@culturefy/shared 1.0.28 → 1.0.29

package/build/cjs/service/keycloak.service.js

@@ -0,0 +1,1003 @@
+"use strict";
+
+exports.__esModule = true;
+exports.KeycloakAdminService = void 0;
+var _axios = _interopRequireDefault(require("axios"));
+function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
+// keycloak-admin.service.ts
+
+class KeycloakAdminService {
+  constructor(context, config) {
+    this.context = void 0;
+    this.baseUrl = void 0;
+    this.adminClientId = void 0;
+    this.adminClientSecret = void 0;
+    this.axiosInstance = void 0;
+    this.accessToken = null;
+    this.context = context;
+    if (!config.baseUrl || !config.adminClientId || !config.adminClientSecret) {
+      this.context.error("Missing required configuration");
+      throw new Error('Missing required configuration');
+    }
+    this.baseUrl = config.baseUrl;
+    this.adminClientId = config.adminClientId;
+    this.adminClientSecret = config.adminClientSecret;
+    try {
+      this.axiosInstance = _axios.default.create({
+        baseURL: this.baseUrl
+      });
+    } catch (error) {
+      this.context.error("Error in createAxiosInstance", error);
+      throw error;
+    }
+  }
+  async authenticate() {
+    try {
+      const params = new URLSearchParams();
+      params.append('grant_type', 'client_credentials');
+      params.append('client_id', this.adminClientId);
+      params.append('client_secret', this.adminClientSecret);
+      this.context.log(`Params: ${JSON.stringify(params)}`);
+      const response = await this.axiosInstance.post('/realms/master/protocol/openid-connect/token', params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
+      });
+      if (response.status !== 200) {
+        throw new Error(`Failed to authenticate: ${JSON.stringify(response.data)}`);
+      }
+      // this.context.log(`Response: ${JSON.stringify(response.data)}`);
+
+      const data = response.data;
+      this.accessToken = data.access_token;
+      this.axiosInstance.defaults.headers.common['Authorization'] = `Bearer ${this.accessToken}`;
+      return data;
+    } catch (error) {
+      this.context.error("Error in authenticate", error);
+      throw error;
+    }
+  }
+  async authenticateRelmClient(realm, clientId) {
+    try {
+      const clientUUID = await this.getClientUUID(realm, clientId);
+      if (!clientUUID) {
+        throw new Error(`Client UUID for "${clientId}" not found`);
+      }
+      const clientSecret = await this.getClientSecret(realm, clientId);
+      if (!clientSecret) {
+        throw new Error(`Client secret for "${clientId}" not found`);
+      }
+      const params = new URLSearchParams();
+      params.append('grant_type', 'client_credentials');
+      params.append('client_id', clientId);
+      params.append('client_secret', clientSecret);
+      const response = await this.axiosInstance.post(`/realms/${realm}/protocol/openid-connect/token`, params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
+      });
+      if (response.status !== 200) {
+        throw new Error(`Failed to authenticate realm client: ${JSON.stringify(response.data)}`);
+      }
+      // this.context.log(`Response: ${JSON.stringify(response.data)}`);
+
+      const data = response.data;
+      this.accessToken = data.access_token;
+      this.axiosInstance.defaults.headers.common['Authorization'] = `Bearer ${this.accessToken}`;
+      return data;
+    } catch (error) {
+      this.context.error("Error in authenticateRelmClient", error);
+      throw error;
+    }
+  }
+  async createRealm(realm) {
+    try {
+      var _realm$enabled;
+      this.context.log(`Realm: ${JSON.stringify(realm)}`);
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.post('/admin/realms', {
+        realm: realm.realm,
+        id: realm.realm,
+        displayName: realm.displayName || realm.realm,
+        enabled: (_realm$enabled = realm.enabled) != null ? _realm$enabled : true,
+        sslRequired: 'external',
+        bruteForceProtected: true,
+        eventsEnabled: false
+      });
+      if (response.status !== 201) {
+        throw new Error(`Failed to create realm: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Response: Successfully created realm`);
+      return;
+    } catch (error) {
+      this.context.error("Error in createRealm", error);
+      throw error;
+    }
+  }
+  async createClient(realm, client) {
+    try {
+      var _client$publicClient, _client$directAccessG, _client$standardFlowE, _client$implicitFlowE, _client$serviceAccoun, _client$authorization, _client$bearerOnly, _client$consentRequir, _client$fullScopeAllo;
+      this.context.log(`Realm name: ${realm}`);
+      this.context.log(`Creating client: ${JSON.stringify(client)}`);
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.post(`/admin/realms/${realm}/clients`, {
+        clientId: client.clientId,
+        name: client.name,
+        description: client.description,
+        enabled: client.enabled,
+        protocol: client.protocol || 'openid-connect',
+        publicClient: (_client$publicClient = client.publicClient) != null ? _client$publicClient : false,
+        secret: client.secret || null,
+        directAccessGrantsEnabled: (_client$directAccessG = client.directAccessGrantsEnabled) != null ? _client$directAccessG : true,
+        standardFlowEnabled: (_client$standardFlowE = client.standardFlowEnabled) != null ? _client$standardFlowE : true,
