@tidecloak/create-nextjs 0.0.1

package/template-js-app/init/realm.json

@@ -0,0 +1,162 @@
+{
+    "realm": "nextjs-test",
+    "accessTokenLifespan": 600,
+    "enabled": true,
+    "sslRequired": "external",
+    "registrationAllowed": false,
+    "duplicateEmailsAllowed": true,
+    "roles": {
+        "realm": [
+            {
+                "name": "appUser",
+                "description": "Standard application user"
+            },
+            {
+                "name": "_tide_dob.selfencrypt",
+                "description": "Tide E2EE self-encrypt DoB data"
+            },
+            {
+                "name": "_tide_dob.selfdecrypt",
+                "description": "Tide E2EE self-decrypt DoB data"
+            },
+            {
+                "name": "default-roles-nextjs-test",
+                "description": "${role_default-roles}",
+                "composite": true,
+                "composites": {
+                    "realm": [
+                        "_tide_dob.selfencrypt",
+                        "_tide_dob.selfdecrypt",
+                        "appUser"
+                    ]
+                }
+            }
+        ],
+        "client": {
+            "myclient": []
+        }
+    },
+    "defaultRole": {
+        "name": "default-roles-nextjs-test",
+        "description": "${role_default-roles}",
+        "composite": true,
+        "clientRole": false
+    },
+    "clients": [
+        {
+            "clientId": "myclient",
+            "enabled": true,
+            "redirectUris": [
+                "http://localhost:3000",
+                "http://localhost:3000/*",
+                "http://localhost:3000/silent-check-sso.html",
+                "http://localhost:3000/auth/redirect"
+            ],
+            "webOrigins": [
+                "http://localhost:3000"
+            ],
+            "standardFlowEnabled": true,
+            "implicitFlowEnabled": false,
+            "publicClient": true,
+            "fullScopeAllowed": true,
+            "protocolMappers": [
+                {
+                    "name": "Tide User Key",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "introspection.token.claim": "true",
+                        "userinfo.token.claim": "true",
+                        "user.attribute": "tideUserKey",
+                        "lightweight.claim": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "claim.name": "tideuserkey",
+                        "jsonType.label": "String"
+                    }
+                },
+                {
+                    "name": "Tide IGA Role Mapper",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "tide-roles-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "lightweight.claim": "true",
+                        "access.token.claim": "true"
+                    }
+                },
+                {
+                    "name": "Tide vuid",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "introspection.token.claim": "true",
+                        "userinfo.token.claim": "true",
+                        "user.attribute": "vuid",
+                        "lightweight.claim": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "claim.name": "vuid",
+                        "jsonType.label": "String"
+                    }
+                }
+            ]
+        }
+    ],
+    "components": {
+        "org.keycloak.userprofile.UserProfileProvider": [
+            {
+              "providerId": "declarative-user-profile",
+              "config": {
+                "kc.user.profile.config": [
+                    "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
+                ]
+              }
+            }
+        ]
+    },
+    "authenticationFlows": [
+        {
+            "alias": "tidebrowser",
+            "providerId": "basic-flow",
+            "topLevel": true,
+            "authenticationExecutions": [
+                {
+                    "authenticator": "auth-cookie",
+                    "authenticatorFlow": false,
+                    "requirement": "ALTERNATIVE",
+                    "priority": 10,
+                    "userSetupAllowed": false
+                },
+                {
+                    "authenticatorConfig": "tide browser",
+                    "authenticator": "identity-provider-redirector",
+                    "authenticatorFlow": false,
+                    "requirement": "ALTERNATIVE",
+                    "priority": 25,
+                    "userSetupAllowed": false
+                }
+            ]
+        }
+    ],
+    "authenticatorConfig": [
+        {
+            "alias": "tide browser",
+            "config": {
+                "defaultProvider": "tide"
+            }
+        }
+    ],
+    "browserFlow": "tidebrowser",
+    "requiredActions": [
+        {
+            "alias": "link-tide-account-action",
+            "name": "Link Tide Account",
+            "providerId": "link-tide-account-action",
+            "enabled": true
+        }
+    ],
+    "keycloakVersion": "26.1.4"
+}

