@happyvertical/auth 0.74.8

package/dist/chunks/keycloak-t6JEUeOz.js

@@ -0,0 +1,871 @@
+import { ConfigurationError, NetworkError, InvalidCredentialsError, AccessDeniedError, InvalidGrantError, InvalidClientError, UserNotFoundError, ProviderError, UserAlreadyExistsError, MfaRequiredError, InvalidNonceError, TokenExpiredError, InvalidTokenError, NotImplementedError } from "../index.js";
+import { c as createRemoteJWKSet, d as decodeJwt, j as jwtVerify, J as JWTExpired, a as JWTClaimValidationFailed, b as JWSSignatureVerificationFailed } from "./decode_jwt-D2OK1b8a.js";
+function generateRandomString(length = 32) {
+  const array = new Uint8Array(length);
+  crypto.getRandomValues(array);
+  return Array.from(array, (byte) => byte.toString(16).padStart(2, "0")).join(
+    ""
+  );
+}
+async function generatePKCE() {
+  const verifier = generateRandomString(32);
+  const encoder = new TextEncoder();
+  const data = encoder.encode(verifier);
+  const hash = await crypto.subtle.digest("SHA-256", data);
+  const challenge = btoa(String.fromCharCode(...new Uint8Array(hash))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  return { verifier, challenge };
+}
+class KeycloakProvider {
+  options;
+  discoveryDocument = null;
+  jwks = null;
+  constructor(options) {
+    if (!options.serverUrl) {
+      throw new ConfigurationError("serverUrl is required", "keycloak");
+    }
+    if (!options.realm) {
+      throw new ConfigurationError("realm is required", "keycloak");
+    }
+    if (!options.clientId) {
+      throw new ConfigurationError("clientId is required", "keycloak");
+    }
+    this.options = {
+      usePKCE: true,
+      verifySsl: true,
+      scopes: ["openid", "profile", "email"],
+      timeout: 3e4,
+      maxRetries: 3,
+      ...options
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // INTERNAL HELPERS
+  // ---------------------------------------------------------------------------
+  /**
+   * Get the base URL for the realm.
+   */
+  getRealmUrl() {
+    return `${this.options.serverUrl}/realms/${this.options.realm}`;
+  }
+  /**
+   * Get the admin API base URL.
+   */
+  getAdminUrl() {
+    return `${this.options.serverUrl}/admin/realms/${this.options.realm}`;
+  }
+  /**
+   * Make an HTTP request with error handling.
+   */
+  async request(url, options = {}, adminToken) {
+    const headers = {
+      "Content-Type": "application/json",
+      ...this.options.headers,
+      ...options.headers
+    };
+    if (adminToken) {
+      headers["Authorization"] = `Bearer ${adminToken}`;
+    }
+    try {
+      const response = await fetch(url, {
+        ...options,
+        headers,
+        signal: AbortSignal.timeout(this.options.timeout || 3e4)
+      });
+      if (!response.ok) {
+        const errorBody = await response.text().catch(() => "");
+        let errorData = {};
+        try {
+          errorData = JSON.parse(errorBody);
+        } catch {
+        }
+        this.handleHttpError(response.status, errorData, errorBody);
+      }
+      const text = await response.text();
+      if (!text) return {};
+      return JSON.parse(text);
+    } catch (error) {
+      if (error instanceof Error && error.name === "TimeoutError") {
+        throw new NetworkError("Request timed out", "keycloak", error);
+      }
+      if (error instanceof InvalidCredentialsError || error instanceof AccessDeniedError || error instanceof InvalidGrantError || error instanceof InvalidClientError || error instanceof UserNotFoundError || error instanceof ProviderError) {
+        throw error;
+      }
+      throw new NetworkError(
+        `Network error: ${error instanceof Error ? error.message : "Unknown error"}`,
+        "keycloak",
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  /**
+   * Handle HTTP error responses.