+        implicitFlowEnabled: (_client$implicitFlowE = client.implicitFlowEnabled) != null ? _client$implicitFlowE : false,
+        serviceAccountsEnabled: (_client$serviceAccoun = client.serviceAccountsEnabled) != null ? _client$serviceAccoun : true,
+        authorizationServicesEnabled: (_client$authorization = client.authorizationServicesEnabled) != null ? _client$authorization : true,
+        redirectUris: client.redirectUris || [],
+        webOrigins: client.webOrigins || [],
+        bearerOnly: (_client$bearerOnly = client.bearerOnly) != null ? _client$bearerOnly : false,
+        consentRequired: (_client$consentRequir = client.consentRequired) != null ? _client$consentRequir : false,
+        fullScopeAllowed: (_client$fullScopeAllo = client.fullScopeAllowed) != null ? _client$fullScopeAllo : true,
+        attributes: client.attributes || {
+          tls_client_certificate_bound_access_tokens: "false",
+          client_credentials_use_refresh_token: "true"
+        }
+      });
+      if (response.status !== 201) {
+        throw new Error(`Failed to create client: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Response: ${JSON.stringify(response.data)}`);
+      return;
+    } catch (error) {
+      this.context.error("Error in createClient", error);
+      throw error;
+    }
+  }
+  async getClient(realm, clientId, clientUUID) {
+    try {
+      this.context.log(`Realm: ${realm}`);
+      this.context.log(`Client ID: ${clientId}`);
+      await this.authenticateRelmClient(realm, clientId);
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/clients/${clientUUID}`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get client: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`(getClient) Client: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in getClient", error);
+      throw error;
+    }
+  }
+  async getClientUUID(realm, clientId) {
+    try {
+      this.context.log(`Realm: ${realm}`);
+      this.context.log(`Client ID: ${clientId}`);
+      await this.authenticate();
+      // this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/clients`, {
+        params: {
+          clientId
+        }
+      });
+      if (response.status !== 200) {
+        throw new Error(`Failed to get clients: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Clients: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      const client = data.find(c => c.clientId == clientId);
+      this.context.log(`(getClientUUID) Client: ${JSON.stringify(client)}`);
+      if (!client) {
+        throw new Error(`Client "${clientId}" not found`);
+      }
+      return client.id;
+    } catch (error) {
+      this.context.error("Error in getClientUUID", error);
+      throw error;
+    }
+  }
+  async getServiceAccountUserId(realm, clientUUID) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/clients/${clientUUID}/service-account-user`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get service account user: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Service account user: ${JSON.stringify(response.data)}`);
+      return response.data.id;
+    } catch (error) {
+      this.context.error("Error in getServiceAccountUserId", error);
+      throw error;
+    }
+  }
+  async getAllRoles(realm, clientUUID) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/clients/${clientUUID}/roles`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get all roles: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`All roles: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in getAllRoles", error);
+      throw error;
+    }
+  }
+  async getAssignedRoles(realm, userId, clientUUID) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/users/${userId}/role-mappings/clients/${clientUUID}`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get assigned roles: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Assigned roles: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in getAssignedRoles", error);
+      throw error;
+    }
+  }
+  async assignRolesToServiceAccount(realm, userId, clientUUID, roles) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      // According to Keycloak REST API documentation, we need to send role objects, not just IDs
+      const roleMappings = roles.map(role => ({
+        id: role.id,
+        name: role.name,
+        description: role.description,
+        composite: role.composite,
+        clientRole: role.clientRole,
+        containerId: role.containerId
+      }));
+      const response = await this.axiosInstance.post(`/admin/realms/${realm}/users/${userId}/role-mappings/clients/${clientUUID}`, roleMappings);
+      if (response.status !== 204) {
+        throw new Error(`Failed to assign roles to service account: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Response: ${JSON.stringify(response.data)}`);
+      return;
+    } catch (error) {
+      this.context.error("Error in assignRolesToServiceAccount", error);
+      throw error;
+    }
+  }
+  async assignAllRealmMgmtRolesToClient(realm, clientId) {
+    try {
+      this.context.log(`🔍 Getting UUID for clientId = ${clientId}`);
+      const clientUUID = await this.getClientUUID(realm, clientId);
+      this.context.log(`🔍 Getting UUID for realm-management`);
+      const realmMgmtUUID = await this.getClientUUID(realm, "realm-management");
+      this.context.log(`🔍 Getting service account user for ${clientId}`);
+      const serviceUserId = await this.getServiceAccountUserId(realm, clientUUID);
