keycloak-api-manager 5.0.3 → 5.0.5

package/README.md

@@ -65,10 +65,16 @@ In Keycloak 26.x, management-permissions APIs used by group/user fine-grained te
 - `configure(credentials)`
 - `setConfig(overrides)`
 - `getToken()`
+- `login(credentials)`
+- `loginPKCE(credentials)`
 - `auth(credentials)`
 - `stop()`
 
-`auth(credentials)` is an OIDC token endpoint helper for login/token grant flows (user/client). It does not replace the internal admin session configured by `configure()`.
+`login(credentials)` is the preferred OIDC token endpoint helper for login/token grant flows (user/client).
+
+`loginPKCE(credentials)` is a specialized helper for Authorization Code + PKCE token exchange.
+
+`auth(credentials)` is kept as backward-compatible alias and does not replace the internal admin session configured by `configure()`.
 
 Configured handler namespaces:
 

package/docs/api/configuration.md

@@ -7,6 +7,8 @@ Core API methods for initializing and managing the Keycloak Admin Client connect
 - [configure()](#configure)
 - [setConfig()](#setconfig)
 - [getToken()](#gettoken)
+- [login()](#login)
+- [loginPKCE()](#loginpkce)
 - [auth()](#auth)
 - [stop()](#stop)
 
@@ -236,6 +238,23 @@ const response = await axios.get('https://keycloak.example.com/admin/realms/mast
 
 ## auth()
 
+Backward-compatible alias of `login()`.
+
+Use `login()` in new code for clearer intent.
+
+**Syntax:**
+```javascript
+await KeycloakManager.auth(credentials)
+```
+
+### Returns
+
+**Promise\<Object\>** - Same response as `login()`
+
+---
+
+## login()
+
 Request tokens from Keycloak via the OIDC token endpoint.
 
 This method is intended for application-level login/token flows (for users, service clients, or third-party integrations) using this package as a wrapper.
@@ -244,7 +263,7 @@ It does **not** reconfigure or replace the internal admin session created by `co
 
 **Syntax:**
 ```javascript
-await KeycloakManager.auth(credentials)
+await KeycloakManager.login(credentials)
 ```
 
 ### Parameters
@@ -287,7 +306,7 @@ await KeycloakManager.configure({
 });
 
 // Application login/token request for an end-user
-const tokenResponse = await KeycloakManager.auth({
+const tokenResponse = await KeycloakManager.login({
   grant_type: 'password',
   username: 'end-user',
   password: 'user-password',
@@ -300,7 +319,7 @@ console.log(tokenResponse.access_token);
 #### Client Credentials Login
 
 ```javascript
-const tokenResponse = await KeycloakManager.auth({
+const tokenResponse = await KeycloakManager.login({
   grant_type: 'client_credentials',
   client_id: 'my-public-api',
   client_secret: process.env.API_CLIENT_SECRET
@@ -312,7 +331,7 @@ console.log(tokenResponse.access_token);
 #### Refresh Token Flow
 
 ```javascript
-const refreshed = await KeycloakManager.auth({
+const refreshed = await KeycloakManager.login({
   grant_type: 'refresh_token',
   refresh_token: oldRefreshToken
 });
@@ -322,13 +341,67 @@ console.log(refreshed.access_token);
 
 ### Notes
 
-- `auth()` posts to `${baseUrl}/realms/${realmName}/protocol/openid-connect/token`.
-- `auth()` returns raw token endpoint payload and throws on non-2xx responses.
-- `auth()` does not change handler wiring, runtime config, or the internal admin refresh timer.
+- `login()` posts to `${baseUrl}/realms/${realmName}/protocol/openid-connect/token`.
+- `login()` returns raw token endpoint payload and throws on non-2xx responses.
+- `login()`/`auth()` do not change handler wiring, runtime config, or the internal admin refresh timer.
 - Runtime `clientId`/`clientSecret` are appended automatically if configured and not overridden in request payload.
 