package/template-js-app/init/tcinit.sh

@@ -0,0 +1,261 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Determine paths
+# ─────────────────────────────────────────────────────────────────────────────
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+# Load overrides from .env in the project root
+if [ -f "${PROJECT_ROOT}/.env.example" ]; then
+  # shellcheck disable=SC1090
+  source "${PROJECT_ROOT}/.env.example"
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Defaults (override via env)
+# ─────────────────────────────────────────────────────────────────────────────
+TIDECLOAK_LOCAL_URL="${TIDECLOAK_LOCAL_URL:-http://localhost:8080}"
+CLIENT_APP_URL="${CLIENT_APP_URL:-http://localhost:3000}"
+REALM_JSON_PATH="${REALM_JSON_PATH:-${SCRIPT_DIR}/realm.json}"
+ADAPTER_OUTPUT_PATH="${ADAPTER_OUTPUT_PATH:-${PROJECT_ROOT}/tidecloak.json}"
+NEW_REALM_NAME="${NEW_REALM_NAME:-nextjs-test}"
+REALM_MGMT_CLIENT_ID="realm-management"
+ADMIN_ROLE_NAME="tide-realm-admin"
+KC_USER="${KC_USER:-admin}"
+KC_PASSWORD="${KC_PASSWORD:-password}"
+CLIENT_NAME="${CLIENT_NAME:-myclient}"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# sed -i portability
+# ─────────────────────────────────────────────────────────────────────────────
+if sed --version >/dev/null 2>&1; then
+  SED_INPLACE=(-i)
+else
+  SED_INPLACE=(-i '')
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Helper: grab an admin token
+# ─────────────────────────────────────────────────────────────────────────────
+get_admin_token() {
+  curl -s -X POST "${TIDECLOAK_LOCAL_URL}/realms/master/protocol/openid-connect/token" \
+       -H "Content-Type: application/x-www-form-urlencoded" \
+       -d "username=${KC_USER}" \
+       -d "password=${KC_PASSWORD}" \
+       -d "grant_type=password" \
+       -d "client_id=admin-cli" \
+    | jq -r .access_token
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 1: prepare realm JSON
+# ─────────────────────────────────────────────────────────────────────────────
+REALM_NAME="${NEW_REALM_NAME}"
+echo "${REALM_NAME}" > "${PROJECT_ROOT}/.realm_name"
+
+TMP_REALM_JSON="$(mktemp)"
+cp "${REALM_JSON_PATH}" "${TMP_REALM_JSON}"
+
+# replace placeholders
+sed "${SED_INPLACE[@]}" "s|http://localhost:3000|${CLIENT_APP_URL}|g" "${TMP_REALM_JSON}"
+sed "${SED_INPLACE[@]}" "s|nextjs-test|${REALM_NAME}|g"      "${TMP_REALM_JSON}"
+sed "${SED_INPLACE[@]}" "s|myclient|${CLIENT_NAME}|g"        "${TMP_REALM_JSON}"
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 2: create realm (allow 409 if already exists)
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🌍 Creating realm..."
+status=$(curl -s -o /dev/null -w "%{http_code}" \
+  -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/json" \
+  --data-binary @"${TMP_REALM_JSON}")
+
+if [[ ${status} == 2* || ${status} -eq 409 ]]; then
+  echo "✅ Realm created (or already exists)."
+else
+  echo "❌ Realm creation failed (HTTP ${status})" >&2
+  exit 1
+fi
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 3: initialize Tide realm + IGA
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🔐 Initializing Tide realm + IGA..."
+
+response=$(curl -i -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/setUpTideRealm" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  --data-urlencode "email=email@tide.org" 2>&1)
+
+# parse status code from response
+status=$(printf "%s" "${response}" | awk '/HTTP\/1\.[01]/ { code=$2 } END { print code }')
+if [[ "${status}" != "200" && "${status}" != "201" && "${status}" != "204" ]]; then
+  echo "❌ setUpTideRealm failed with HTTP ${status}" >&2
+  exit 1
+fi
+
+# toggle IGA
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/toggle-iga" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/x-www-form-urlencoded" \
+     --data-urlencode "isIGAEnabled=true" \
+  > /dev/null
+
+echo "✅ Tide realm + IGA done."
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Approve & commit change-sets
+# ─────────────────────────────────────────────────────────────────────────────
+approve_and_commit() {
+  local TYPE=$1
+  echo "🔄 Processing ${TYPE} change-sets..."
+  TOKEN="$(get_admin_token)"
+  curl -s -X GET "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/${TYPE}/requests" \
+       -H "Authorization: Bearer ${TOKEN}" \
+    | jq -c '.[]' | while read -r req; do
+        payload=$(jq -n \
+          --arg id  "$(jq -r .draftRecordId   <<< "${req}")" \
+          --arg cst "$(jq -r .changeSetType   <<< "${req}")" \
+          --arg at  "$(jq -r .actionType      <<< "${req}")" \
+          '{changeSetId:$id,changeSetType:$cst,actionType:$at}')
+