+      this.context.log(`🔍 Fetching all roles from realm-management`);
+      const allRoles = await this.getAllRoles(realm, realmMgmtUUID);
+      this.context.log(`🔍 Fetching already assigned roles`);
+      const assignedRoles = await this.getAssignedRoles(realm, serviceUserId, realmMgmtUUID);
+      const assignedNames = new Set(assignedRoles.map(r => r.name));
+      const unassignedRoles = allRoles.filter(r => !assignedNames.has(r.name));
+      this.context.log(`✅ Found ${unassignedRoles.length} unassigned roles`);
+      if (unassignedRoles.length) {
+        this.context.log(`🚀 Assigning roles to service account`);
+        await this.assignRolesToServiceAccount(realm, serviceUserId, realmMgmtUUID, unassignedRoles);
+        this.context.log("✅ Roles successfully assigned!");
+      } else {
+        this.context.log("ℹ️ All roles are already assigned.");
+      }
+    } catch (error) {
+      this.context.error("Error in assignAllRealmMgmtRolesToClient", error);
+      throw error;
+    }
+  }
+  async assignAllAccountMgmtRolesToClient(realm, clientId) {
+    try {
+      this.context.log(`🔍 Getting UUID for clientId = ${clientId}`);
+      const clientUUID = await this.getClientUUID(realm, clientId);
+      this.context.log(`🔍 Getting UUID for account`);
+      const accountMgmtUUID = await this.getClientUUID(realm, "account");
+      this.context.log(`🔍 Getting service account user for ${clientId}`);
+      const serviceUserId = await this.getServiceAccountUserId(realm, clientUUID);
+      this.context.log(`🔍 Fetching all roles from account`);
+      const allRoles = await this.getAllRoles(realm, accountMgmtUUID);
+      this.context.log(`🔍 Fetching already assigned roles`);
+      const assignedRoles = await this.getAssignedRoles(realm, serviceUserId, accountMgmtUUID);
+      const assignedNames = new Set(assignedRoles.map(r => r.name));
+      const unassignedRoles = allRoles.filter(r => !assignedNames.has(r.name));
+      this.context.log(`✅ Found ${unassignedRoles.length} unassigned roles`);
+      if (unassignedRoles.length) {
+        this.context.log(`🚀 Assigning roles to service account`);
+        await this.assignRolesToServiceAccount(realm, serviceUserId, accountMgmtUUID, unassignedRoles);
+        this.context.log("✅ Roles successfully assigned!");
+      } else {
+        this.context.log("ℹ️ All roles are already assigned.");
+      }
+    } catch (error) {
+      this.context.error("Error in assignAllAccountMgmtRolesToClient", error);
+      throw error;
+    }
+  }
+  async assignAllBrokerMgmtRolesToClient(realm, clientId) {
+    try {
+      this.context.log(`🔍 Getting UUID for clientId = ${clientId}`);
+      const clientUUID = await this.getClientUUID(realm, clientId);
+      this.context.log(`🔍 Getting UUID for broker`);
+      const brokerMgmtUUID = await this.getClientUUID(realm, "broker");
+      this.context.log(`🔍 Getting service broker user for ${clientId}`);
+      const serviceUserId = await this.getServiceAccountUserId(realm, clientUUID);
+      this.context.log(`🔍 Fetching all roles from broker`);
+      const allRoles = await this.getAllRoles(realm, brokerMgmtUUID);
+      this.context.log(`🔍 Fetching already assigned roles`);
+      const assignedRoles = await this.getAssignedRoles(realm, serviceUserId, brokerMgmtUUID);
+      const assignedNames = new Set(assignedRoles.map(r => r.name));
+      const unassignedRoles = allRoles.filter(r => !assignedNames.has(r.name));
+      this.context.log(`✅ Found ${unassignedRoles.length} unassigned roles`);
+      if (unassignedRoles.length) {
+        this.context.log(`🚀 Assigning roles to service account`);
+        await this.assignRolesToServiceAccount(realm, serviceUserId, brokerMgmtUUID, unassignedRoles);
+        this.context.log("✅ Roles successfully assigned!");
+      } else {
+        this.context.log("ℹ️ All roles are already assigned.");
+      }
+    } catch (error) {
+      this.context.error("Error in assignAllBrokerMgmtRolesToClient", error);
+      throw error;
+    }
+  }
+  async getClientSecret(realm, clientId) {
+    try {
+      this.context.log(`Realm: ${realm}`);
+      this.context.log(`Client ID: ${clientId}`);
+      await this.authenticate();
+      // this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      const clientUUID = await this.getClientUUID(realm, clientId);
+      if (!clientUUID) {
+        throw new Error(`Failed to get UUID for client "${clientId}"`);
+      }
+      this.context.log(`Client UUID: ${clientUUID}`);
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/clients/${clientUUID}/client-secret`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get client secret: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Client secret: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data.value;
+    } catch (error) {
+      this.context.error("Error in getClientSecret", error);
+      throw error;
+    }
+  }
+  async createUser(realm, clientId, user) {
+    try {
+      this.context.log(`Realm name: ${realm}`);
+      this.context.log(`Client ID: ${clientId}`);
+      this.context.log(`User: ${JSON.stringify(user)}`);
+      await this.authenticateRelmClient(realm, clientId);
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.post(`/admin/realms/${realm}/users`, {
+        username: user.username,
+        email: user.email,
+        firstName: user.firstName,
+        lastName: user.lastName,
+        enabled: true,
+        emailVerified: true,
+        credentials: [{
