.string(),
+ consentRequired: z.boolean(),
+ config: z.record(z.string()).optional()
+ })
+ )
+ .optional()
 })
 )
 });
diff --git a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json
index 1ae0dcd7..f26c4aed 100644
--- a/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json
+++ b/src/bin/start-keycloak/realmConfig/defaultConfig/realm-kc-26.json
@@ -985,6 +985,24 @@
 "claim.name": "locale",
 "jsonType.label": "String"
 }
+ },
+ {
+ "id": "8fd0d584-7052-4d04-a615-d18a71050873",
+ "name": "allowed-origins",
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-hardcoded-claim-mapper",
+ "consentRequired": false,
+ "config": {
+ "introspection.token.claim": "true",
+ "claim.value": "[\"*\"]",
+ "userinfo.token.claim": "true",
+ "id.token.claim": "false",
+ "lightweight.claim": "false",
+ "access.token.claim": "true",
+ "claim.name": "allowed-origins",
+ "jsonType.label": "JSON",
+ "access.tokenResponse.claim": "false"
+ }
 }
 ],
 "defaultClientScopes": [
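Review bot: The new `z.object` for `protocolMappers` in the second hunk (`@@ -89,7 +96,18 @@`) makes `id`, `name` and `consentRequired` mandatory for every mapper of every client in a user-supplied realm file, where the previous `z.array(z.unknown())` accepted anything, so a realm export or hand-edited file that omits one of them (if Keycloak tolerates that on import) would now be rejected by schema validation instead of loading. The only consumer visible in this diff (`prepareRealmConfig.ts`) compares `protocol`, `protocolMapper` and `config["claim.name"]` and never reads the other three, so I would relax them with `id: z.string().optional(), name: z.string().optional(), consentRequired: z.boolean().optional()` and mirror that with `?` on the same fields in the type of the first hunk. The `// "openid-connect" or something else` comments in the type would be more useful if they named what the code depends on, e.g. `// e.g. "openid-connect"; prepareRealmConfig only checks for that value`.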
@@ -1640,13 +1658,13 @@
 "config": {
 "allowed-protocol-mapper-types": [
 "oidc-usermodel-property-mapper",
- "saml-user-attribute-mapper",
 "saml-user-property-mapper",
- "oidc-full-name-mapper",
- "oidc-sha256-pairwise-sub-mapper",
 "oidc-address-mapper",
+ "saml-user-attribute-mapper",
+ "saml-role-list-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
 "oidc-usermodel-attribute-mapper",
- "saml-role-list-mapper"
+ "oidc-full-name-mapper"
 ]
 }
 },
@@ -1676,14 +1694,14 @@
 "subComponents": {},
 "config": {
 "allowed-protocol-mapper-types": [
- "oidc-sha256-pairwise-sub-mapper",
 "saml-user-attribute-mapper",
- "oidc-usermodel-property-mapper",
 "oidc-full-name-mapper",
- "saml-role-list-mapper",
+ "oidc-sha256-pairwise-sub-mapper",
 "saml-user-property-mapper",
- "oidc-usermodel-attribute-mapper",
- "oidc-address-mapper"
+ "oidc-usermodel-property-mapper",
+ "saml-role-list-mapper",
+ "oidc-address-mapper",
+ "oidc-usermodel-attribute-mapper"
 ]
 }
 },
diff --git a/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts b/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts
index e97bf3ca..335f04bf 100644
--- a/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts
+++ b/src/bin/start-keycloak/realmConfig/prepareRealmConfig.ts
@@ -276,7 +276,7 @@ function editAccountConsoleAndSecurityAdminConsole(params: {
 }) {
 const { parsedRealmJson } = params;
- for (const clientId of ["account-console", "security-admin-console"]) {
+ for (const clientId of ["account-console", "security-admin-console"] as const) {
 const client = parsedRealmJson.clients.find(
 client => client.clientId === clientId
 );
@@ -298,5 +298,68 @@ function editAccountConsoleAndSecurityAdminConsole(params: {
 (client.attributes ??= {})["post.logout.redirect.uris"] = "+";
 client.webOrigins = ["*"];
+
+ admin_specific: {
+ if (clientId !== "security-admin-console") {
+ break admin_specific;
+ }
+
+ const protocolMapper_preexisting = client.protocolMappers?.find(
+ protocolMapper => {
+ if (protocolMapper.protocolMapper !== "oidc-hardcoded-claim-mapper") {
+ return false;
+ }
+
+ if (protocolMapper.protocol !== "openid-connect") {
+ return false;
+ }
+
+ if (protocolMapper.config === undefined) {
+ return false;
+ }
+
+ if (protocolMapper.config["claim.name"] !== "allowed-origins") {
+ return false;
+ }
+
+ return true;
+ }
+ );
+
+ let protocolMapper: NonNullable;
+
+ const config = {
+ "introspection.token.claim": "true",
+ "claim.value": '["*"]',
+ "userinfo.token.claim": "true",
+ "id.token.claim": "false",
+ "lightweight.claim": "false",
+ "access.token.claim": "true",
+ "claim.name": "allowed-origins",
+ "jsonType.label": "JSON",
+ "access.tokenResponse.claim": "false"
+ };
+
+ if (protocolMapper_preexisting !== undefined) {
+ protocolMapper = protocolMapper_preexisting;
+ } else {
+ protocolMapper = {
+ id: "8fd0d584-7052-4d04-a615-d18a71050873",
+ name: "allowed-origins",
+ protocol: "openid-connect",
+ protocolMapper: "oidc-hardcoded-claim-mapper",
+ consentRequired: false,
+ config
+ };
+
+ (client.protocolMappers ??= []).push(protocolMapper);
+ }
+
+ assert(protocolMapper.config !== undefined);
+
+ if (config !== protocolMapper.config) {
+ Object.assign(protocolMapper.config, config);
+ }
+ }
 }
 }
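Review bot: `Object.assign(protocolMapper.config, config)` at the end of the hunk silently overwrites a pre-existing `allowed-origins` mapper's `claim.value` with `'["*"]'` (and resets the `*.token.claim` flags), so a realm author who had narrowed that claim to specific origins loses the setting without any log line; given this lives under `start-keycloak` that is presumably intended for the dev realm, but nothing in the hunk says so or marks the resulting realm as unsuitable for reuse elsewhere. I would add above `const config = {` a comment along the lines of `// Dev realm only: force a wildcard "allowed-origins" claim into the admin console's tokens (matching client.webOrigins = ["*"] above); any narrower value from the realm file is deliberately overridden.`, adjusted if the motivation differs. Two style points: the labeled block `admin_specific: { if (clientId !== "security-admin-console") { break admin_specific; } … }` reads more plainly as `if (clientId === "security-admin-console") { … }` (the `as const` from the previous hunk already narrows `clientId`), and the four sequential `if … return false` checks inside `find` could be one boolean expression. The function's header is outside this hunk.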