From 7650f87054f26d10cdb2afa6cc7f205060c1376f Mon Sep 17 00:00:00 2001
From: chrislu
Date: Tue, 26 Aug 2025 15:08:12 -0700
Subject: [PATCH] add back configure_audience_mapper

---
 test/s3/iam/setup_keycloak.sh | 39 ++++++++++++++++++++++++++++
 test/s3/iam/setup_keycloak_docker.sh | 16 ++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/test/s3/iam/setup_keycloak.sh b/test/s3/iam/setup_keycloak.sh
index 0f59e165b..603cb2a73 100644
--- a/test/s3/iam/setup_keycloak.sh
+++ b/test/s3/iam/setup_keycloak.sh
@@ -262,6 +262,44 @@ configure_role_mapper() {
 fi
 }
 
+configure_audience_mapper() {
+ echo -e "${YELLOW}🔧 Configuring audience mapper for client '${CLIENT_ID}'...${NC}"
+
+ # Get client's internal ID
+ local internal_id
+ internal_id=$(kcadm get clients -r "${REALM_NAME}" -q clientId="${CLIENT_ID}" | jq -r '.[0].id // empty')
+
+ if [[ -z "${internal_id}" ]]; then
+ echo -e "${RED}❌ Could not find client ${CLIENT_ID} to configure audience mapper${NC}"
+ return 1
+ fi
+
+ # Check if an audience mapper already exists for this client
+ local existing_mapper
+ existing_mapper=$(kcadm get "clients/${internal_id}/protocol-mappers/models" -r "${REALM_NAME}" | jq -r '.[] | select(.name=="audience-mapper" and .protocolMapper=="oidc-audience-mapper") | .id // empty')
+
+ if [[ -n "${existing_mapper}" ]]; then
+ echo -e "${GREEN}✅ Audience mapper already exists${NC}"
+ else
+ echo -e "${YELLOW}📝 Creating audience mapper...${NC}"
+
+ # Create protocol mapper for audience
+ kcadm create "clients/${internal_id}/protocol-mappers/models" -r "${REALM_NAME}" \
+ -s name="audience-mapper" \
+ -s protocol="openid-connect" \
+ -s protocolMapper="oidc-audience-mapper" \
+ -s consentRequired=false \
+ -s 'config."included.client.audience"='"${CLIENT_ID}" \
+ -s 'config."id.token.claim"=false' \
+ -s 'config."access.token.claim"=true' >/dev/null || {
+ echo -e "${RED}❌ Failed to create audience mapper${NC}"
+ return 1
+ }
+
+ echo -e "${GREEN}✅ Audience mapper created${NC}"
+ fi
+}
+
 main() {
 command -v docker >/dev/null || { echo -e "${RED}❌ Docker is required${NC}"; exit 1; }
 command -v jq >/dev/null || { echo -e "${RED}❌ jq is required${NC}"; exit 1; }
@@ -273,6 +311,7 @@ main() {
 ensure_realm
 ensure_client
 configure_role_mapper
+ configure_audience_mapper
 ensure_role "${ROLE_ADMIN}"
 ensure_role "${ROLE_READONLY}"
 ensure_role "${ROLE_WRITEONLY}"
diff --git a/test/s3/iam/setup_keycloak_docker.sh b/test/s3/iam/setup_keycloak_docker.sh
index 6ec1485b8..294347b2b 100755
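Review bot: The idempotency check in configure_audience_mapper matches a mapper only by name and type, so an `audience-mapper` left behind by an earlier run with a different CLIENT_ID is reported as "already exists" and kept as is, and access tokens then carry an `aud` that does not match the client the S3 IAM side expects. Narrowing the selector to the intended audience, `jq -r --arg cid "${CLIENT_ID}" '.[] | select(.name=="audience-mapper" and .protocolMapper=="oidc-audience-mapper" and .config."included.client.audience"==$cid) | .id // empty'`, makes such a mismatch visible; a name match with another audience should then be updated or reported as an error rather than silently accepted, since I would expect the subsequent create to be rejected for the duplicate name anyway. A one-line header would also help readers of this file: `# Ensure the client has an oidc-audience-mapper so access tokens carry aud=${CLIENT_ID}; returns 1 if the client is missing or creation fails.` The second hunk only wires the call into main and needs nothing further.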
--- a/test/s3/iam/setup_keycloak_docker.sh
+++ b/test/s3/iam/setup_keycloak_docker.sh
@@ -97,6 +97,22 @@ MAPPER_CONFIG='{
 kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$MAPPER_CONFIG" 2>/dev/null || echo "✅ Role mapper already exists"
 echo "✅ Realm roles mapper configured"
 
+# Configure audience mapper to ensure JWT tokens have correct audience claim
+echo "🔧 Configuring audience mapper for client '$CLIENT_ID'..."
+AUDIENCE_MAPPER_CONFIG='{
+ "protocol": "openid-connect",
+ "protocolMapper": "oidc-audience-mapper",
+ "name": "audience-mapper",
+ "config": {
+ "included.client.audience": "'$CLIENT_ID'",
+ "id.token.claim": "false",
+ "access.token.claim": "true"
+ }
+}'
+
+kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$AUDIENCE_MAPPER_CONFIG" 2>/dev/null || echo "✅ Audience mapper already exists"
+echo "✅ Audience mapper configured"
+
 # Create realm roles
 echo "📝 Creating realm roles..."
 for role in "s3-admin" "s3-read-only" "s3-write-only" "s3-read-write"; do
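Review bot: `kcadm create ... 2>/dev/null || echo "✅ Audience mapper already exists"` turns every failure — an expired admin session, a wrong realm, malformed JSON — into a success message, and the next line then prints "configured" even though tokens would be issued with no `aud` claim; this mirrors the role-mapper line in the context above, but for the audience mapper a silent miss directly weakens the token validation these tests are meant to exercise. Keep stderr, treat only a name conflict as "already exists", and fail otherwise, as sketched below (the exact conflict text kcadm prints for a duplicate mapper should be confirmed before relying on the match). Separately, `"'$CLIENT_ID'"` splices the variable unquoted into a JSON literal with no escaping; building the document with `jq -n --arg cid "$CLIENT_ID" '{...}'` would be safer if jq is available to this script.
```shell
# … unchanged: AUDIENCE_MAPPER_CONFIG definition …
if ! create_out=$(kcadm create clients/"$CLIENT_UUID"/protocol-mappers/models -r "$REALM_NAME" -b "$AUDIENCE_MAPPER_CONFIG" 2>&1); then
  # TODO(review): confirm the conflict text kcadm prints for a duplicate mapper name
  if [[ "$create_out" == *"409"* || "$create_out" == *"exists"* ]]; then
    echo "✅ Audience mapper already exists"
  else
    echo "❌ Failed to create audience mapper: $create_out" >&2
    exit 1
  fi
fi
echo "✅ Audience mapper configured"
```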