+          type: "password",
+          value: user.password,
+          temporary: true // true if user must reset on first login
+        }],
+        requiredActions: [
+        // Options: "VERIFY_EMAIL", "UPDATE_PROFILE", "UPDATE_PASSWORD", "CONFIGURE_TOTP"
+        "UPDATE_PASSWORD"],
+        realmRoles: [
+        // Optional: assign realm-level roles
+        "offline_access", "uma_authorization"],
+        groups: [
+          // Optional: assign to realm groups
+          // "/devs",
+          // "/admins"
+        ],
+        federationLink: null,
+        // for federated identity provider
+        totp: false,
+        // TOTP is not configured initially
+        disableableCredentialTypes: [],
+        // Optional advanced fields
+        notBefore: 0,
+        access: {
+          manage: true
+        }
+      });
+      if (response.status !== 201) {
+        throw new Error(`Failed to create user: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Response: ${JSON.stringify(response.data)}`);
+      return;
+    } catch (error) {
+      this.context.error("Error in createUser", error);
+      throw error;
+    }
+  }
+  async listUsers(realm) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/users`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to list users: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`Users: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in listUsers", error);
+      throw error;
+    }
+  }
+  async getUser(realm, userId) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/users/${userId}`);
+      if (response.status !== 200) {
+        throw new Error(`Failed to get user: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`User: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in getUser", error);
+      throw error;
+    }
+  }
+  async getUserByUsername(realm, username) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/users`, {
+        params: {
+          username
+        }
+      });
+      if (response.status !== 200) {
+        throw new Error(`Failed to get user by username: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`User: ${JSON.stringify(response.data)}`);
+      if (response.data.length === 0) {
+        throw new Error(`User "${username}" not found`);
+      }
+      const data = response.data[0];
+      return data;
+    } catch (error) {
+      this.context.error("Error in getUserByUsername", error);
+      throw error;
+    }
+  }
+  async getUserByEmail(realm, email) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.get(`/admin/realms/${realm}/users`, {
+        params: {
+          email
+        }
+      });
+      if (response.status !== 200) {
+        throw new Error(`Failed to get user by email: ${JSON.stringify(response.data)}`);
+      }
+      this.context.log(`User: ${JSON.stringify(response.data)}`);
+      if (response.data.length === 0) {
+        throw new Error(`User "${email}" not found`);
+      }
+      const data = response.data[0];
+      return data;
+    } catch (error) {
+      this.context.error("Error in getUserByEmail", error);
+      throw error;
+    }
+  }
+  async login(realm, clientId, user) {
+    try {
+      this.context.log(`Realm name: ${realm}`);
+      this.context.log(`Client ID: ${clientId}`);
+      this.context.log(`User: ${JSON.stringify(user)}`);
+      await this.authenticateRelmClient(realm, clientId);
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const clientSecret = await this.getClientSecret(realm, clientId);
+      if (!clientSecret) {
+        throw new Error(`Client secret for "${clientId}" not found`);
+      }
+      const loginIdentifier = user.username || user.email;
+      const params = new URLSearchParams();
+      params.append('grant_type', 'password');
+      params.append('username', loginIdentifier);
+      params.append('password', user.password);
+      params.append('client_id', clientId);
+      params.append('client_secret', clientSecret);
+      this.context.log(`Params: ${JSON.stringify(params)}`);
+      const response = await this.axiosInstance.post(`/realms/${realm}/protocol/openid-connect/token`, params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
+      });
+      if (response.status !== 200) {
+        this.context.error(`Response: ${JSON.stringify(response.data)}`);
+        if (response.data.error === 'invalid_grant') {
+          if (response.data.error_description === 'Account is not fully set up') {
+            throw new Error(`Please reset your password`);
+          }
+          if (response.data.error_description === 'Invalid user credentials') {
+            throw new Error(`Invalid username or password`);
+          }
+        } else if (response.data.error === 'invalid_token') {
+          throw new Error(`Invalid token`);
+        } else if (response.data.error === 'invalid_client') {
+          throw new Error(`Invalid client`);
+        } else if (response.data.error === 'invalid_request') {
+          throw new Error(`Invalid request`);
+        }
+        throw new Error(`Failed to login user using keycloak`);
+      }
+      this.context.log(`Response: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      this.context.error("Error in login", error);
+      if ((error == null ? void 0 : error.response.data.error) === 'invalid_grant') {
+        if ((error == null ? void 0 : error.response.data.error_description) === 'Account is not fully set up') {
