ef-keycloak-connect 1.8.4-patch-4.0 → 1.8.6-patch-1.0

package/README.md

@@ -41,6 +41,7 @@ This adapter is extended from keycloak-connect and have functionalities of both
   - assignRoleToUser
   - authenticateFinesse
   - createRealmAsTenant
+  - dynamics365Sso
   
 ```
 ### Example
@@ -445,6 +446,9 @@ It takes 5 arguments:
  - finesse_server_url: The url of finesse server (In case of normal keycloak auth, send this parameter as **' '**)
  - user_roles: The array containing user_roles, it will be used to assign roles to finesse user while synching it with Keycloak (for normal auth send it as [ ]).
  - finesse_token: acess token for finesse SSO authentication (It will be passed if Finesse SSO instance is connected, in case of non SSO will pass empty string **' '** as argument)
+
+
+
  
  ##### Example of SSO Finesse Auth:
  
@@ -455,6 +459,15 @@ It takes 5 arguments:
       
       authenticateFinesse('johndoe', '12345', `https://${finesse_server_url}:${port}`, ['agent','supervisor'], '')
 
+### dynamics365Sso( userRoles, validationToken, dynamics365Url )
+
+This function sync microsoft dynamics 365 user in keycloak, it first authenticates user from dynamics365, then check for its existance in keycloak. If it exists in keycloak then generates an access_token along with role mapping and team mapping and return it to user. If user doesn't exist then it creates a user, assign it roles and team and return the access_token along with role mapping/team mapping for newly created user.
+
+It takes 3 arguments: 
+ - userRoles: The array containing user roles, it will be used to assign roles to dynamics365 user while synching it with Keycloak e.g **['agent']**.
+ - validationToken: acess token for dynamics365 user validation and to get user details.
+ - dynamics365Url: The url of dynamics365 server e.g **'https://{fqdn}/api/data/v9.0'**
+
 ### generateAccessTokenFromRefreshToken(refreshToken)
 
 This function generates a new access_token by using the refreshToken received in parameter.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ef-keycloak-connect",
-  "version": "1.8.4-patch-4.0",
+  "version": "1.8.6-patch-1.0",
   "description": "Node JS keycloak adapter for authentication and authorization.",
   "main": "index.js",
   "scripts": {

package/services/dynamics365Service.js

@@ -0,0 +1,109 @@
+const parseXMLString = require( 'xml2js' ).parseString;
+const https = require( 'https' );
+
+let requestController = require( "../controller/requestController.js" );
+
+class Dynamics365Service {
+
+
+    async authenticateUserViaDynamics365( validationToken, dynamics365Url ) {
+
+        return new Promise( async ( resolve, reject ) => {
+
+            let URL = dynamics365Url + '/WhoAmI'
+
+
+            let config = {
+                method: 'get',
+                'Content-Type': 'application/json',
+                'Accept': 'application/json',
+                'OData-MaxVersion': '4.0',
+                'OData-Version': '4.0',
+                url: URL,
+                headers: {
+                    'Authorization': `Bearer ${validationToken}`
+                },
+                //disable ssl
+                httpsAgent: new https.Agent( { rejectUnauthorized: false } )
+            };
+
+            try {
+
+                let whoAmIResponse = await requestController.httpRequest( config, false );
+
+                let userId = whoAmIResponse?.data?.UserId;
+
+                try {
+
+                    let URL1 = `${dynamics365Url}/systemusers(${userId})?$select=fullname,firstname,middlename,lastname,internalemailaddress,title,isdisabled,businessunitid,mobilephone,createdon,modifiedon`
+                    config.url = URL1;
+                    config.maxBodyLength = 'Infinity';
+
+                    let userObjectResponse = await requestController.httpRequest( config, true );
+                    let userObject = userObjectResponse?.data;
+
+
+                    resolve( {
+                        'data': userObject,
+                        'status': userObjectResponse?.status
+                    } );
+
+                }
+                catch ( er ) {
+
+                    if ( er.code == "ENOTFOUND" ) {
+
+                        reject( {
+                            error_message: "Dynamics365 Authentication Error: An error occurred while getting the user data from Dynamics365.",