+   */
+  handleHttpError(status, data, rawBody) {
+    const error = data.error;
+    const errorDescription = data.errorMessage || data.error_description || rawBody;
+    switch (status) {
+      case 400:
+        if (error === "invalid_grant") {
+          throw new InvalidGrantError(errorDescription, "keycloak");
+        }
+        if (error === "invalid_client") {
+          throw new InvalidClientError("keycloak");
+        }
+        throw new ProviderError(`Bad request: ${errorDescription}`, "keycloak");
+      case 401:
+        throw new InvalidCredentialsError("keycloak");
+      case 403:
+        throw new AccessDeniedError(errorDescription, "keycloak");
+      case 404:
+        throw new UserNotFoundError(void 0, "keycloak");
+      case 409:
+        throw new UserAlreadyExistsError(void 0, "keycloak");
+      default:
+        throw new ProviderError(
+          `Keycloak error (${status}): ${errorDescription}`,
+          "keycloak"
+        );
+    }
+  }
+  /**
+   * Fetch and cache the OIDC discovery document.
+   */
+  async fetchDiscoveryDocument() {
+    if (this.discoveryDocument) {
+      return this.discoveryDocument;
+    }
+    const url = `${this.getRealmUrl()}/.well-known/openid-configuration`;
+    this.discoveryDocument = await this.request(url);
+    return this.discoveryDocument;
+  }
+  /**
+   * Get JWKS for token validation.
+   */
+  async getJWKS() {
+    if (this.jwks) {
+      return this.jwks;
+    }
+    const discovery = await this.fetchDiscoveryDocument();
+    this.jwks = createRemoteJWKSet(new URL(discovery.jwks_uri));
+    return this.jwks;
+  }
+  // ---------------------------------------------------------------------------
+  // AUTHENTICATION FLOWS
+  // ---------------------------------------------------------------------------
+  async getAuthorizationUrl(options) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const state = options?.state || generateRandomString();
+    const nonce = options?.nonce || generateRandomString();
+    const scopes = options?.scopes || this.options.scopes || ["openid", "profile", "email"];
+    const redirectUri = options?.redirectUri || this.options.redirectUri;
+    if (!redirectUri) {
+      throw new ConfigurationError("redirectUri is required", "keycloak");
+    }
+    const params = new URLSearchParams({
+      client_id: this.options.clientId,
+      redirect_uri: redirectUri,
+      response_type: "code",
+      scope: scopes.join(" "),
+      state,
+      nonce
+    });
+    if (options?.prompt) {
+      params.set("prompt", options.prompt);
+    }
+    if (options?.loginHint) {
+      params.set("login_hint", options.loginHint);
+    }
+    if (options?.extraParams) {
+      for (const [key, value] of Object.entries(options.extraParams)) {
+        params.set(key, value);
+      }
+    }
+    let codeVerifier;
+    if (this.options.usePKCE) {
+      const pkce = await generatePKCE();
+      codeVerifier = pkce.verifier;
+      params.set("code_challenge", pkce.challenge);
+      params.set("code_challenge_method", "S256");
+    }
+    const url = `${discovery.authorization_endpoint}?${params.toString()}`;
+    return {
+      url,
+      state,
+      nonce,
+      codeVerifier
+    };
+  }
+  async exchangeCode(params) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const redirectUri = params.redirectUri || this.options.redirectUri;
+    if (!redirectUri) {
+      throw new ConfigurationError("redirectUri is required", "keycloak");
+    }
+    const body = new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: this.options.clientId,
+      code: params.code,
+      redirect_uri: redirectUri
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    if (params.codeVerifier) {
+      body.set("code_verifier", params.codeVerifier);
+    }
+    const response = await this.request(discovery.token_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    let userId = "";
+    if (response.id_token) {
+      const payload = decodeJwt(response.id_token);
+      userId = payload.sub || "";
+    }
+    return {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      expiresIn: response.expires_in,