+          throw new Error(`Please reset your password`);
+        }
+        if ((error == null ? void 0 : error.response.data.error_description) === 'Invalid user credentials') {
+          throw new Error(`Invalid username or password`);
+        }
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_client') {
+        throw new Error(`Invalid client`);
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      throw new Error(`Failed to login user using keycloak`);
+    }
+  }
+  async resetPassword(realm, userId, password) {
+    try {
+      await this.authenticate();
+      this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+      const response = await this.axiosInstance.put(`/admin/realms/${realm}/users/${userId}/reset-password`, {
+        type: "password",
+        value: password,
+        temporary: false
+      });
+      if (response.status !== 204) {
+        throw new Error(`Failed to reset password: ${JSON.stringify(response.data)}`);
+      }
+      return;
+    } catch (error) {
+      var _error$response;
+      this.context.error("Error in resetPassword", error);
+      if (error != null && (_error$response = error.response) != null && (_error$response = _error$response.data) != null && _error$response.error_description) {
+        var _error$response2;
+        throw new Error(error == null || (_error$response2 = error.response) == null || (_error$response2 = _error$response2.data) == null ? void 0 : _error$response2.error_description);
+      }
+      if ((error == null ? void 0 : error.response.data.error) === 'invalid_grant') {
+        throw new Error(`Invalid grant`);
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_client') {
+        throw new Error(`Invalid client`);
+      } else if ((error == null ? void 0 : error.response.data.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      throw error;
+    }
+  }
+
+  /**
+   * Logout culturefy and revoke refresh token
+   * This method uses Keycloak's standard OpenID Connect logout endpoint
+   * which both logs out the culturefy and invalidates the refresh token
+   * 
+   * @param realm - The Keycloak realm name 
+   * @param clientId - The client ID
+   * @param refreshToken - The refresh token to revoke
+   * @returns Promise<void>
+   */
+  async logout(realm, clientId, refreshToken) {
+    try {
+      this.context.log(`Culturefy Logout - Realm: ${realm}, Client: ${clientId}`);
+      this.context.log(`Culturefy Logout - Refresh Token: ${refreshToken}`);
+      await this.authenticateRelmClient(realm, clientId);
+      // this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      // Try to get client secret, but handle the case where it might not exist
+      let clientSecret = null;
+      try {
+        clientSecret = await this.getClientSecret(realm, clientId);
+      } catch (error) {
+        this.context.warn(`Could not retrieve client secret for ${clientId}:`, error);
+        // For admin-cli, we might not need a client secret
+        clientSecret = null;
+      }
+      const params = new URLSearchParams();
+      params.append('refresh_token', refreshToken || '');
+      params.append('client_id', clientId || '');
+
+      // Only add client_secret if it exists
+      if (clientSecret) {
+        params.append('client_secret', clientSecret || '');
+      }
+      this.context.log(`Culturefy Logout Params: ${JSON.stringify(params)}`);
+      const response = await this.axiosInstance.post(`/realms/${realm}/protocol/openid-connect/logout`, params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
+      });
+      if (response.status !== 200) {
+        this.context.error(`Culturefy Logout Response: ${JSON.stringify(response.data)}`);
+
+        // Handle specific error cases
+        if (response.data.error === 'invalid_grant') {
+          throw new Error(`Invalid refresh token`);
+        } else if (response.data.error === 'invalid_token') {
+          throw new Error(`Invalid token`);
+        } else if (response.data.error === 'invalid_client') {
+          throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+        } else if (response.data.error === 'invalid_request') {
+          throw new Error(`Invalid request`);
+        }
+        throw new Error(`Failed to logout culturefy - check admin-cli client configuration`);
+      }
+      this.context.log(`Culturefy Logout Response: ${JSON.stringify(response.data)}`);
+      return;
+    } catch (error) {
+      var _error$response3, _error$response4, _error$response5, _error$response6, _error$response7;
+      this.context.error("Error in logoutCulturefy", error);
+
+      // Handle specific error cases
+      if ((error == null || (_error$response3 = error.response) == null || (_error$response3 = _error$response3.data) == null ? void 0 : _error$response3.error) === 'invalid_grant') {
+        throw new Error(`Invalid refresh token`);
+      } else if ((error == null || (_error$response4 = error.response) == null || (_error$response4 = _error$response4.data) == null ? void 0 : _error$response4.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null || (_error$response5 = error.response) == null || (_error$response5 = _error$response5.data) == null ? void 0 : _error$response5.error) === 'invalid_client') {
+        throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+      } else if ((error == null || (_error$response6 = error.response) == null || (_error$response6 = _error$response6.data) == null ? void 0 : _error$response6.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      if (error != null && (_error$response7 = error.response) != null && (_error$response7 = _error$response7.data) != null && _error$response7.error_description) {