+                            error_detail: {
+                                status: 408,
+                                reason: `Dynamics365 server not accessible against URL: ${dynamics365Url}`
+                            }
+                        } )
+
+                    } else if ( er.response ) {
+
+                        reject( {
+                            error_message: "Dynamics365 Authentication Error: An error occurred while getting the user data from Dynamics365.",
+                            error_detail: {
+                                status: er.response.status,
+                                reason: er.response.statusText
+                            }
+                        } )
+
+                    }
+
+                }
+
+            }
+            catch ( er ) {
+
+                if ( er.code == "ENOTFOUND" ) {
+
+                    reject( {
+                        error_message: "Dynamics365 Authentication Error: An error occurred while validating user in Dynamics365.",
+                        error_detail: {
+                            status: 408,
+                            reason: `Finesse server not accessible against URL: ${dynamics365Url}`
+                        }
+                    } )
+
+                } else if ( er.response ) {
+
+                    reject( {
+                        error_message: "Dynamics365 Authentication Error: An error occurred while validating user in Dynamics365.",
+                        error_detail: {
+                            status: er.response.status,
+                            reason: er.response.statusText
+                        }
+                    } )
+
+                }
+
+            }
+
+        } );
+    }
+}
+
+module.exports = Dynamics365Service;

package/services/keycloak/README.md

@@ -0,0 +1,13 @@
+Keycloak Service Modules
+
+This folder holds cohesive helpers used by `services/keycloakService.js`.
+
+- `utils.js`: Small validation helpers (e.g., `validateUser`, `isValidPhoneNumber`).
+- `monitoring.js`: Polls Keycloak Admin Events to detect user creations; returns a `stop()` function.
+- `twofa.js`: Implements 2FA helpers: QR code generation and SMS OTP via Twilio Verify.
+
+Notes
+
+- These modules are pure helpers; the public API remains on `KeycloakService` to preserve compatibility.
+- Modules receive the `KeycloakService` instance when they need access to tokens, config, or Twilio client.
+

package/services/keycloak/monitoring.js

@@ -0,0 +1,122 @@
+/**
+ * Keycloak Admin Events monitoring utilities.
+ * Encapsulates internal state so multiple monitors don't interfere.
+ */
+
+const requestController = require('../../controller/requestController');
+
+function createState() {
+  return {
+    previousEvents: [],
+    isFirstRun: true,
+  };
+}
+
+function parseUserData(representation) {
+  try {
+    return JSON.parse(representation);
+  } catch (_) {
+    return null;
+  }
+}
+
+function computeNewEvents(state, events) {
+  const incoming = Array.isArray(events) ? events : [];
+  if (state.isFirstRun) {
+    state.previousEvents = incoming.slice().sort((a, b) => b.time - a.time);
+    state.isFirstRun = false;
+    return state.previousEvents;
+  }
+  if (incoming.length > 0 && state.previousEvents.length > 0) {
+    const lastStoredEventTime = state.previousEvents.reduce((max, e) => Math.max(max, e.time), 0);
+    const genuinelyNew = incoming.filter((e) => e.time > lastStoredEventTime);
+    if (genuinelyNew.length > 0) {
+      const sortedNew = genuinelyNew.slice().sort((a, b) => b.time - a.time);
+      state.previousEvents = sortedNew;
+      return sortedNew;
+    }
+  }
+  return [];
+}
+
+async function fetchAdminEvents(baseUrl, realm, adminToken) {
+  const url = `${baseUrl}admin/realms/${realm}/admin-events`;
+  const config = {
+    method: 'get',
+    url,
+    headers: {
+      Authorization: `Bearer ${adminToken}`,
+      Accept: 'application/json',
+      'cache-control': 'no-cache',
+    },
+    params: {
+      operationTypes: 'CREATE',
+      resourceTypes: 'USER',
+    },
+  };
+
+  const response = await requestController.httpRequest(config, false);
+  return response.data;
+}
+
+/**
+ * Start polling admin events; returns a function to stop.