 ---
 
+## loginPKCE()
+
+Perform Authorization Code + PKCE token exchange.
+
+This helper is intended for the callback step after user login on Keycloak, where your backend receives an authorization `code` and exchanges it with `code_verifier`.
+
+**Syntax:**
+```javascript
+await KeycloakManager.loginPKCE(credentials)
+```
+
+### Parameters
+
+#### credentials (Object) ⚠️ Required
+
+| Property | Type | Required | Description |
+|----------|------|----------|-------------|
+| `code` | string | ⚠️ Yes | Authorization code returned by Keycloak |
+| `redirect_uri` | string | ⚠️ Yes* | Redirect URI used in authorize request |
+| `redirectUri` | string | ⚠️ Yes* | CamelCase alias of `redirect_uri` |
+| `code_verifier` | string | ⚠️ Yes* | PKCE code verifier |
+| `codeVerifier` | string | ⚠️ Yes* | CamelCase alias of `code_verifier` |
+| `client_id` | string | 📋 Optional | Overrides runtime `clientId` |
+| `clientId` | string | 📋 Optional | CamelCase alias of `client_id` |
+| `client_secret` | string | 📋 Optional | Overrides runtime `clientSecret` |
+| `clientSecret` | string | 📋 Optional | CamelCase alias of `client_secret` |
+| `scope` | string | 📋 Optional | Additional scope string |
+
+`*` required with either snake_case or camelCase form.
+
+### Returns
+
+**Promise\<Object\>** - Token payload returned by Keycloak (`access_token`, `refresh_token`, `id_token`, `expires_in`, ...)
+
+### Example
+
+```javascript
+const tokenResponse = await KeycloakManager.loginPKCE({
+  code: authorizationCode,
+  redirectUri: 'https://my-app.example.com/auth/callback',
+  codeVerifier: pkceCodeVerifier
+});
+
+console.log(tokenResponse.access_token);
+```
+
+### Notes
+
+- `loginPKCE()` forces `grant_type=authorization_code`.
+- If `client_id/client_secret` are omitted, runtime values from `configure()` are used.
+- `loginPKCE()` does not generate authorize URLs, `state`, or PKCE challenge; it only performs token exchange.
+
+---
+
 ## stop()
 
 Stop the automatic token refresh timer and cleanup resources. Call this when shutting down your application.

package/docs/api-reference.md

@@ -76,7 +76,9 @@ KeycloakManager.stop();
 | `configure()` | Authentication and setup | Core |
 | `setConfig()` | Runtime configuration | Core |
 | `getToken()` | Get current access token | Core |
-| `auth()` | OIDC token grant/login endpoint wrapper | Core |
+| `login()` | Preferred OIDC token grant/login endpoint wrapper | Core |
+| `loginPKCE()` | Authorization Code + PKCE token exchange helper | Core |
+| `auth()` | Backward-compatible alias of `login()` | Core |
 | `stop()` | Stop token refresh timer | Core |
 | `realms` | Realm management | realmsHandler |
 | `users` | User management | usersHandler |

package/docs/architecture.md

@@ -14,10 +14,11 @@ This package exposes a single runtime (`index.js`) that initializes one Keycloak
    - Updates realm/baseUrl/request options at runtime.
    - Keeps active session/token management in place.
 
-3. `auth(credentials)`
+3. `login(credentials)`
    - Direct token endpoint call for explicit OIDC login/token flows.
    - Intended for application-level third-party authentication use-cases.
    - Does not mutate the internal admin client session established by `configure()`.
+   - `auth(credentials)` remains available as backward-compatible alias.
 
 4. `stop()`
    - Stops refresh timer for clean process termination.

package/index.js

@@ -138,7 +138,7 @@ exports.stop = function stop() {
     clearRefreshTimer();
 };
 
-exports.auth = async function auth(credentials = {}) {
+async function requestOidcToken(credentials = {}) {
     assertConfigured();
 
     const body = new URLSearchParams();
@@ -148,10 +148,10 @@ exports.auth = async function auth(credentials = {}) {
         }
     });
 
-    if (runtimeConfig.clientId) {
+    if (runtimeConfig.clientId && !body.has('client_id')) {
         body.append('client_id', runtimeConfig.clientId);
     }
-    if (runtimeConfig.clientSecret) {
+    if (runtimeConfig.clientSecret && !body.has('client_secret')) {
         body.append('client_secret', runtimeConfig.clientSecret);
     }
 