+        curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/sign" \
+             -H "Authorization: Bearer ${TOKEN}" \
+             -H "Content-Type: application/json" \
+             -d "${payload}" \
+          > /dev/null
+
+        curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tide-admin/change-set/commit" \
+             -H "Authorization: Bearer ${TOKEN}" \
+             -H "Content-Type: application/json" \
+             -d "${payload}" \
+          > /dev/null
+      done
+  echo "✅ ${TYPE^} change-sets done."
+}
+approve_and_commit clients
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 4: create admin user + assign role
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "👤 Creating admin user..."
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d '{"username":"admin","email":"admin@tidecloak.com","firstName":"admin","lastName":"user","enabled":true}' \
+  > /dev/null
+
+USER_ID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users?username=admin" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+CLIENT_UUID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients?clientId=${REALM_MGMT_CLIENT_ID}" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+ROLE_JSON=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients/${CLIENT_UUID}/roles/${ADMIN_ROLE_NAME}" \
+  -H "Authorization: Bearer ${TOKEN}")
+
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users/${USER_ID}/role-mappings/clients/${CLIENT_UUID}" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "[${ROLE_JSON}]" \
+  > /dev/null
+
+echo "✅ Admin user & role done."
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 5: generate invite link + wait
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🔗 Generating invite link..."
+INVITE_LINK=$(curl -s -X POST \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/tideAdminResources/get-required-action-link?userId=${USER_ID}&lifespan=43200" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "Content-Type: application/json" \
+  -d '["link-tide-account-action"]')
+
+echo "🔗 Invite link: ${INVITE_LINK}"
+echo "→ Send this link to the user so they can link their account."
+
+MAX_TRIES=3
+attempt=1
+while true; do
+  echo -n "Checking link status (attempt ${attempt}/${MAX_TRIES})… "
+  ATTRS=$(curl -s -X GET \
+    "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/users?username=admin" \
+    -H "Authorization: Bearer ${TOKEN}")
+
+  KEY=$(jq -r '.[0].attributes.tideUserKey[0] // empty' <<< "${ATTRS}")
+  VUID=$(jq -r '.[0].attributes.vuid[0]        // empty' <<< "${ATTRS}")
+
+  if [[ -n "${KEY}" && -n "${VUID}" ]]; then
+    echo "✅ Linked!"
+    break
+  fi
+
+  if (( attempt >= MAX_TRIES )); then
+    echo "⚠️  Max retries reached (${MAX_TRIES}). Moving on."
+    break
+  fi
+
+  read -t 30 -p "Not linked yet; press ENTER to retry or wait 30s…" || true
+  echo
+  ((attempt++))
+done
+
+approve_and_commit users
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 6: update CustomAdminUIDomain
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "🌐 Updating CustomAdminUIDomain..."
+
+INST_JSON=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/identity-provider/instances/tide" \
+  -H "Authorization: Bearer ${TOKEN}")
+
+UPDATED_JSON=$(jq --arg d "${CLIENT_APP_URL}" '.config.CustomAdminUIDomain = $d' <<< "${INST_JSON}")
+
+curl -s -X PUT "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/identity-provider/instances/tide" \
+     -H "Authorization: Bearer ${TOKEN}" \
+     -H "Content-Type: application/json" \
+     -d "${UPDATED_JSON}" \
+  > /dev/null
+
+curl -s -X POST "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/sign-idp-settings" \
+     -H "Authorization: Bearer ${TOKEN}" \
+  > /dev/null
+
+echo "✅ CustomAdminUIDomain updated + signed."
+
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Step 7: fetch adapter config + cleanup
+# ─────────────────────────────────────────────────────────────────────────────
+TOKEN="$(get_admin_token)"
+echo "📥 Fetching adapter config…"
+CLIENT_UUID=$(curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/clients?clientId=${CLIENT_NAME}" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  | jq -r '.[0].id')
+
+curl -s -X GET \
+  "${TIDECLOAK_LOCAL_URL}/admin/realms/${REALM_NAME}/vendorResources/get-installations-provider?clientId=${CLIENT_UUID}&providerId=keycloak-oidc-keycloak-json" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  > "${ADAPTER_OUTPUT_PATH}"
+
+echo "✅ Adapter config saved to ${ADAPTER_OUTPUT_PATH}"
+rm -f "${PROJECT_ROOT}/.realm_name" "${TMP_REALM_JSON}"
+
+echo "🎉 All done!"