+      refreshToken: response.refresh_token,
+      idToken: response.id_token,
+      scope: response.scope,
+      userId
+    };
+  }
+  async authenticate(credentials) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const grantType = credentials.grantType || "password";
+    const scopes = credentials.scopes || this.options.scopes || ["openid", "profile", "email"];
+    const body = new URLSearchParams({
+      grant_type: grantType,
+      client_id: this.options.clientId,
+      scope: scopes.join(" ")
+    });
+    if (grantType === "client_credentials") {
+      if (!this.options.clientSecret) {
+        throw new InvalidCredentialsError("keycloak", {
+          reason: "Client secret is required for client_credentials grant"
+        });
+      }
+      body.set("client_secret", this.options.clientSecret);
+    } else {
+      if (!credentials.username || !credentials.password) {
+        throw new InvalidCredentialsError("keycloak", {
+          reason: "Username and password are required"
+        });
+      }
+      body.set("username", credentials.username);
+      body.set("password", credentials.password);
+      if (this.options.clientSecret) {
+        body.set("client_secret", this.options.clientSecret);
+      }
+      if (credentials.mfaCode) {
+        body.set("totp", credentials.mfaCode);
+      }
+    }
+    try {
+      const response = await this.request(discovery.token_endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: body.toString()
+      });
+      let userId = "";
+      if (response.id_token) {
+        const payload = decodeJwt(response.id_token);
+        userId = payload.sub || "";
+      } else if (response.access_token) {
+        const payload = decodeJwt(response.access_token);
+        userId = payload.sub || "";
+      }
+      return {
+        accessToken: response.access_token,
+        tokenType: response.token_type || "Bearer",
+        expiresIn: response.expires_in,
+        refreshToken: response.refresh_token,
+        idToken: response.id_token,
+        scope: response.scope,
+        userId
+      };
+    } catch (error) {
+      if (error instanceof ProviderError && error.message.includes("invalid_grant") && error.message.includes("totp")) {
+        throw new MfaRequiredError("keycloak", ["totp"]);
+      }
+      throw error;
+    }
+  }
+  async refresh(refreshToken) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const body = new URLSearchParams({
+      grant_type: "refresh_token",
+      client_id: this.options.clientId,
+      refresh_token: refreshToken
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    const response = await this.request(discovery.token_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    let userId = "";
+    if (response.access_token) {
+      const payload = decodeJwt(response.access_token);
+      userId = payload.sub || "";
+    }
+    return {
+      accessToken: response.access_token,
+      tokenType: response.token_type || "Bearer",
+      expiresIn: response.expires_in,
+      refreshToken: response.refresh_token || refreshToken,
+      idToken: response.id_token,
+      scope: response.scope,
+      userId
+    };
+  }
+  async logout(options) {
+    const discovery = await this.fetchDiscoveryDocument();
+    if (!discovery.end_session_endpoint) {
+      if (options?.refreshToken && discovery.revocation_endpoint) {
+        await this.request(discovery.revocation_endpoint, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            client_id: this.options.clientId,
+            token: options.refreshToken,
+            token_type_hint: "refresh_token"
+          }).toString()
+        });
+      }
+      return;
+    }
+    const params = new URLSearchParams({
+      client_id: this.options.clientId
+    });
+    if (options?.token) {
+      params.set("id_token_hint", options.token);
+    }
+    if (options?.postLogoutRedirectUri) {
+      params.set("post_logout_redirect_uri", options.postLogoutRedirectUri);
+    }
+    if (options?.refreshToken && discovery.revocation_endpoint) {
+      const revokeParams = new URLSearchParams({
+        client_id: this.options.clientId,
