CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/npm-keycloak--keycloak-admin-client

A comprehensive TypeScript client library for interacting with Keycloak's Administration API.

Pending
Quality

Pending

Does it follow best practices?

Impact

Pending

No eval scenarios have been run

SecuritybySnyk

Pending

The risk profile of this skill

Overview
Eval results
Files

authentication-management.mddocs/

Authentication Management

Authentication flow configuration, execution management, and authenticator configuration.

Capabilities

Authentication Flows

Management of authentication flows that define the authentication process.

/**
 * Get all authentication flows in the realm
 * @returns Array of authentication flow representations
 */
getFlows(): Promise<AuthenticationFlowRepresentation[]>;

/**
 * Create a new authentication flow
 * @param flow - Flow configuration
 */
createFlow(flow: AuthenticationFlowRepresentation): Promise<void>;

/**
 * Get a specific authentication flow
 * @param params - Flow identifier
 * @returns Authentication flow representation
 */
getFlow(params: { flowId: string }): Promise<AuthenticationFlowRepresentation>;

/**
 * Update an existing authentication flow
 * @param params - Flow identifier
 * @param flow - Updated flow configuration
 */
updateFlow(params: { flowId: string }, flow: AuthenticationFlowRepresentation): Promise<void>;

/**
 * Delete an authentication flow
 * @param params - Flow identifier
 */
deleteFlow(params: { flowId: string }): Promise<void>;

/**
 * Copy an existing authentication flow
 * @param params - Source flow alias and new flow name
 */
copyFlow(params: { flowAlias: string; newName: string }): Promise<void>;

Usage Examples:

// List all authentication flows
const flows = await kcAdminClient.authenticationManagement.getFlows();
console.log("Authentication flows:", flows.map(f => f.alias));

// Create custom authentication flow
await kcAdminClient.authenticationManagement.createFlow({
  alias: "custom-browser-flow",
  description: "Custom browser authentication flow",
  providerId: "basic-flow",
  topLevel: true,
  builtIn: false,
});

// Copy existing flow
await kcAdminClient.authenticationManagement.copyFlow({
  flowAlias: "browser",
  newName: "custom-browser-with-otp",
});

// Get specific flow
const browserFlow = await kcAdminClient.authenticationManagement.getFlow({
  flowId: "browser-flow-id",
});

// Update flow description
await kcAdminClient.authenticationManagement.updateFlow(
  { flowId: "custom-flow-id" },
  {
    description: "Updated: Custom authentication flow with additional security",
  }
);

// Delete custom flow
await kcAdminClient.authenticationManagement.deleteFlow({
  flowId: "custom-flow-id",
});

Authentication Executions

Management of individual authentication steps within flows.

/**
 * Get executions for an authentication flow
 * @param params - Flow alias
 * @returns Array of execution info representations
 */
getExecutions(params: { flowAlias: string }): Promise<AuthenticationExecutionInfoRepresentation[]>;

/**
 * Add execution to an authentication flow
 * @param params - Flow alias
 * @param execution - Execution configuration
 */
addExecution(params: { flowAlias: string }, execution: AuthenticationExecutionRepresentation): Promise<void>;

/**
 * Update execution configuration
 * @param params - Execution identifier
 * @param execution - Updated execution configuration
 */
updateExecution(params: { executionId: string }, execution: AuthenticationExecutionInfoRepresentation): Promise<void>;

/**
 * Delete execution from flow
 * @param params - Execution identifier
 */
deleteExecution(params: { executionId: string }): Promise<void>;

/**
 * Move execution up in the flow order
 * @param params - Execution identifier
 */
raiseExecutionPriority(params: { executionId: string }): Promise<void>;

/**
 * Move execution down in the flow order
 * @param params - Execution identifier
 */
lowerExecutionPriority(params: { executionId: string }): Promise<void>;

Usage Examples:

// Get executions for browser flow
const executions = await kcAdminClient.authenticationManagement.getExecutions({
  flowAlias: "browser",
});

console.log("Browser flow executions:", executions.map(e => e.displayName));

// Add username/password execution
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "custom-browser-flow" },
  {
    provider: "auth-username-password-form",
    requirement: "REQUIRED",
  }
);

// Add OTP execution
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "custom-browser-flow" },
  {
    provider: "auth-otp-form",
    requirement: "OPTIONAL",
  }
);

// Update execution requirement
await kcAdminClient.authenticationManagement.updateExecution(
  { executionId: "execution-id" },
  {
    requirement: "REQUIRED",
  }
);

// Reorder executions
await kcAdminClient.authenticationManagement.raiseExecutionPriority({
  executionId: "otp-execution-id",
});

// Delete execution
await kcAdminClient.authenticationManagement.deleteExecution({
  executionId: "execution-to-delete",
});

Authenticator Configuration

Management of authenticator configurations and settings.