+ * @param {object} svc - Instance of KeycloakService
+ * @param {{pollingInterval?:number}} opts
+ * @param {(evt:any)=>void} callback
+ */
+async function startUserMonitoring(svc, { pollingInterval }, callback) {
+  if (!svc.keycloakConfig['auth-server-url'] || !svc.keycloakConfig['realm']) {
+    throw {
+      error_message: 'Configuration Error: baseUrl and realm are required in config.',
+      error_detail: 'Missing required configuration parameters',
+    };
+  }
+
+  const state = createState();
+  const intervalMs = pollingInterval || 5000;
+
+  const timer = setInterval(async () => {
+    try {
+      const adminTok = await svc.getAccessToken(
+        svc.keycloakConfig['USERNAME_ADMIN'],
+        svc.keycloakConfig['PASSWORD_ADMIN']
+      );
+      const events = await fetchAdminEvents(
+        svc.keycloakConfig['auth-server-url'],
+        svc.keycloakConfig['realm'],
+        adminTok.access_token
+      );
+      const newEvents = computeNewEvents(state, events);
+      newEvents.forEach((event) => {
+        const userData = parseUserData(event.representation);
+        if (userData) {
+          callback({
+            time: event.time,
+            realmId: event.realmId,
+            authDetails: event.authDetails,
+            operationType: event.operationType,
+            resourceType: event.resourceType,
+            resourcePath: event.resourcePath,
+            representation: userData,
+          });
+        }
+      });
+    } catch (err) {
+      // Swallow errors during polling to keep monitor running
+      // eslint-disable-next-line no-console
+      console.error('Error in monitoring loop:', err);
+    }
+  }, intervalMs);
+
+  return () => {
+    clearInterval(timer);
+    return { message: 'Monitoring stopped successfully' };
+  };
+}
+
+module.exports = {
+  startUserMonitoring,
+  parseUserData,
+};
+

package/services/keycloak/twofa.js

@@ -0,0 +1,125 @@
+const qrcode = require('qrcode');
+const speakeasy = require('speakeasy');
+
+/**
+ * Generate OTP secret and QR image for a username
+ */
+async function getQRCode(username) {
+  const secret = speakeasy.generateSecret({ name: username, symbols: false });
+  let image;
+  try {
+    image = await qrcode.toDataURL(secret.otpauth_url + '&issuer=EFCX');
+  } catch (_) {
+    return false;
+  }
+  return { secret: secret.base32, image };
+}
+
+/**
+ * Update Keycloak user attributes (thin wrapper around svc.updateUserAttributes)
+ */
+async function updateUserAttributes(svc, adminToken, userId, attributesToUpdate) {
+  return svc.updateUserAttributes(adminToken, userId, attributesToUpdate);
+}
+
+/**
+ * Register/Bind phone number and send OTP via SMS
+ */
+async function registerPhoneNumber(svc, username, phoneNumber) {
+  if (!svc.isValidPhoneNumber(phoneNumber)) {
+    return Promise.reject({ error: 400, error_message: 'Invalid phone number' });
+  }
+
+  const userObjectToBeReturned = { username };
+
+  const adminData = await svc.getAccessToken(
+    svc.keycloakConfig.USERNAME_ADMIN,
+    svc.keycloakConfig.PASSWORD_ADMIN
+  );
+  const adminToken = adminData.access_token;
+
+  const userObject = await svc.getUserDetails(adminToken, username);
+  if (!userObject.attributes) {
+    userObject.attributes = {};
+  }
+
+  if (userObject.attributes) {
+    const userObjectAttributes = userObject.attributes;
