chore(deps): Bump openid-client from 5.7.0 to 6.6.2 (#270)

* chore(release): 3.14.0 (#272)

* chore: release branch [ci skip]

* chore(release): 3.14.0

* chore(deps): Bump openid-client from 5.7.0 to 6.6.2

Bumps [openid-client](https://github.com/panva/openid-client) from 5.7.0 to 6.6.2.
- [Release notes](https://github.com/panva/openid-client/releases)
- [Changelog](https://github.com/panva/openid-client/blob/main/CHANGELOG.md)
- [Commits](panva/openid-client@v5.7.0...v6.6.2)

---
updated-dependencies:
- dependency-name: openid-client
  dependency-version: 6.6.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: update Keycloak connection to use new openid-client methods

* fix: update Keycloak connection to use new openid-client methods

* fix: correct issuer URL format in Keycloak token request

* fix: update Keycloak token request to use direct fetch instead of openid-client methods

* fix: package-lock

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Ani Argjiri <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: svcAPLBot <[email protected]>
Co-authored-by: Cas Lubbers <[email protected]>
Co-authored-by: ElderMatt <[email protected]>

Author: 5 people

package-lock.json

@@ -23,7 +23,7 @@
     "generate-password": "^1.7.1",
     "js-yaml": "4.1.0",
     "lodash": "4.17.21",
-    "openid-client": "5.7.0",
+    "openid-client": "6.6.2",
     "tsx": "^4.20.5"
   },
   "description": "Tasks needed by the APL Container Platform to glue all the pieces together.",

package.json

@@ -18,7 +18,7 @@ import {
   UsersApi,
 } from '@linode/keycloak-client-node'
 import { forEach, omit } from 'lodash'
-import { custom, Issuer, TokenSet } from 'openid-client'
+import { type TokenEndpointResponse } from 'openid-client'
 import { keycloakRealm } from '../../tasks/keycloak/config'
 import { extractError } from '../../tasks/keycloak/errors'
 import {
@@ -51,7 +51,7 @@ import {
 
 interface KeycloakConnection {
   basePath: string
-  token: TokenSet
+  token: TokenEndpointResponse
 }
 
 interface KeycloakApi {
@@ -335,20 +335,30 @@ async function keycloakConfigMapChanges(api: KeycloakApi) {
 
 async function createKeycloakConnection(): Promise<KeycloakConnection> {
   const basePath = env.KEYCLOAK_HOSTNAME_URL
-  let token: TokenSet
+  let token: TokenEndpointResponse
   try {
-    custom.setHttpOptionsDefaults({ headers: { host: env.KEYCLOAK_HOSTNAME_URL.replace('https://', '') } })
-    const keycloakIssuer = await Issuer.discover(`${basePath}/realms/${env.KEYCLOAK_REALM}/`)
-    const clientOptions: any = {
-      client_id: 'admin-cli',
-      client_secret: 'unused',
-    }
-    const openIdConnectClient = new keycloakIssuer.Client(clientOptions)
-    token = await openIdConnectClient.grant({
-      grant_type: 'password',
-      username: env.KEYCLOAK_ADMIN,
-      password: env.KEYCLOAK_ADMIN_PASSWORD,
+    // Use master realm for admin authentication
+    const tokenUrl = `${basePath}/realms/master/protocol/openid-connect/token`
+    
+    const response = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded',
+      },
+      body: new URLSearchParams({
+        grant_type: 'password',
+        client_id: 'admin-cli',
+        username: env.KEYCLOAK_ADMIN,
+        password: env.KEYCLOAK_ADMIN_PASSWORD,
+      }),
     })
+
+    if (!response.ok) {
+      throw new Error(`Token request failed: ${response.status} ${response.statusText}`)
+    }
+
+    token = await response.json() as TokenEndpointResponse
+    
     return { token, basePath } as KeycloakConnection
   } catch (error) {
     throw extractError('creating Keycloak connection', error)