/**
 * Get authenticator providers available in the realm
 * @returns Array of authenticator provider representations
 */
getAuthenticatorProviders(): Promise<AuthenticatorConfigInfoRepresentation[]>;

/**
 * Get authenticator configurations
 * @returns Array of authenticator configurations
 */
getAuthenticatorConfigs(): Promise<AuthenticatorConfigRepresentation[]>;

/**
 * Create authenticator configuration
 * @param config - Configuration settings
 * @returns Created configuration representation
 */
createAuthenticatorConfig(config: AuthenticatorConfigRepresentation): Promise<AuthenticatorConfigRepresentation>;

/**
 * Get specific authenticator configuration
 * @param params - Configuration identifier
 * @returns Authenticator configuration
 */
getAuthenticatorConfig(params: { configId: string }): Promise<AuthenticatorConfigRepresentation>;

/**
 * Update authenticator configuration
 * @param params - Configuration identifier
 * @param config - Updated configuration
 */
updateAuthenticatorConfig(params: {
  configId: string;
}, config: AuthenticatorConfigRepresentation): Promise<void>;

/**
 * Delete authenticator configuration
 * @param params - Configuration identifier
 */
deleteAuthenticatorConfig(params: { configId: string }): Promise<void>;

Usage Examples:

// Get available authenticator providers
const providers = await kcAdminClient.authenticationManagement.getAuthenticatorProviders();
console.log("Available authenticators:", providers.map(p => p.displayName));

// Create OTP authenticator configuration
const otpConfig = await kcAdminClient.authenticationManagement.createAuthenticatorConfig({
  alias: "mobile-otp-config",
  config: {
    "otp.policy.type": "totp",
    "otp.policy.algorithm": "HmacSHA1",
    "otp.policy.initialCounter": "0",
    "otp.policy.digits": "6",
    "otp.policy.lookAheadWindow": "1",
    "otp.policy.period": "30",
  },
});

// Get all authenticator configurations
const configs = await kcAdminClient.authenticationManagement.getAuthenticatorConfigs();
console.log("Authenticator configs:", configs.map(c => c.alias));

// Update configuration
await kcAdminClient.authenticationManagement.updateAuthenticatorConfig(
  { configId: otpConfig.id! },
  {
    alias: "updated-mobile-otp-config",
    config: {
      "otp.policy.digits": "8", // Change to 8 digits
      "otp.policy.period": "60", // Change to 60 seconds
    },
  }
);

// Delete configuration
await kcAdminClient.authenticationManagement.deleteAuthenticatorConfig({
  configId: "config-to-delete",
});

Required Actions

Management of required actions that users must complete.

/**
 * Get all required actions in the realm
 * @returns Array of required action provider representations
 */
getRequiredActions(): Promise<RequiredActionProviderRepresentation[]>;

/**
 * Get specific required action
 * @param params - Required action alias
 * @returns Required action provider representation
 */
getRequiredAction(params: { alias: string }): Promise<RequiredActionProviderRepresentation>;

/**
 * Update required action configuration
 * @param params - Required action alias
 * @param requiredAction - Updated configuration
 */
updateRequiredAction(params: {
  alias: string;
}, requiredAction: RequiredActionProviderRepresentation): Promise<void>;

/**
 * Register new required action
 * @param requiredAction - Required action configuration
 */
registerRequiredAction(requiredAction: RequiredActionProviderRepresentation): Promise<void>;

/**
 * Delete required action
 * @param params - Required action alias
 */
unregisterRequiredAction(params: { alias: string }): Promise<void>;

Usage Examples:

// Get all required actions
const requiredActions = await kcAdminClient.authenticationManagement.getRequiredActions();
console.log("Required actions:", requiredActions.map(ra => ra.alias));

// Enable terms and conditions required action
await kcAdminClient.authenticationManagement.updateRequiredAction(
  { alias: "TERMS_AND_CONDITIONS" },
  {
    enabled: true,
    defaultAction: false,
    priority: 20,
    config: {
      "terms.text": "Please accept our terms and conditions to continue.",
    },
  }
);

// Configure password update action
await kcAdminClient.authenticationManagement.updateRequiredAction(
  { alias: "UPDATE_PASSWORD" },
  {
    enabled: true,
    defaultAction: false,
    priority: 30,
  }
);

// Register custom required action
await kcAdminClient.authenticationManagement.registerRequiredAction({
  alias: "custom-verification",
  name: "Custom Verification",
  providerId: "custom-verification-provider",
  enabled: true,
  defaultAction: false,
  priority: 40,
  config: {
    "verification.method": "email",
    "verification.timeout": "300",
  },
});

Types

/**
 * Authentication flow representation
 */
interface AuthenticationFlowRepresentation {
  /** Flow unique identifier */
  id?: string;
  /** Flow alias (unique name) */
  alias?: string;
  /** Flow description */
  description?: string;
  /** Provider ID for flow type */
  providerId?: string;
  /** Whether this is a top-level flow */
  topLevel?: boolean;
  /** Whether this is a built-in flow */
  builtIn?: boolean;
  /** Authentication executions in this flow */
  authenticationExecutions?: AuthenticationExecutionExportRepresentation[];
}