+        var _error$response8;
+        throw new Error(error == null || (_error$response8 = error.response) == null || (_error$response8 = _error$response8.data) == null ? void 0 : _error$response8.error_description);
+      }
+      throw new Error(`Failed to logout culturefy - check admin-cli client configuration`);
+    }
+  }
+
+  /**
+   * Refresh culturefy access token using refresh token
+   * This method uses Keycloak's standard OpenID Connect token endpoint
+   * to refresh the access token for culturefy users
+   * 
+   * @param realm - The Keycloak realm name
+   * @param clientId - The client ID
+   * @param refreshToken - The refresh token to use for getting new access token
+   * @returns Promise<KeycloakUserLoginResponse> - New access and refresh tokens
+   */
+  async refreshToken(realm, clientId, refreshToken) {
+    try {
+      this.context.log(`Culturefy Token Refresh - Realm: ${realm}, Client: ${clientId}`);
+      await this.authenticate();
+      // this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      // Try to get client secret, but handle the case where it might not exist
+      let clientSecret = null;
+      try {
+        clientSecret = await this.getClientSecret(realm, clientId);
+      } catch (error) {
+        this.context.warn(`Could not retrieve client secret for ${clientId}:`, error);
+        // For admin-cli, we might not need a client secret
+        clientSecret = null;
+      }
+      const params = new URLSearchParams();
+      params.append('grant_type', 'refresh_token');
+      params.append('refresh_token', refreshToken);
+      params.append('client_id', clientId);
+
+      // Only add client_secret if it exists
+      if (clientSecret) {
+        params.append('client_secret', clientSecret);
+      }
+      this.context.log(`Culturefy Token Refresh Params: ${JSON.stringify(params)}`);
+      const response = await this.axiosInstance.post(`/realms/${realm}/protocol/openid-connect/token`, params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        }
+      });
+      if (response.status !== 200) {
+        this.context.error(`Culturefy Token Refresh Response: ${JSON.stringify(response.data)}`);
+
+        // Handle specific error cases
+        if (response.data.error === 'invalid_grant') {
+          if (response.data.error_description === 'Token is not active') {
+            throw new Error(`Refresh token has expired, please login again`);
+          }
+          if (response.data.error_description === 'Invalid refresh token') {
+            throw new Error(`Invalid refresh token`);
+          }
+          throw new Error(`Invalid refresh token`);
+        } else if (response.data.error === 'invalid_token') {
+          throw new Error(`Invalid token`);
+        } else if (response.data.error === 'invalid_client') {
+          throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+        } else if (response.data.error === 'invalid_request') {
+          throw new Error(`Invalid request`);
+        }
+        throw new Error(`Failed to refresh culturefy token - check admin-cli client configuration`);
+      }
+      this.context.log(`Culturefy Token Refresh Response: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+      return data;
+    } catch (error) {
+      var _error$response9, _error$response10, _error$response11, _error$response12, _error$response13;
+      this.context.error("Error in refreshCulturefyToken", error);
+
+      // Handle specific error cases
+      if ((error == null || (_error$response9 = error.response) == null || (_error$response9 = _error$response9.data) == null ? void 0 : _error$response9.error) === 'invalid_grant') {
+        var _error$response0, _error$response1;
+        if ((error == null || (_error$response0 = error.response) == null || (_error$response0 = _error$response0.data) == null ? void 0 : _error$response0.error_description) === 'Token is not active') {
+          throw new Error(`Refresh token has expired, please login again`);
+        }
+        if ((error == null || (_error$response1 = error.response) == null || (_error$response1 = _error$response1.data) == null ? void 0 : _error$response1.error_description) === 'Invalid refresh token') {
+          throw new Error(`Invalid refresh token`);
+        }
+        throw new Error(`Invalid refresh token`);
+      } else if ((error == null || (_error$response10 = error.response) == null || (_error$response10 = _error$response10.data) == null ? void 0 : _error$response10.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null || (_error$response11 = error.response) == null || (_error$response11 = _error$response11.data) == null ? void 0 : _error$response11.error) === 'invalid_client') {
+        throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+      } else if ((error == null || (_error$response12 = error.response) == null || (_error$response12 = _error$response12.data) == null ? void 0 : _error$response12.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      if (error != null && (_error$response13 = error.response) != null && (_error$response13 = _error$response13.data) != null && _error$response13.error_description) {
+        var _error$response14;