@@ -175,4 +175,53 @@ exports.auth = async function auth(credentials = {}) {
     }
 
     return payload;
+}
+
+exports.auth = async function auth(credentials = {}) {
+    return requestOidcToken(credentials);
+};
+
+exports.login = async function login(credentials = {}) {
+    return requestOidcToken(credentials);
+};
+
+exports.loginPKCE = async function loginPKCE(credentials = {}) {
+    const {
+        code,
+        redirect_uri,
+        redirectUri,
+        code_verifier,
+        codeVerifier,
+        client_id,
+        clientId,
+        client_secret,
+        clientSecret,
+        ...rest
+    } = credentials;
+
+    const resolvedCode = code;
+    const resolvedRedirectUri = redirect_uri || redirectUri;
+    const resolvedCodeVerifier = code_verifier || codeVerifier;
+    const resolvedClientId = client_id || clientId;
+    const resolvedClientSecret = client_secret || clientSecret;
+
+    if (!resolvedCode) {
+        throw new Error('loginPKCE requires "code".');
+    }
+    if (!resolvedRedirectUri) {
+        throw new Error('loginPKCE requires "redirect_uri" (or "redirectUri").');
+    }
+    if (!resolvedCodeVerifier) {
+        throw new Error('loginPKCE requires "code_verifier" (or "codeVerifier").');
+    }
+
+    return requestOidcToken({
+        grant_type: 'authorization_code',
+        code: resolvedCode,
+        redirect_uri: resolvedRedirectUri,
+        code_verifier: resolvedCodeVerifier,
+        ...(resolvedClientId ? { client_id: resolvedClientId } : {}),
+        ...(resolvedClientSecret ? { client_secret: resolvedClientSecret } : {}),
+        ...rest
+    });
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keycloak-api-manager",
-  "version": "5.0.3",
+  "version": "5.0.5",
   "description": "Enhanced Node.js wrapper for Keycloak Admin REST API. Professional alternative to @keycloak/keycloak-admin-client with advanced features, bug fixes, automatic token refresh, Organizations API support, fine-grained permissions, and comprehensive resource management. Battle-tested with 113+ integration tests.",
   "main": "index.js",
   "scripts": {

package/test/specs/clientCredentials.test.js

@@ -76,4 +76,70 @@ describe('Authentication - client_credentials grant', function () {
     expect(token).to.have.property('accessToken');
     expect(token.accessToken).to.be.a('string').and.to.have.length.greaterThan(0);
   });
+
+  it('supports login() for direct token grant', async function () {
+    if (!testClientId || !testClientSecret) {
+      this.skip();
+      return;
+    }
+
+    keycloakManager.setConfig({ realmName: TEST_REALM });
+
+    const tokenPayload = await keycloakManager.login({
+      grant_type: 'client_credentials',
+      client_id: testClientId,
+      client_secret: testClientSecret,
+    });
+
+    expect(tokenPayload).to.have.property('access_token');
+    expect(tokenPayload.access_token).to.be.a('string').and.to.have.length.greaterThan(0);
+    expect(tokenPayload).to.have.property('token_type');
+  });
+
+  it('validates loginPKCE required parameters', async function () {
+    try {
+      await keycloakManager.loginPKCE({});
+      throw new Error('Expected loginPKCE to fail when code is missing');
+    } catch (error) {
+      expect(error.message).to.include('requires "code"');
+    }
+
+    try {
+      await keycloakManager.loginPKCE({ code: 'dummy-code' });
+      throw new Error('Expected loginPKCE to fail when redirect_uri is missing');
+    } catch (error) {
+      expect(error.message).to.include('requires "redirect_uri"');
+    }
+
+    try {
+      await keycloakManager.loginPKCE({
+        code: 'dummy-code',
+        redirect_uri: 'https://example.local/callback',
+      });
+      throw new Error('Expected loginPKCE to fail when code_verifier is missing');
+    } catch (error) {
+      expect(error.message).to.include('requires "code_verifier"');
+    }
+  });
+
+  it('attempts PKCE token exchange and returns OIDC error for invalid code', async function () {
+    if (!testClientId || !testClientSecret) {
+      this.skip();
+      return;
+    }
+
+    try {
+      await keycloakManager.loginPKCE({
+        code: 'invalid-authorization-code',
+        redirect_uri: 'https://example.local/callback',
+        code_verifier: 'plain-verifier-for-test-only',
+        client_id: testClientId,
+        client_secret: testClientSecret,
+      });
+      throw new Error('Expected loginPKCE to fail with invalid authorization code');
+    } catch (error) {
+      expect(error).to.be.instanceOf(Error);
+      expect(error.message).to.be.a('string').and.to.have.length.greaterThan(0);
+    }
+  });
 });