+        token: options.refreshToken,
+        token_type_hint: "refresh_token"
+      });
+      if (this.options.clientSecret) {
+        revokeParams.set("client_secret", this.options.clientSecret);
+      }
+      await this.request(discovery.revocation_endpoint, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: revokeParams.toString()
+      });
+    }
+  }
+  // ---------------------------------------------------------------------------
+  // TOKEN OPERATIONS
+  // ---------------------------------------------------------------------------
+  async validateToken(token, options) {
+    try {
+      const jwks = await this.getJWKS();
+      const discovery = await this.fetchDiscoveryDocument();
+      const verifyOptions = {
+        issuer: options?.issuer || discovery.issuer,
+        clockTolerance: options?.clockTolerance || 0
+      };
+      if (options?.audience) {
+        verifyOptions.audience = options.audience;
+      }
+      const { payload } = await jwtVerify(token, jwks, verifyOptions);
+      if (options?.nonce && payload.nonce !== options.nonce) {
+        throw new InvalidNonceError("keycloak");
+      }
+      const roles = [];
+      if (payload.realm_access && typeof payload.realm_access === "object") {
+        const realmAccess = payload.realm_access;
+        if (realmAccess.roles) {
+          roles.push(...realmAccess.roles);
+        }
+      }
+      if (payload.resource_access && typeof payload.resource_access === "object") {
+        const resourceAccess = payload.resource_access;
+        for (const client of Object.values(resourceAccess)) {
+          if (client.roles) {
+            roles.push(...client.roles);
+          }
+        }
+      }
+      return {
+        sub: payload.sub || "",
+        iss: payload.iss || "",
+        aud: payload.aud || "",
+        exp: payload.exp || 0,
+        iat: payload.iat || 0,
+        nbf: payload.nbf,
+        azp: payload.azp,
+        email: payload.email,
+        email_verified: payload.email_verified,
+        preferred_username: payload.preferred_username,
+        name: payload.name,
+        roles,
+        ...payload
+      };
+    } catch (error) {
+      if (error instanceof JWTExpired) {
+        throw new TokenExpiredError("keycloak");
+      }
+      if (error instanceof JWTClaimValidationFailed) {
+        return null;
+      }
+      if (error instanceof JWSSignatureVerificationFailed) {
+        throw new InvalidTokenError("Invalid token signature", "keycloak");
+      }
+      if (error instanceof InvalidNonceError) {
+        throw error;
+      }
+      return null;
+    }
+  }
+  decodeToken(token) {
+    try {
+      const parts = token.split(".");
+      if (parts.length !== 3) {
+        throw new InvalidTokenError("Invalid JWT format", "keycloak");
+      }
+      const header = JSON.parse(atob(parts[0]));
+      const payload = decodeJwt(token);
+      return {
+        header: {
+          alg: header.alg,
+          typ: header.typ,
+          kid: header.kid
+        },
+        payload,
+        signature: parts[2]
+      };
+    } catch {
+      throw new InvalidTokenError("Failed to decode token", "keycloak");
+    }
+  }
+  async introspectToken(token) {
+    const discovery = await this.fetchDiscoveryDocument();
+    if (!discovery.introspection_endpoint) {
+      const claims = await this.validateToken(token);
+      return {
+        active: claims !== null,
+        claims: claims || void 0
+      };
+    }
+    const body = new URLSearchParams({
+      client_id: this.options.clientId,
+      token
+    });
+    if (this.options.clientSecret) {
+      body.set("client_secret", this.options.clientSecret);
+    }
+    const response = await this.request(discovery.introspection_endpoint, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.active) {
+      return { active: false };
+    }
+    return {
+      active: true,
+      claims: {
+        sub: response.sub || "",
+        iss: response.iss || "",
+        aud: response.aud || "",
+        exp: response.exp || 0,
+        iat: response.iat || 0,
+        ...response
+      },