/**
 * Authentication execution representation
 */
interface AuthenticationExecutionRepresentation {
  /** Authenticator provider */
  provider?: string;
  /** Execution requirement */
  requirement?: "REQUIRED" | "ALTERNATIVE" | "DISABLED" | "CONDITIONAL";
  /** Priority order */
  priority?: number;
  /** Whether this is a user setup allowed */
  userSetupAllowed?: boolean;
  /** Whether authentication execution is configurable */
  configurable?: boolean;
  /** Parent flow ID */
  parentFlow?: string;
}

/**
 * Authentication execution info representation
 */
interface AuthenticationExecutionInfoRepresentation {
  /** Execution ID */
  id?: string;
  /** Execution requirement */
  requirement?: "REQUIRED" | "ALTERNATIVE" | "DISABLED" | "CONDITIONAL";
  /** Display name */
  displayName?: string;
  /** Alias */
  alias?: string;
  /** Description */
  description?: string;
  /** Required actions */
  requirementChoices?: string[];
  /** Whether configurable */
  configurable?: boolean;
  /** Provider ID */
  providerId?: string;
  /** Authentication config */
  authenticationConfig?: string;
  /** Flow ID */
  flowId?: string;
  /** Priority level */
  level?: number;
  /** Index */
  index?: number;
}

/**
 * Authenticator configuration representation
 */
interface AuthenticatorConfigRepresentation {
  /** Configuration ID */
  id?: string;
  /** Configuration alias */
  alias?: string;
  /** Configuration settings */
  config?: Record<string, string>;
}

/**
 * Authenticator config info representation
 */
interface AuthenticatorConfigInfoRepresentation {
  /** Provider name */
  name?: string;
  /** Display name */
  displayName?: string;
  /** Provider ID */
  providerId?: string;
  /** Description */
  description?: string;
  /** Help text */
  helpText?: string;
  /** Configuration properties */
  properties?: ConfigPropertyRepresentation[];
}

/**
 * Required action provider representation
 */
interface RequiredActionProviderRepresentation {
  /** Action alias */
  alias?: string;
  /** Action name */
  name?: string;
  /** Provider ID */
  providerId?: string;
  /** Whether enabled */
  enabled?: boolean;
  /** Whether default action */
  defaultAction?: boolean;
  /** Priority */
  priority?: number;
  /** Configuration */
  config?: Record<string, string>;
}

/**
 * Configuration property representation
 */
interface ConfigPropertyRepresentation {
  /** Property name */
  name?: string;
  /** Property label */
  label?: string;
  /** Help text */
  helpText?: string;
  /** Property type */
  type?: string;
  /** Default value */
  defaultValue?: any;
  /** Available options */
  options?: string[];
  /** Whether secret */
  secret?: boolean;
}

Authentication Flow Patterns

Common patterns for authentication flow configuration:

// Pattern 1: Custom MFA flow
await kcAdminClient.authenticationManagement.createFlow({
  alias: "mfa-flow",
  description: "Multi-factor authentication flow",
  providerId: "basic-flow",
  topLevel: true,
});

// Add username/password step
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "mfa-flow" },
  {
    provider: "auth-username-password-form",
    requirement: "REQUIRED",
  }
);

// Add OTP step
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "mfa-flow" },
  {
    provider: "auth-otp-form", 
    requirement: "REQUIRED",
  }
);

// Pattern 2: Social + Username/Password alternative
await kcAdminClient.authenticationManagement.createFlow({
  alias: "social-or-local",
  description: "Social login or local authentication",
  providerId: "basic-flow",
  topLevel: true,
});

// Create identity provider redirector subflow
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "social-or-local" },
  {
    provider: "identity-provider-redirector",
    requirement: "ALTERNATIVE",
  }
);

// Add username/password as alternative
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "social-or-local" },
  {
    provider: "auth-username-password-form",
    requirement: "ALTERNATIVE",
  }
);

// Pattern 3: Conditional OTP flow
await kcAdminClient.authenticationManagement.createFlow({
  alias: "conditional-otp",
  description: "OTP required based on conditions",
  providerId: "basic-flow",
  topLevel: true,
});

// Add conditional OTP execution
await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "conditional-otp" },
  {
    provider: "conditional-user-configured",
    requirement: "REQUIRED",
  }
);

await kcAdminClient.authenticationManagement.addExecution(
  { flowAlias: "conditional-otp" },
  {
    provider: "auth-otp-form",
    requirement: "REQUIRED",
  }
);

docs

attack-detection.md

authentication-management.md

cache-management.md

client-configuration.md

client-management.md

client-policies.md

client-scopes.md

components.md

group-management.md

identity-providers.md

index.md

organization-management.md

realm-management.md

role-management.md

server-info.md

user-management.md

user-storage-provider.md

utility-functions.md

whoami.md

tile.json