@continuoussecuritytooling/keycloak-reporter

Keycloak Reporter

Keycloak user and client reporting tool for automated regular access checks.

Usage

npm i @continuoussecuritytooling/keycloak-reporter --location=global
kc-reporter help

For listing clients:

kc-reporter listClients <Keycloak_Root_URL> <Client_ID> <Client_Secret> --format=csv

The output looks for CSV, like that:

"client","id","description","realm","enabled","public","allowedOrigins"
"account","d192964b-189e-499b-ada4-b82b37b9cc50",,"master",true,false,"[]"
"account-console","f8ca4598-0335-445c-992e-fed749ff464a",,"master",true,true,"[]"
"admin-cli","615cbe43-0747-4273-8bc4-b7897a27ce39",,"master",true,true,"[]"
"broker","3e3a17c4-37d4-4a66-bb59-0ddd1b0fa4f6",,"master",true,false,"[]"
"keycloak-reporter","363bd6ed-e0fc-48f6-b896-27d9b16be42a","","master",true,false,"["""",""+""]"
"master-realm","5d822cd2-2583-4d45-ae33-c85ebd6099fa",,"master",true,false,"[]"
"nodejs-test-realm","6b6c26e7-175a-45df-a919-de51ca4f4523",,"master",true,false,"[]"
"security-admin-console","239fca1d-e027-4d3b-9814-3b517272cb80",,"master",true,true,"[""+""]"
"tokenRealmTest-realm","10f8398f-44a5-4f4b-9efb-6a0c4b79af66",,"master",true,false,"[]"
"account","bdf23b22-5abb-4823-aa76-9d21216d7143",,"nodejs-test",true,false,"[]"
"account-console","7eb727fb-18d2-482b-8e34-8982a4efffc3",,"nodejs-test",true,true,"[]"
"admin-cli","99aeb26e-222d-4195-a5e8-f2f94db12b83",,"nodejs-test",true,true,"[]"
"broker","6f3a7144-872e-415b-ab9a-d5a66a3f2951",,"nodejs-test",true,false,"[]"
"confidential-client","d0650a93-8fe2-4524-8020-4531b6276230",,"nodejs-test",true,false,"[""http://localhost/confidential-client""]"
"public-client","c2bd2473-f46c-4c51-af36-b40bef9bb644",,"nodejs-test",true,true,"[]"
"realm-management","49fd4151-3d49-4d10-968b-841123831399",,"nodejs-test",true,false,"[]"
"security-admin-console","ed86e5ed-ced1-435c-b62b-632fe545359c",,"nodejs-test",true,true,"[""+""]"
"account","0a57c891-1d38-4782-badf-a68140a8cf76",,"tokenRealmTest",true,true,"[]"
"account-console","977ac593-4fc7-4a69-94f4-d5e88cd563e9",,"tokenRealmTest",true,true,"[]"
"admin-cli","50ada8d5-bd5e-4182-b6c5-dd4ec5c280b6",,"tokenRealmTest",true,true,"[]"
"broker","91ea3c53-9583-40f6-b3ef-e7bfa28a8385",,"tokenRealmTest",true,false,"[]"
"customer-portal","491ff0ea-51e1-41df-8ee2-2865537da924",,"tokenRealmTest",true,false,"[]"
"realm-management","8dec327b-c120-436d-a27a-bed9494962cd",,"tokenRealmTest",true,false,"[]"
"security-admin-console","a136d00b-119b-4fda-a203-2b946add9b4b",,"tokenRealmTest",true,true,"[""+""]"

Valid commands are:

• listClients
• listUsers

Advanced

Helm

To install the Helm Chart use the OCI Package Registry:

helm install keycloak-reporter oci://ghcr.io/cloudtooling/helm-charts

NOTE Keep in mind, that you need a client/service account in keycloak with the appropriate rights. You can use this template to deploy with keycloak-config-cli a service account.

Config file

You can also provider a config file via env var CONFIG_FILE and then just provide the commands, e.g.:

CONFIG_FILE==$(pwd)/e2e/fixtures/config.json kc-reporter listClients

Post to Slack or Teams

When using this command:

kc-reporter listUsers <Keycloak_Root_URL> <Client_ID> <Client_Secret> --format=json --output=webhook --webhookType=slack --webhookUrl=$WEBHOOK_TESTING_SLACK

the following entry in slack will be created:

And for Teams:

kc-reporter listUsers <Keycloak_Root_URL> <Client_ID> <Client_Secret> --format=json --output=webhook --webhookType=teams --webhookUrl=$WEBHOOK_TESTING_TEAMS

the following entry in slack will be created:

Changelog

0.8.8 (2024-02-05)

Bug Fixes

• deps: update dependency @keycloak/keycloak-admin-client to v23.0.5 (d85eb6a)
• deps: update dependency @keycloak/keycloak-admin-client to v23.0.6 (23b1248)
• deps: update dependency npm to v10.4.0 (1b6058d)
• Helm: Correcting mapping issues for labels (0fe2873)
• Helm: Correcting resource limits (1cb51b9)
• Security: Correcting chart security findings (3a4bc67)

Features

• Chart: Allowing labels and annotations to be added (f0f350b)