+        throw new Error(error == null || (_error$response14 = error.response) == null || (_error$response14 = _error$response14.data) == null ? void 0 : _error$response14.error_description);
+      }
+      throw new Error(`Failed to refresh culturefy token - check admin-cli client configuration`);
+    }
+  }
+
+  /**
+   * Introspect culturefy token to check if it's active
+   * This method uses Keycloak's standard OpenID Connect token introspection endpoint
+   * to verify the active state of a culturefy token
+   * 
+   * @param realm - The Keycloak realm name
+   * @param clientId - The client ID
+   * @param token - The token to introspect
+   * @returns Promise<KeycloakIntrospectTokenResponse> - Token introspection result
+   */
+  async introspectToken(realm, clientId, token) {
+    try {
+      this.context.log(`Culturefy Token Introspection - Realm: ${realm}, Client: ${clientId}`);
+      await this.authenticateRelmClient(realm, clientId);
+      // this.context.log(`Authenticated`, JSON.stringify(this.accessToken));
+
+      // Try to get client secret, but handle the case where it might not exist
+      let clientSecret = null;
+      try {
+        clientSecret = await this.getClientSecret(realm, clientId);
+      } catch (error) {
+        this.context.warn(`Could not retrieve client secret for ${clientId}:`, error);
+        // For admin-cli, we might not need a client secret
+        clientSecret = null;
+      }
+
+      // Create introspection parameters
+      const params = new URLSearchParams();
+      params.append('token', token);
+      this.context.log(`Culturefy Token Introspection Params: ${JSON.stringify(params)}`);
+
+      // Perform the introspection request
+      const response = await this.axiosInstance.post(`/realms/${realm}/protocol/openid-connect/token/introspect`, params, {
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded'
+        },
+        auth: {
+          username: clientId,
+          password: clientSecret || '' // Use empty string if no client secret
+        }
+      });
+      if (response.status !== 200) {
+        this.context.error(`Culturefy Token Introspection Response: ${JSON.stringify(response.data)}`);
+
+        // Handle specific error cases
+        if (response.data.error === 'invalid_token') {
+          throw new Error(`Invalid token`);
+        } else if (response.data.error === 'invalid_client') {
+          throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+        } else if (response.data.error === 'invalid_request') {
+          throw new Error(`Invalid request`);
+        }
+        throw new Error(`Failed to introspect culturefy token - check admin-cli client configuration`);
+      }
+      this.context.log(`Culturefy Token Introspection Response: ${JSON.stringify(response.data)}`);
+      const data = response.data;
+
+      // Check if token is active
+      if (!data.active) {
+        throw new Error(`Token is not active or has expired`);
+      }
+      return data;
+    } catch (error) {
+      var _error$response15, _error$response16, _error$response17, _error$response18;
+      this.context.error("Error in introspectCulturefyToken", error);
+
+      // Handle specific error cases
+      if ((error == null || (_error$response15 = error.response) == null || (_error$response15 = _error$response15.data) == null ? void 0 : _error$response15.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null || (_error$response16 = error.response) == null || (_error$response16 = _error$response16.data) == null ? void 0 : _error$response16.error) === 'invalid_client') {
+        throw new Error(`Invalid client configuration - admin-cli client may not be properly configured`);
+      } else if ((error == null || (_error$response17 = error.response) == null || (_error$response17 = _error$response17.data) == null ? void 0 : _error$response17.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      if (error != null && (_error$response18 = error.response) != null && (_error$response18 = _error$response18.data) != null && _error$response18.error_description) {
+        var _error$response19;
+        throw new Error(error == null || (_error$response19 = error.response) == null || (_error$response19 = _error$response19.data) == null ? void 0 : _error$response19.error_description);
+      }
+      throw new Error(`Failed to introspect culturefy token - check admin-cli client configuration`);
+    }
+  }
+
+  /**
+   * Get user details from a token using Keycloak's userinfo endpoint
+   * This method uses Keycloak's standard OpenID Connect userinfo endpoint
+   * to get the user details associated with the token
+   * 
+   * @param realm - The Keycloak realm name
+   * @param clientId - The client ID
+   * @param token - The access token to get user info for
+   * @returns Promise<KeycloakUserResponse> - User details from the token
+   */
+  async getUserByToken(realm, token) {
+    try {
+      try {
+        const response = await this.axiosInstance.get(`/realms/${realm}/protocol/openid-connect/userinfo`, {
+          headers: {
+            'Authorization': `Bearer ${token}`,
+            'Content-Type': 'application/json'
+          }
+        });
+        if (response.status === 200) {
+          this.context.log(`User info from userinfo endpoint: ${JSON.stringify(response.data)}`);
+
+          // Transform the userinfo response to match KeycloakUserResponse format
+          const userInfo = response.data;
+          const userResponse = {
