# Configuration automatique du client mobile Keycloak pour UnionFlow # Version simplifiée pour Windows PowerShell $KeycloakUrl = "http://localhost:8180" $Realm = "unionflow" $AdminUser = "admin" $AdminPassword = "admin" $ClientId = "unionflow-mobile" Write-Host "🔧 Configuration automatique du client mobile Keycloak..." -ForegroundColor Cyan Write-Host "📍 Keycloak URL: $KeycloakUrl" -ForegroundColor Gray Write-Host "🏛️ Realm: $Realm" -ForegroundColor Gray Write-Host "📱 Client ID: $ClientId" -ForegroundColor Gray Write-Host "" # Obtenir le token d'administration Write-Host "🔑 Obtention du token d'administration..." -ForegroundColor Yellow $tokenBody = @{ username = $AdminUser password = $AdminPassword grant_type = "password" client_id = "admin-cli" } try { $tokenResponse = Invoke-RestMethod -Uri "$KeycloakUrl/realms/master/protocol/openid-connect/token" -Method Post -Body $tokenBody -ContentType "application/x-www-form-urlencoded" $adminToken = $tokenResponse.access_token Write-Host "✅ Token d'administration obtenu" -ForegroundColor Green } catch { Write-Host "❌ Erreur: Impossible d'obtenir le token d'administration" -ForegroundColor Red Write-Host "Vérifiez les credentials Keycloak ($AdminUser/$AdminPassword)" -ForegroundColor Red Write-Host "Erreur: $($_.Exception.Message)" -ForegroundColor Red exit 1 } # Vérifier si le client existe déjà Write-Host "🔍 Vérification de l'existence du client $ClientId..." -ForegroundColor Yellow $headers = @{ Authorization = "Bearer $adminToken" } try { $clients = Invoke-RestMethod -Uri "$KeycloakUrl/admin/realms/$Realm/clients" -Method Get -Headers $headers $existingClient = $clients | Where-Object { $_.clientId -eq $ClientId } if ($existingClient) { Write-Host "⚠️ Client $ClientId existe déjà (ID: $($existingClient.id))" -ForegroundColor Yellow $clientUuid = $existingClient.id } else { Write-Host "ℹ️ Client $ClientId n'existe pas, création nécessaire" -ForegroundColor Blue # Créer le client mobile Write-Host "📱 Création du client mobile $ClientId..." -ForegroundColor Yellow $clientConfig = @{ clientId = $ClientId name = "UnionFlow Mobile App" description = "Application mobile UnionFlow avec authentification OIDC" enabled = $true clientAuthenticatorType = "client-secret" publicClient = $true standardFlowEnabled = $true implicitFlowEnabled = $false directAccessGrantsEnabled = $false serviceAccountsEnabled = $false authorizationServicesEnabled = $false rootUrl = "com.unionflow.mobile://" baseUrl = "com.unionflow.mobile://home" redirectUris = @( "com.unionflow.mobile://login-callback", "com.unionflow.mobile://login-callback/*" ) postLogoutRedirectUris = @( "com.unionflow.mobile://logout-callback", "com.unionflow.mobile://logout-callback/*" ) webOrigins = @("+") attributes = @{ "pkce.code.challenge.method" = "S256" "access.token.lifespan" = "900" "client.session.idle.timeout" = "1800" "client.session.max.lifespan" = "43200" } defaultClientScopes = @("openid", "profile", "email", "roles") optionalClientScopes = @() } $jsonHeaders = @{ Authorization = "Bearer $adminToken" "Content-Type" = "application/json" } $jsonBody = $clientConfig | ConvertTo-Json -Depth 10 try { Invoke-RestMethod -Uri "$KeycloakUrl/admin/realms/$Realm/clients" -Method Post -Headers $jsonHeaders -Body $jsonBody Write-Host "✅ Client mobile créé avec succès" -ForegroundColor Green # Récupérer l'ID du client créé Start-Sleep -Seconds 2 $clients = Invoke-RestMethod -Uri "$KeycloakUrl/admin/realms/$Realm/clients" -Method Get -Headers $headers $newClient = $clients | Where-Object { $_.clientId -eq $ClientId } if ($newClient) { $clientUuid = $newClient.id Write-Host "📋 Client UUID: $clientUuid" -ForegroundColor Gray } else { Write-Host "⚠️ Client créé mais UUID non