equipes keycloak flow

2025-05-03 17:22:34 +02:00 · 2025-05-03 17:22:34 +02:00 · 15f976d134
commit 15f976d134
parent f2260ba8fb
1 changed files with 40 additions and 16 deletions
--- a/lib/keycloak.ts
+++ b/lib/keycloak.ts
@ -35,43 +35,67 @@ export async function getKeycloakAdminClient(): Promise<KcAdminClient> {
    throw new Error('Missing Keycloak URL configuration');
  }

-  if (!adminClientId || !adminUsername || !adminPassword || !realmName) {
+  if (!adminClientId || !realmName) {
    const missing = [];
    if (!adminClientId) missing.push('KEYCLOAK_CLIENT_ID');
-    if (!adminUsername) missing.push('KEYCLOAK_ADMIN_USERNAME');
-    if (!adminPassword) missing.push('KEYCLOAK_ADMIN_PASSWORD');
    if (!realmName) missing.push('KEYCLOAK_REALM');
    
-    console.error(`Missing Keycloak admin credentials in .env: ${missing.join(', ')}`);
-    throw new Error('Missing Keycloak admin credentials');
+    console.error(`Missing Keycloak client credentials in .env: ${missing.join(', ')}`);
+    throw new Error('Missing Keycloak client credentials');
  }

-  console.log(`Connecting to Keycloak at ${keycloakUrl}, realm: ${realmName}`);
+  // We'll try various authentication methods depending on what credentials we have
+  if (!clientSecret && (!adminUsername || !adminPassword)) {
+    console.error('Missing credentials for Keycloak authentication. Need either a client secret or username/password.');
+    throw new Error('Missing Keycloak authentication credentials');
+  }
+
+  console.log(`Connecting to Keycloak at ${keycloakUrl}, realm: ${realmName}, client: ${adminClientId}`);
  
  try {
    const kcAdminClient = new KcAdminClient({
      baseUrl: keycloakUrl,
-      realmName: 'master', // Use master realm to manage other realms
+      realmName: 'master', // Use master realm for admin operations
+    });
+
+    // Log auth configuration (don't log the actual secret or password)
+    console.log('Auth configuration:', {
+      clientId: adminClientId,
+      hasClientSecret: !!clientSecret,
+      hasUsername: !!adminUsername,
+      hasPassword: !!adminPassword,
+      authUrl: `${keycloakUrl}/realms/master/protocol/openid-connect/token`
    });

    // Authenticate admin client
-    const authParams: Credentials = {
-      clientId: adminClientId,
-      username: adminUsername,
-      password: adminPassword,
-      grantType: 'password',
-    };
+    let authParams: Credentials;
    
-    // Add client secret if available
+    // If we have a client secret, try to use client credentials grant
    if (clientSecret) {
-      authParams.clientSecret = clientSecret;
+      console.log('Using client credentials grant with client secret');
+      authParams = {
+        clientId: adminClientId,
+        clientSecret: clientSecret,
+        grantType: 'client_credentials'
+      };
+    } else {
+      // Fall back to password grant
+      console.log('Using password grant without client secret');
+      authParams = {
+        clientId: adminClientId,
+        username: adminUsername,
+        password: adminPassword,
+        grantType: 'password'
+      };
    }
    
    await kcAdminClient.auth(authParams);

    console.log('Successfully authenticated with Keycloak admin client');

-    // Set the target realm to work with
+    // Now that we're authenticated, we can specify the realm we want to work with
+    // This could be different from the authentication realm (master)
+    console.log(`Setting target realm to: ${realmName}`);
    kcAdminClient.setConfig({
      realmName: realmName,
    });