+            id: userInfo.sub || userInfo.user_id,
+            username: userInfo.preferred_username || userInfo.username,
+            email: userInfo.email,
+            firstName: userInfo.given_name || userInfo.first_name,
+            lastName: userInfo.family_name || userInfo.last_name,
+            emailVerified: userInfo.email_verified || false,
+            enabled: true,
+            // userinfo doesn't provide this, assume true if token is valid
+            createdTimestamp: userInfo.iat ? userInfo.iat * 1000 : 0,
+            totp: false,
+            disableableCredentialTypes: [],
+            requiredActions: [],
+            notBefore: 0,
+            access: {
+              manage: true
+            }
+          };
+          return userResponse;
+        }
+      } catch (userinfoError) {
+        this.context.warn(`Userinfo endpoint failed, trying alternative method:`, userinfoError);
+      }
+      // Method 2: Decode JWT token and extract user ID, then get user details
+      try {
+        // Decode the JWT token to get the user ID
+        const decoded = this.decodeJwtToken(token);
+        if (!decoded || !decoded.sub) {
+          throw new Error('Invalid token or missing user ID');
+        }
+        const userId = decoded.sub;
+        this.context.log(`Extracted user ID from token: ${userId}`);
+
+        // Get user details using the admin API
+        await this.authenticate();
+        const response = await this.axiosInstance.get(`/admin/realms/${realm}/users/${userId}`);
+        if (response.status === 200) {
+          this.context.log(`User details from admin API: ${JSON.stringify(response.data)}`);
+          const userResponse = response.data;
+          return userResponse;
+        }
+      } catch (adminApiError) {
+        this.context.warn(`Admin API method failed:`, adminApiError);
+      }
+
+      // Method 3: Extract user details directly from JWT token claims
+      try {
+        const decoded = this.decodeJwtToken(token);
+        if (decoded) {
+          this.context.log(`Extracting user details from JWT claims: ${JSON.stringify(decoded)}`);
+          const userResponse = {
+            id: decoded.sub,
+            username: decoded.preferred_username || decoded.username,
+            email: decoded.email,
+            firstName: decoded.given_name || decoded.first_name,
+            lastName: decoded.family_name || decoded.last_name,
+            emailVerified: decoded.email_verified || false,
+            enabled: true,
+            createdTimestamp: decoded.iat ? decoded.iat * 1000 : 0,
+            totp: false,
+            disableableCredentialTypes: [],
+            requiredActions: [],
+            notBefore: 0,
+            access: {
+              manage: true
+            }
+            // Note: Additional user attributes are available in decoded token but not in KeycloakUserResponse interface
+          };
+          return userResponse;
+        }
+      } catch (jwtError) {
+        this.context.error(`JWT decoding failed:`, jwtError);
+      }
+      throw new Error('Failed to get user details from culturefy token');
+    } catch (error) {
+      var _error$response20, _error$response21, _error$response22, _error$response23;
+      this.context.error("Error in getUserByCulturefyToken", error);
+      if ((error == null || (_error$response20 = error.response) == null || (_error$response20 = _error$response20.data) == null ? void 0 : _error$response20.error) === 'invalid_token') {
+        throw new Error(`Invalid token`);
+      } else if ((error == null || (_error$response21 = error.response) == null || (_error$response21 = _error$response21.data) == null ? void 0 : _error$response21.error) === 'insufficient_scope') {
+        throw new Error(`Token does not have required scope to access user info`);
+      } else if ((error == null || (_error$response22 = error.response) == null || (_error$response22 = _error$response22.data) == null ? void 0 : _error$response22.error) === 'invalid_request') {
+        throw new Error(`Invalid request`);
+      }
+      if (error != null && (_error$response23 = error.response) != null && (_error$response23 = _error$response23.data) != null && _error$response23.error_description) {
+        var _error$response24;
+        throw new Error(error == null || (_error$response24 = error.response) == null || (_error$response24 = _error$response24.data) == null ? void 0 : _error$response24.error_description);
+      }
+      throw new Error(`Failed to get user details from culturefy token`);
+    }
+  }
+
+  /**
+   * Decode JWT token without verification (for extracting claims)
+   * This is used to extract user information from the token
+   * 
+   * @param token - The JWT token to decode
+   * @returns any - Decoded token payload
+   */
+  decodeJwtToken(token) {
+    try {
+      // Split the token and get the payload part
+      const parts = token.split('.');
+      if (parts.length !== 3) {
+        throw new Error('Invalid JWT token format');
+      }
+
+      // Decode the payload (second part)
+      const payload = parts[1];
+      const decodedPayload = Buffer.from(payload, 'base64').toString('utf-8');
+      return JSON.parse(decodedPayload);
+    } catch (error) {
+      this.context.error("Error decoding JWT token:", error);
+      throw new Error('Failed to decode JWT token');
+    }
+  }
+}
+exports.KeycloakAdminService = KeycloakAdminService;
+//# sourceMappingURL=keycloak.service.js.map