+      tokenType: response.token_type,
+      clientId: response.client_id,
+      scope: response.scope
+    };
+  }
+  // ---------------------------------------------------------------------------
+  // USER OPERATIONS
+  // ---------------------------------------------------------------------------
+  async getProfile(tokenOrSession) {
+    const discovery = await this.fetchDiscoveryDocument();
+    const response = await this.request(discovery.userinfo_endpoint, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${tokenOrSession}` }
+    });
+    return {
+      id: response.sub,
+      username: response.preferred_username,
+      email: response.email,
+      emailVerified: response.email_verified,
+      firstName: response.given_name,
+      lastName: response.family_name,
+      displayName: response.name,
+      picture: response.picture
+    };
+  }
+  async updateProfile(tokenOrSession, profile) {
+    const payload = decodeJwt(tokenOrSession);
+    const userId = payload.sub;
+    if (!userId) {
+      throw new InvalidTokenError("Token does not contain user ID", "keycloak");
+    }
+    const accountUrl = `${this.getRealmUrl()}/account`;
+    const updateData = {};
+    if (profile.firstName !== void 0)
+      updateData.firstName = profile.firstName;
+    if (profile.lastName !== void 0) updateData.lastName = profile.lastName;
+    if (profile.email !== void 0) updateData.email = profile.email;
+    await this.request(accountUrl, {
+      method: "POST",
+      headers: { Authorization: `Bearer ${tokenOrSession}` },
+      body: JSON.stringify(updateData)
+    });
+    return this.getProfile(tokenOrSession);
+  }
+  async getUser(userId, adminToken) {
+    if (!adminToken) {
+      throw new AccessDeniedError("Admin token required", "keycloak");
+    }
+    const response = await this.request(
+      `${this.getAdminUrl()}/users/${userId}`,
+      { method: "GET" },
+      adminToken
+    );
+    return this.mapKeycloakUser(response);
+  }
+  async createUser(user, adminToken) {
+    const keycloakUser = {
+      username: user.username,
+      email: user.email,
+      firstName: user.firstName,
+      lastName: user.lastName,
+      enabled: user.enabled ?? true,
+      emailVerified: user.emailVerified ?? false,
+      attributes: user.attributes
+    };
+    if (user.password) {
+      keycloakUser.credentials = [
+        {
+          type: "password",
+          value: user.password,
+          temporary: false
+        }
+      ];
+    }
+    const response = await fetch(`${this.getAdminUrl()}/users`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${adminToken}`
+      },
+      body: JSON.stringify(keycloakUser)
+    });
+    if (!response.ok) {
+      const errorBody = await response.text();
+      if (response.status === 409) {
+        throw new UserAlreadyExistsError(user.username, "keycloak");
+      }
+      throw new ProviderError(
+        `Failed to create user: ${errorBody}`,
+        "keycloak"
+      );
+    }
+    const location = response.headers.get("Location");
+    if (!location) {
+      throw new ProviderError("Failed to get created user ID", "keycloak");
+    }
+    const userId = location.split("/").pop();
+    if (user.roles?.length) {
+      await this.assignRoles(userId, user.roles, adminToken);
+    }
+    if (user.groups?.length) {
+      for (const groupName of user.groups) {
+        await this.addUserToGroup(userId, groupName, adminToken);
+      }
+    }
+    return this.getUser(userId, adminToken);
+  }
+  async updateUser(userId, updates, adminToken) {
+    const keycloakUser = {};
+    if (updates.username !== void 0)
+      keycloakUser.username = updates.username;
+    if (updates.email !== void 0) keycloakUser.email = updates.email;
+    if (updates.firstName !== void 0)
+      keycloakUser.firstName = updates.firstName;
+    if (updates.lastName !== void 0)
+      keycloakUser.lastName = updates.lastName;
+    if (updates.enabled !== void 0) keycloakUser.enabled = updates.enabled;
+    if (updates.emailVerified !== void 0)
+      keycloakUser.emailVerified = updates.emailVerified;
+    if (updates.attributes !== void 0) {