package/template-js-app/jsconfig.json

@@ -0,0 +1,9 @@
+{
+  "compilerOptions": {
+    "baseUrl": ".",
+    "paths": {
+      "@/*": ["*"]
+    }
+  },
+  "include": ["next-env.d.ts", "**/*.js", "**/*.jsx"]
+}

package/template-js-app/middleware.js

@@ -0,0 +1,31 @@
+// an example nextJS middleware router that does server-side validation on all traffic to secure pages
+import { NextResponse } from "next/server";
+import { createTideCloakMiddleware } from "@tidecloak/nextjs/server";
+import tcConfig from "./tidecloak.json";
+
+// Developer should list all secure pages and their respective allowed roles
+export default createTideCloakMiddleware({
+  config: tcConfig,
+  protectedRoutes:{
+    "/protected": ["offline_access"]
+  },
+  onFailure: (ctx, req) => {
+    console.debug("Token verification failed");
+    return NextResponse.json(
+      { error: 'Access forbidden: invalid token' },
+      { status: 403 }
+    )
+  },
+  onSuccess: (ctx, req) => {
+    return NextResponse.next();
+  },
+  onError: (ctx, req) => {
+    console.error("[Middleware] ", err);
+    return NextResponse.redirect(new URL("/auth/redirect", req.url));
+  }
+})
+
+//Which routes the middleware should run on:
+export const config = {
+  matcher: ["/protected/:path*"],
+};

package/template-js-app/next.config.js

@@ -0,0 +1,5 @@
+/** @type {import('next').NextConfig} */
+const nextConfig = {
+    
+}
+module.exports = nextConfig

package/template-js-app/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "my-app",
+  "version": "0.1.0",
+  "private": true,
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "init": "bash init/tcinit.sh"
+  },
+  "dependencies": {
+    "next": "14.x",
+    "react": "18.x",
+    "react-dom": "18.x",
+    "@tidecloak/nextjs": "^0.9.11"
+  }
+}

package/template-js-app/public/silent-check-sso.html

@@ -0,0 +1 @@
+<html><body><script>parent.postMessage(location.href, location.origin)</script></body></html>

package/template-js-app/tidecloak.json

@@ -0,0 +1 @@
+{}

package/template-ts-app/app/api/protected/route.ts

@@ -0,0 +1,38 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { verifyTideCloakToken } from '@tidecloak/nextjs/server'
+import tcConfig from '../../../tidecloak.json'
+
+const ALLOWED_ROLE = 'offline_access'
+
+export async function GET(request: NextRequest): Promise<NextResponse> {
+  const authHeader = request.headers.get('authorization')
+  if (!authHeader?.startsWith('Bearer ')) {
+    return NextResponse.json(
+      { error: 'Unauthorized: Missing or invalid token' },
+      { status: 401 }
+    )
+  }
+
+  const token = authHeader.split(' ')[1]
+
+  try {
+    const user = await verifyTideCloakToken(tcConfig, token, [ALLOWED_ROLE])
+
+    if (!user) {
+      return NextResponse.json(
+        { error: 'Forbidden: Invalid token or insufficient role' },
+        { status: 403 }
+      )
+    }
+    return NextResponse.json(
+      { vuid: user.vuid, userkey: user.tideuserkey },
+      { status: 200 }
+    )
+  } catch (err) {
+    console.error('Token verification failed:', err)
+    return NextResponse.json(
+      { error: 'Internal Server Error' },
+      { status: 500 }
+    )
+  }
+}

package/template-ts-app/app/auth/redirect/page.tsx

@@ -0,0 +1,46 @@
+'use client'
+
+import { useEffect } from 'react';
+import { useRouter } from 'next/navigation';
+import { useTideCloak } from '@tidecloak/nextjs';
+
+export default function RedirectPage() {
+  const { authenticated, isInitializing, logout } = useTideCloak()
+  const router = useRouter()
+
+  // Handles redirect when middleware detects token expiry
+  useEffect(() => {
+    const doLogOut = async () => {
+      logout();
+    }
+
+    const params = new URLSearchParams(window.location.search);
+    const auth = params.get("auth");
+
+    if (auth === "failed") {
+      sessionStorage.setItem("tokenExpired", "true");
+      doLogOut();
+    }
+  }, [])
+
+  useEffect(() => {
+    if (!isInitializing) {
+      router.push(authenticated ? '/home' : '/')
+    }
+  }, [authenticated, isInitializing, router])
+
+  return (
+    <div style={containerStyle}>
+      <p>Waiting for authentication...</p>
+    </div>
+  )
+}
+
+const containerStyle: React.CSSProperties = {
+  minHeight: '100vh',
+  display: 'flex',
+  alignItems: 'center',
+  justifyContent: 'center',
+  fontSize: '1rem',
+  color: '#555',
+}