From 8262084cbf4cb53adeb8e90186568015687b44df Mon Sep 17 00:00:00 2001 From: ElderMatt Date: Mon, 10 Jul 2023 12:07:04 +0200 Subject: [PATCH] feat: changed ttl for keycloak access token (#81) * feat: changed ttl for keycloak access token * feat: added ttl to env and update readme --- README.md | 11 +++++++++++ src/tasks/keycloak/keycloak.ts | 6 ++++++ src/validators.ts | 4 ++++ 3 files changed, 21 insertions(+) diff --git a/README.md b/README.md index 1c64cbb6..97591103 100644 --- a/README.md +++ b/README.md @@ -11,7 +11,18 @@ This readme is aimed at development. If you wish to contribute please read our D ## Development Make sure your expected environment variables exist in a mandatory `.env` file (see `.env.sample`). +# +**Important** +When using `npm i` and you get the errors `Unauthorized` and `Permission denied` on the installation regarding getting packages from redkubes +> Example: `npm ERR! 403 403 Forbidden - GET https://npm.pkg.github.com/redkubes/@redkubes%2fgitea-client-node - Permission denied` +This can be fixed by adding the following line to the `.npmrc` file. +`//npm.pkg.github.com/:_authToken=PERSONAL_ACCESS_TOKEN_HERE` + +To create a personal access token, go to GitHub -> settings -> developer settings -> personal access token -> give read permission on packages and create the token + +**Remember not to push this token** +# Then start a proxy to the api you wish to target: - drone: `k -n team-admin port-forward svc/drone 8081:80 &` diff --git a/src/tasks/keycloak/keycloak.ts b/src/tasks/keycloak/keycloak.ts index f48ec84e..bf1cf4b6 100644 --- a/src/tasks/keycloak/keycloak.ts +++ b/src/tasks/keycloak/keycloak.ts @@ -32,6 +32,7 @@ import { KEYCLOAK_ADMIN, KEYCLOAK_ADMIN_PASSWORD, KEYCLOAK_REALM, + KEYCLOAK_TOKEN_TTL, } from '../../validators' import { keycloakRealm } from './config' import { @@ -55,6 +56,7 @@ const env = cleanEnv({ KEYCLOAK_ADDRESS, KEYCLOAK_ADDRESS_INTERNAL, KEYCLOAK_REALM, + KEYCLOAK_TOKEN_TTL, FEAT_EXTERNAL_IDP, }) 
@@ -102,6 +104,10 @@ async function main(): Promise { // Create realm 'otomi' const realmConf = createRealm(keycloakRealm) + realmConf.ssoSessionIdleTimeout = env.KEYCLOAK_TOKEN_TTL + realmConf.ssoSessionMaxLifespan = env.KEYCLOAK_TOKEN_TTL + realmConf.accessTokenLifespan = env.KEYCLOAK_TOKEN_TTL + realmConf.accessTokenLifespanForImplicitFlow = env.KEYCLOAK_TOKEN_TTL // the api does not offer a list method, and trying to get by id throws an error // which we wan to discard, so we run the next command with an empty errors array const existingRealm = (await doApiCall([], `Getting realm ${keycloakRealm}`, () => diff --git a/src/validators.ts b/src/validators.ts index 172177ad..85d8f342 100644 --- a/src/validators.ts +++ b/src/validators.ts @@ -55,6 +55,10 @@ export const KEYCLOAK_CLIENT_ID = str({ desc: 'Default Keycloak Client', default export const KEYCLOAK_CLIENT_SECRET = str({ desc: 'The keycloak client secret' }) export const KEYCLOAK_REALM = str({ desc: 'The Keycloak Realm', default: 'master' }) export const KEYCLOAK_THEME_LOGIN = str({ desc: 'The Keycloak login theme', default: 'default' }) +export const KEYCLOAK_TOKEN_TTL = num({ + desc: 'The Keycloak access token TTL in seconds, 28800 seconds = 8 hours', + default: 28800, +}) export const NODE_EXTRA_CA_CERTS = str({ default: undefined }) export const NODE_TLS_REJECT_UNAUTHORIZED = bool({ default: true }) export const OIDC_CLIENT_SECRET = str({ desc: 'The OIDC client secret used by keycloak to access the IDP' })
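Review bot: The four assignments added after `createRealm(keycloakRealm)` write the same `env.KEYCLOAK_TOKEN_TTL` into `accessTokenLifespan`, `accessTokenLifespanForImplicitFlow`, `ssoSessionIdleTimeout` and `ssoSessionMaxLifespan`, so with the 28800-second default from validators.ts an access token stays valid for 8 hours. Access tokens are bearer credentials that resource servers verify offline, so a leaked token, or the token of a user whose session was ended, remains usable until that lifespan runs out; the usual split is a long SSO session idle/max timeout with a short access-token lifespan that refresh keeps renewing. If an 8-hour login is the requirement, consider driving the two session timeouts and the two access-token lifespans from separate settings rather than one value, or at least add a comment above these lines recording that the long access-token lifetime is a deliberate trade-off and why. `main()` starts and ends outside this hunk.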
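Review bot: The `desc` on the new `KEYCLOAK_TOKEN_TTL` describes it as the access-token TTL, but keycloak.ts in this same commit also assigns it to `ssoSessionIdleTimeout` and `ssoSessionMaxLifespan`, so an operator tuning it for tokens will also change session lifetime without being told. Suggest `desc: 'Seconds applied to the Keycloak access token lifespan and to the SSO session idle/max timeouts; 28800 = 8 hours'`. `num()` also accepts 0 or a negative value, which would be passed through to the realm unchanged; if only positive values are meaningful, a custom validator (envalid's `makeValidator`) that rejects values below 1 would surface a bad `.env` before the realm is updated.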