+      keycloakUser.attributes = updates.attributes;
+    }
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}`,
+      {
+        method: "PUT",
+        body: JSON.stringify(keycloakUser)
+      },
+      adminToken
+    );
+    if (updates.password) {
+      await this.request(
+        `${this.getAdminUrl()}/users/${userId}/reset-password`,
+        {
+          method: "PUT",
+          body: JSON.stringify({
+            type: "password",
+            value: updates.password,
+            temporary: false
+          })
+        },
+        adminToken
+      );
+    }
+    return this.getUser(userId, adminToken);
+  }
+  async deleteUser(userId, adminToken) {
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}`,
+      { method: "DELETE" },
+      adminToken
+    );
+  }
+  async listUsers(query, adminToken) {
+    if (!adminToken) {
+      throw new AccessDeniedError("Admin token required", "keycloak");
+    }
+    const params = new URLSearchParams();
+    if (query.search) params.set("search", query.search);
+    if (query.email) params.set("email", query.email);
+    if (query.username) params.set("username", query.username);
+    if (query.enabled !== void 0)
+      params.set("enabled", String(query.enabled));
+    if (query.limit) params.set("max", String(query.limit));
+    if (query.offset) params.set("first", String(query.offset));
+    const users = await this.request(
+      `${this.getAdminUrl()}/users?${params.toString()}`,
+      { method: "GET" },
+      adminToken
+    );
+    const countResponse = await this.request(
+      `${this.getAdminUrl()}/users/count?${params.toString()}`,
+      { method: "GET" },
+      adminToken
+    );
+    return {
+      users: users.map((u) => this.mapKeycloakUser(u)),
+      total: countResponse,
+      limit: query.limit || 100,
+      offset: query.offset || 0
+    };
+  }
+  async requestPasswordReset(email) {
+    throw new NotImplementedError("requestPasswordReset", "keycloak", {
+      reason: "Requires admin token or use Keycloak login page for self-service reset"
+    });
+  }
+  async resetPassword(token, newPassword) {
+    throw new NotImplementedError("resetPassword", "keycloak", {
+      reason: "Password reset is handled by Keycloak login flow"
+    });
+  }
+  // ---------------------------------------------------------------------------
+  // SESSION OPERATIONS
+  // ---------------------------------------------------------------------------
+  async listSessions(userId, adminToken) {
+    if (!adminToken) {
+      throw new AccessDeniedError("Admin token required", "keycloak");
+    }
+    const sessions = await this.request(
+      `${this.getAdminUrl()}/users/${userId}/sessions`,
+      { method: "GET" },
+      adminToken
+    );
+    return sessions.map((s) => ({
+      id: s.id,
+      userId: s.userId,
+      clientId: s.clients ? Object.keys(s.clients).join(", ") : void 0,
+      startedAt: new Date(s.start),
+      lastAccessedAt: new Date(s.lastAccess),
+      ipAddress: s.ipAddress,
+      userAgent: s.userAgent
+    }));
+  }
+  async revokeSession(sessionId, adminToken) {
+    if (!adminToken) {
+      throw new AccessDeniedError("Admin token required", "keycloak");
+    }
+    await this.request(
+      `${this.getAdminUrl()}/sessions/${sessionId}`,
+      { method: "DELETE" },
+      adminToken
+    );
+  }
+  async revokeAllSessions(userId, adminToken) {
+    if (!adminToken) {
+      throw new AccessDeniedError("Admin token required", "keycloak");
+    }
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}/logout`,
+      { method: "POST" },
+      adminToken
+    );
+  }
+  // ---------------------------------------------------------------------------
+  // AUTHORIZATION
+  // ---------------------------------------------------------------------------
+  async hasRole(tokenOrUserId, role) {
+    const roles = await this.getRoles(tokenOrUserId);
+    return roles.includes(role);
+  }
+  async hasPermission(tokenOrUserId, permission, resource) {
+    const roles = await this.getRoles(tokenOrUserId);
+    const permissionRole = resource ? `${resource}:${permission}` : permission;