trouvé" -ForegroundColor Yellow exit 1 } } catch { Write-Host "❌ Erreur lors de la création du client: $($_.Exception.Message)" -ForegroundColor Red exit 1 } } } catch { Write-Host "❌ Erreur lors de la vérification du client: $($_.Exception.Message)" -ForegroundColor Red exit 1 } # Configurer les mappers de rôles Write-Host "🎭 Configuration des mappers de rôles..." -ForegroundColor Yellow $mapperHeaders = @{ Authorization = "Bearer $adminToken" "Content-Type" = "application/json" } # Mapper pour l'audience $audienceMapper = @{ name = "audience-mapper" protocol = "openid-connect" protocolMapper = "oidc-audience-mapper" config = @{ "included.client.audience" = "unionflow-server" "access.token.claim" = "true" } } # Mapper pour les rôles client $rolesMapper = @{ name = "client-roles-mapper" protocol = "openid-connect" protocolMapper = "oidc-usermodel-client-role-mapper" config = @{ "client.id" = "unionflow-server" "claim.name" = "resource_access.unionflow-server.roles" "access.token.claim" = "true" "id.token.claim" = "false" "userinfo.token.claim" = "false" "multivalued" = "true" } } try { # Ajouter le mapper d'audience $audienceJson = $audienceMapper | ConvertTo-Json -Depth 10 Invoke-RestMethod -Uri "$KeycloakUrl/admin/realms/$Realm/clients/$clientUuid/protocol-mappers/models" -Method Post -Headers $mapperHeaders -Body $audienceJson # Ajouter le mapper de rôles $rolesJson = $rolesMapper | ConvertTo-Json -Depth 10 Invoke-RestMethod -Uri "$KeycloakUrl/admin/realms/$Realm/clients/$clientUuid/protocol-mappers/models" -Method Post -Headers $mapperHeaders -Body $rolesJson Write-Host "✅ Mappers de rôles configurés" -ForegroundColor Green } catch { Write-Host "⚠️ Erreur lors de la configuration des mappers (peuvent déjà exister): $($_.Exception.Message)" -ForegroundColor Yellow } # Tester la configuration Write-Host "🧪 Test de la configuration..." -ForegroundColor Yellow $authUrl = "$KeycloakUrl/realms/$Realm/protocol/openid-connect/auth" $tokenUrl = "$KeycloakUrl/realms/$Realm/protocol/openid-connect/token" Write-Host "📍 URL d'autorisation: $authUrl" -ForegroundColor Gray Write-Host "📍 URL de token: $tokenUrl" -ForegroundColor Gray try { $testUrl = $authUrl + "?client_id=" + $ClientId + "&response_type=code&redirect_uri=com.unionflow.mobile://login-callback" $response = Invoke-WebRequest -Uri $testUrl -Method Get -UseBasicParsing if ($response.StatusCode -eq 200 -or $response.StatusCode -eq 302) { Write-Host "✅ Endpoint d'autorisation accessible" -ForegroundColor Green } else { Write-Host "⚠️ Endpoint d'autorisation: HTTP $($response.StatusCode)" -ForegroundColor Yellow } } catch { Write-Host "⚠️ Test d'endpoint (normal si pas de session): $($_.Exception.Message)" -ForegroundColor Yellow } Write-Host "✅ Configuration testée" -ForegroundColor Green Write-Host "" Write-Host "🎉 Configuration terminée avec succès !" -ForegroundColor Green Write-Host "" Write-Host "📋 Résumé de la configuration:" -ForegroundColor Cyan Write-Host " • Client ID: $ClientId" -ForegroundColor Gray Write-Host " • Client UUID: $clientUuid" -ForegroundColor Gray Write-Host " • Type: Public (PKCE activé)" -ForegroundColor Gray Write-Host " • Redirect URI: com.unionflow.mobile://login-callback" -ForegroundColor Gray Write-Host " • Logout URI: com.unionflow.mobile://logout-callback" -ForegroundColor Gray Write-Host "" Write-Host "🔗 URLs importantes:" -ForegroundColor Cyan Write-Host " • Authorization: $authUrl" -ForegroundColor Gray Write-Host " • Token: $tokenUrl" -ForegroundColor Gray Write-Host " • Logout: $KeycloakUrl/realms/$Realm/protocol/openid-connect/logout" -ForegroundColor Gray Write-Host "" Write-Host "✅ L'application mobile peut maintenant s'authentifier avec Keycloak !" -ForegroundColor Green