+    const newAttributes = {};
+    if (Object.keys(userObjectAttributes).length > 0) {
+      for (const key in userObjectAttributes) {
+        newAttributes[key] = userObjectAttributes[key][0];
+      }
+    }
+    newAttributes.is2FARegistered = false;
+    newAttributes.twoFAChannel = 'sms';
+    newAttributes.phoneNumber = '+' + phoneNumber;
+
+    try {
+      await svc.updateUserAttributes(adminToken, userObject.id, newAttributes);
+      await svc.sendOTPviaSMS('+' + phoneNumber);
+    } catch (error) {
+      const err = await svc.errorService.handleError(error);
+      return Promise.reject({
+        error_message: 'Error occurred while registering phone number.',
+        error_detail: err,
+      });
+    }
+  } else {
+    return Promise.reject({ error: 400, error_message: 'Error occurred while fetching user attributes.' });
+  }
+
+  userObjectToBeReturned.is2FARegistered = false;
+  userObjectToBeReturned.twoFAChannel = 'sms';
+  userObjectToBeReturned.phoneNumber = '+' + phoneNumber;
+  userObjectToBeReturned.message = 'OTP required';
+
+  return userObjectToBeReturned;
+}
+
+/**
+ * Send OTP via Twilio Verify
+ */
+async function sendOTPviaSMS(svc, phoneNumber) {
+  if (!svc.twilioClient || !svc.keycloakConfig.TWILIO_VERIFY_SID) {
+    return Promise.reject({
+      error: 500,
+      error_message: 'Twilio is not configured. Please set TWILIO_SID, TWILIO_AUTH_TOKEN and TWILIO_VERIFY_SID.',
+    });
+  }
+
+  if (phoneNumber.startsWith('+')) {
+    phoneNumber = phoneNumber.slice(1);
+    if (!svc.isValidPhoneNumber(phoneNumber)) {
+      return Promise.reject({ error: 400, error_message: 'Invalid phone number' });
+    }
+    phoneNumber = '+' + phoneNumber;
+  } else {
+    if (!svc.isValidPhoneNumber(phoneNumber)) {
+      return Promise.reject({ error: 400, error_message: 'Invalid phone number' });
+    }
+    phoneNumber = '+' + phoneNumber;
+  }
+
+  try {
+    await svc.twilioClient.verify.v2
+      .services(svc.keycloakConfig.TWILIO_VERIFY_SID)
+      .verifications.create({ to: phoneNumber, channel: 'sms' });
+  } catch (_) {
+    return Promise.reject({
+      error: 400,
+      error_message:
+        'Error occured while sending OTP via SMS. This may be because of some issue with Twilio Service.',
+    });
+  }
+
+  return 'OTP sent successfully.';
+}
+
+module.exports = {
+  getQRCode,
+  updateUserAttributes,
+  registerPhoneNumber,
+  sendOTPviaSMS,
+};
+

package/services/keycloak/utils.js

@@ -0,0 +1,30 @@
+const Joi = require('joi');
+
+/**
+ * Validate EF user payload for authentication flows
+ * @param {{username:string,password:string,token:string,userRoles?:string[]}} userData
+ * @returns {{error?:any,value?:any}}
+ */
+function validateUser(userData) {
+  const schema = Joi.object({
+    username: Joi.string().min(1).max(255).required(),
+    password: Joi.string().min(1).max(255).required(),
+    token: Joi.string().required(),
+    userRoles: Joi.array().items(Joi.string()).allow(null),
+  });
+  return schema.validate(userData);
+}
+
+/**
+ * Basic E.164-ish numeric validation (7–15 digits)
+ * Accepts only digits; callers should handle leading '+' separately
+ */
+function isValidPhoneNumber(phoneNumber) {
+  return /^\d{7,15}$/.test(phoneNumber);
+}
+
+module.exports = {
+  validateUser,
+  isValidPhoneNumber
+};
+