+    return roles.includes(permissionRole) || roles.includes(permission);
+  }
+  async getRoles(tokenOrUserId, adminToken) {
+    try {
+      const claims = await this.validateToken(tokenOrUserId);
+      if (claims) {
+        return claims.roles || [];
+      }
+    } catch {
+    }
+    if (adminToken) {
+      try {
+        const roleMappings = await this.request(
+          `${this.getAdminUrl()}/users/${tokenOrUserId}/role-mappings`,
+          { method: "GET" },
+          adminToken
+        );
+        return roleMappings.realmMappings?.map((r) => r.name) || [];
+      } catch {
+      }
+    }
+    return [];
+  }
+  async assignRole(userId, role, adminToken) {
+    const roles = await this.request(
+      `${this.getAdminUrl()}/roles`,
+      { method: "GET" },
+      adminToken
+    );
+    const roleObj = roles.find((r) => r.name === role);
+    if (!roleObj) {
+      throw new ProviderError(`Role not found: ${role}`, "keycloak");
+    }
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,
+      {
+        method: "POST",
+        body: JSON.stringify([roleObj])
+      },
+      adminToken
+    );
+  }
+  async removeRole(userId, role, adminToken) {
+    const roles = await this.request(
+      `${this.getAdminUrl()}/roles`,
+      { method: "GET" },
+      adminToken
+    );
+    const roleObj = roles.find((r) => r.name === role);
+    if (!roleObj) {
+      throw new ProviderError(`Role not found: ${role}`, "keycloak");
+    }
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,
+      {
+        method: "DELETE",
+        body: JSON.stringify([roleObj])
+      },
+      adminToken
+    );
+  }
+  // ---------------------------------------------------------------------------
+  // PROVIDER INFORMATION
+  // ---------------------------------------------------------------------------
+  async getCapabilities() {
+    return {
+      authorizationCode: true,
+      passwordGrant: true,
+      clientCredentials: true,
+      tokenRefresh: true,
+      oidc: true,
+      userManagement: true,
+      sessionManagement: true,
+      rbac: true,
+      passwordReset: true,
+      mfa: true,
+      socialLogin: true,
+      federation: true,
+      decentralized: false
+    };
+  }
+  async getDiscoveryDocument() {
+    return this.fetchDiscoveryDocument();
+  }
+  // ---------------------------------------------------------------------------
+  // PRIVATE HELPERS
+  // ---------------------------------------------------------------------------
+  mapKeycloakUser(user) {
+    return {
+      id: user.id,
+      username: user.username,
+      email: user.email,
+      emailVerified: user.emailVerified,
+      firstName: user.firstName,
+      lastName: user.lastName,
+      displayName: user.firstName && user.lastName ? `${user.firstName} ${user.lastName}` : user.username,
+      enabled: user.enabled,
+      createdAt: user.createdTimestamp ? new Date(user.createdTimestamp) : void 0,
+      attributes: user.attributes,
+      groups: user.groups
+    };
+  }
+  async assignRoles(userId, roleNames, adminToken) {
+    const allRoles = await this.request(
+      `${this.getAdminUrl()}/roles`,
+      { method: "GET" },
+      adminToken
+    );
+    const rolesToAssign = allRoles.filter((r) => roleNames.includes(r.name));
+    if (rolesToAssign.length > 0) {
+      await this.request(
+        `${this.getAdminUrl()}/users/${userId}/role-mappings/realm`,
+        {
+          method: "POST",
+          body: JSON.stringify(rolesToAssign)
+        },
+        adminToken
+      );
+    }
+  }
+  async addUserToGroup(userId, groupName, adminToken) {
+    const groups = await this.request(
+      `${this.getAdminUrl()}/groups?search=${encodeURIComponent(groupName)}`,
+      { method: "GET" },
+      adminToken
+    );
+    const group = groups.find((g) => g.name === groupName);
+    if (!group) {
+      throw new ProviderError(`Group not found: ${groupName}`, "keycloak");
+    }
+    await this.request(
+      `${this.getAdminUrl()}/users/${userId}/groups/${group.id}`,
+      { method: "PUT" },
+      adminToken
+    );
+  }
+}
+export {
+  KeycloakProvider
+};
+//# sourceMappingURL=keycloak-t6JEUeOz.js.map