@keycloak/keycloak-admin-client 26.5.2 → 26.5.4

package/lib/client.d.ts

@@ -57,7 +57,10 @@ export declare class KeycloakAdminClient {
     auth(credentials: Credentials): Promise<void>;
     registerTokenProvider(provider: TokenProvider): void;
     setAccessToken(token: string): void;
+    setRefreshToken(token: string): void;
     getAccessToken(): Promise<string | undefined>;
+    isTokenExpired(): boolean;
+    isRefreshTokenExpired(): boolean;
     getRequestOptions(): RequestOptions | undefined;
     getGlobalRequestArgOptions(): Pick<RequestArgs, "catchNotFound"> | undefined;
     setConfig(connectionConfig: ConnectionConfig): void;

package/lib/client.js

@@ -17,6 +17,8 @@ import { UserStorageProvider } from "./resources/userStorageProvider.js";
 import { WhoAmI } from "./resources/whoAmI.js";
 import { getToken } from "./utils/auth.js";
 import { defaultBaseUrl, defaultRealm } from "./utils/constants.js";
+import { decodeToken } from "./utils/decode.js";
+const MIN_VALIDITY = 5; // in seconds
 export class KeycloakAdminClient {
     // Resources
     users;
@@ -46,6 +48,9 @@ export class KeycloakAdminClient {
     #requestOptions;
     #globalRequestArgOptions;
     #tokenProvider;
+    #accessTokenDecoded;
+    #refreshTokenDecoded;
+    #credentials;
     constructor(connectionConfig) {
         this.baseUrl = connectionConfig?.baseUrl || defaultBaseUrl;
         this.realmName = connectionConfig?.realmName || defaultRealm;
@@ -72,7 +77,13 @@ export class KeycloakAdminClient {
         this.cache = new Cache(this);
     }
     async auth(credentials) {
-        const { accessToken, refreshToken } = await getToken({
+        const { accessToken, refreshToken } = await getToken(this.#getTokenSettings(credentials));
+        this.#credentials = credentials;
+        this.setAccessToken(accessToken);
+        this.setRefreshToken(refreshToken);
+    }
+    #getTokenSettings(credentials) {
+        return {
             baseUrl: this.baseUrl,
             realmName: this.realmName,
             scope: this.scope,
@@ -81,9 +92,7 @@ export class KeycloakAdminClient {
                 ...this.#requestOptions,
                 ...(this.timeout ? { signal: AbortSignal.timeout(this.timeout) } : {}),
             },
-        });
-        this.accessToken = accessToken;
-        this.refreshToken = refreshToken;
+        };
     }
     registerTokenProvider(provider) {
         if (this.#tokenProvider) {
@@ -93,13 +102,50 @@ export class KeycloakAdminClient {
     }
     setAccessToken(token) {
         this.accessToken = token;
+        this.#accessTokenDecoded = decodeToken(token);
+    }
+    setRefreshToken(token) {
+        this.refreshToken = token;
+        this.#refreshTokenDecoded = decodeToken(token);
     }
     async getAccessToken() {
         if (this.#tokenProvider) {
             return this.#tokenProvider.getAccessToken();
         }
+        if (this.isTokenExpired()) {
+            await this.#refreshAccessToken();
+        }
         return this.accessToken;
     }
+    async #refreshAccessToken() {
+        if (!this.refreshToken || !this.#credentials) {
+            throw new Error("Cannot refresh token: missing refresh token or credentials");
+        }
+        if (this.isRefreshTokenExpired()) {
+            throw new Error("Cannot refresh token: refresh token has expired");
+        }
+        const { accessToken, refreshToken } = await getToken(this.#getTokenSettings({
+            grantType: "refresh_token",
+            clientId: this.#credentials.clientId,
+            clientSecret: this.#credentials.clientSecret,
+            refreshToken: this.refreshToken,
+        }));
+        this.setAccessToken(accessToken);
+        this.setRefreshToken(refreshToken);
+    }
+    isTokenExpired() {
+        return this.#isExpired(this.#accessTokenDecoded);
+    }
+    isRefreshTokenExpired() {
+        return this.#isExpired(this.#refreshTokenDecoded);
+    }
+    #isExpired(token) {
+        if (typeof token?.exp !== "number") {
+            return false;
+        }
+        const expiresIn = token.exp - Math.ceil(new Date().getTime() / 1000) - MIN_VALIDITY;
+        return expiresIn < 0;
+    }
     getRequestOptions() {
         return this.#requestOptions;
     }

package/lib/utils/decode.d.ts

@@ -0,0 +1,4 @@
+export interface DecodedToken {
+    exp?: number;
+}
+export declare function decodeToken(token: string): DecodedToken;

package/lib/utils/decode.js

@@ -0,0 +1,50 @@
+export function decodeToken(token) {
+    const [, payload] = token?.split(".") || [];
+    if (typeof payload !== "string") {
+        console.info("Unable to decode token, payload not found.");
+        return {};
+    }
+    let decoded;
+    try {
+        decoded = base64UrlDecode(payload);
+    }
+    catch (error) {
+        throw new Error("Unable to decode token, payload is not a valid Base64URL value.", { cause: error });
+    }
+    try {
+        return JSON.parse(decoded);
+    }
+    catch (error) {
+        throw new Error("Unable to decode token, payload is not a valid JSON value.", { cause: error });
+    }
+}
+function base64UrlDecode(input) {
+    let output = input.replaceAll("-", "+").replaceAll("_", "/");
+    switch (output.length % 4) {
+        case 0:
+            break;
+        case 2:
+            output += "==";
+            break;
+        case 3:
+            output += "=";
+            break;
+        default:
+            throw new Error("Input is not of the correct length.");
+    }
+    try {
+        return b64DecodeUnicode(output);
+    }
+    catch {
+        return atob(output);
+    }
+}
+function b64DecodeUnicode(input) {
+    return decodeURIComponent(atob(input).replace(/(.)/g, (m, p) => {
+        let code = p.charCodeAt(0).toString(16).toUpperCase();
+        if (code.length < 2) {
+            code = "0" + code;
+        }
+        return "%" + code;
+    }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@keycloak/keycloak-admin-client",
-  "version": "26.5.2",
+  "version": "26.5.4",
   "description": "A client to interact with Keycloak's Administration API",
   "type": "module",
   "main": "lib/index.js",