From 375957b67523d71affbce45f052073140ff98a6d Mon Sep 17 00:00:00 2001 From: Ingo Strauch Date: Wed, 18 Sep 2024 14:51:54 +0200 Subject: [PATCH 1/5] Update to most current minor version of keycloak --- build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle.kts b/build.gradle.kts index 734cedd07..94d6bd78a 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -69,7 +69,7 @@ repositories { } tasks { - val keycloakVersion = "25.0.0" + val keycloakVersion = "25.0.5" named("build") { dependsOn("buildDocker", ":docsbuild:buildDocs") From ca02b29a876c1a7a74f106b8fc22f3bb6f5f06d2 Mon Sep 17 00:00:00 2001 From: Ingo Strauch Date: Wed, 18 Sep 2024 14:53:31 +0200 Subject: [PATCH 2/5] Add possibility to update clientAuthenticatorType --- .../changeControl/actions/client/UpdateClientAction.kt | 3 ++- .../43_update_client_clientauthenticatortype.yml | 10 ++++++++++ src/test/resources/keycloak-changelog.yml | 1 + 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 src/test/resources/changesets/43_update_client_clientauthenticatortype.yml diff --git a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt index 1672bc2e0..2176f58f2 100644 --- a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt +++ b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt @@ -15,6 +15,7 @@ class UpdateClientAction( private val surrogateAuthRequired: Boolean? = null, private val enabled: Boolean? = null, private val alwaysDisplayInConsole: Boolean? = null, + private val clientAuthenticatorType: String? = null, private val attributes: Map? = null, private val protocol: String? = null, private val redirectUris: List? = null, 
@@ -45,7 +46,7 @@ class UpdateClientAction( surrogateAuthRequired ?: oldClient.surrogateAuthRequired, enabled ?: oldClient.enabled, alwaysDisplayInConsole ?: oldClient.alwaysDisplayInConsole, - oldClient.clientAuthenticatorType, + clientAuthenticatorType ?: oldClient.clientAuthenticatorType, redirectUris ?: oldClient.redirectUris, webOrigins ?: oldClient.webOrigins, notBefore ?: oldClient.notBefore, diff --git a/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml b/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml new file mode 100644 index 000000000..f3b17ae2e --- /dev/null +++ b/src/test/resources/changesets/43_update_client_clientauthenticatortype.yml @@ -0,0 +1,10 @@ +id: update_client_clientauthenticatortype +author: klg71 +realm: integ-test +changes: + - addSimpleClient: + clientId: testClientJwtAuth + - updateClient: + clientId: testClientJwtAuth + publicClient: false + clientAuthenticatorType: client-jwt diff --git a/src/test/resources/keycloak-changelog.yml b/src/test/resources/keycloak-changelog.yml index ca2802eba..5bc34f379 100644 --- a/src/test/resources/keycloak-changelog.yml +++ b/src/test/resources/keycloak-changelog.yml @@ -38,3 +38,4 @@ includes: - path: changesets/40_add_identity_provider_mappers.yml - path: changesets/41_delete_identity_provider_mappers.yml - path: changesets/42_register_required_action.yml +- path: changesets/43_update_client_clientauthenticatortype.yml From e8d9380aed93f5a438c22cb60a2fd2454f06730f Mon Sep 17 00:00:00 2001 From: Ingo Strauch Date: Thu, 19 Sep 2024 10:50:24 +0200 Subject: [PATCH 3/5] Add new action to doc --- docsbuild/content/migrations/client.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docsbuild/content/migrations/client.md b/docsbuild/content/migrations/client.md index 5bdc04215..c0d1546d0 100644 --- a/docsbuild/content/migrations/client.md +++ b/docsbuild/content/migrations/client.md 
@@ -73,6 +73,7 @@ Update a client - surrogateAuthRequired: Boolean, optional, default=no change - enabled: Boolean, optional, default=no change - alwaysDisplayInConsole: Boolean, optional, default=no change +- clientAuthenticatorType: String, optional, default=no change - attributes: Map, optional, default=no change - protocol: String, optional, default=no change - redirectUris: List< String>, optional, default=no change From db6891825c55fdfaa40a35fe738bcbc30f650da8 Mon Sep 17 00:00:00 2001 From: Ingo Strauch Date: Thu, 19 Sep 2024 13:07:52 +0200 Subject: [PATCH 4/5] Explicitly set management port Default management port is 9000 and when that is already in use, the keycloak log just contains "Address already in use: bind". One could easily confuse that with a conflict of the http port. If both are set explicitly it's clearer that two ports can cause the conflict. --- build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle.kts b/build.gradle.kts index 94d6bd78a..a0169178f 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -154,7 +154,7 @@ tasks { register("execWindowsKeycloak") { doLast { ProcessBuilder( - "cmd", "/c", "kc.bat", "start-dev", "--http-port=18080", "--hostname-strict=false","--http-relative-path=/auth","--log-level=info", ">", + "cmd", "/c", "kc.bat", "start-dev", "--http-port=18080", "--http-management-port=18081", "--hostname-strict=false","--http-relative-path=/auth","--log-level=info", ">", "output.txt" ).run { directory(File("keycloak/keycloak-$keycloakVersion/bin")) From 83295933c0af4c9530221a6b1e0bb344e54a5774 Mon Sep 17 00:00:00 2001 From: Ingo Strauch Date: Thu, 19 Sep 2024 13:09:59 +0200 Subject: [PATCH 5/5] Add check that clientAuthenticatorType has a valid value --- .../actions/client/UpdateClientAction.kt | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
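Review bot: The new `--http-management-port=18081` flag is added only to the Windows launcher here; the task name `execWindowsKeycloak` suggests a non-Windows counterpart exists outside this hunk, and if so it should receive the same flag, otherwise the bind-conflict diagnosis described in the commit message stays ambiguous on the other platform. The reason for pinning the port lives only in the commit message, so a one-line comment above the `ProcessBuilder(` call would keep it in the build script, e.g. `// Management port defaults to 9000; set it explicitly so "Address already in use" can be attributed to the right port.` The `register("execWindowsKeycloak")` body continues outside the hunk.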
diff --git a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt index 2176f58f2..2a3ef0add 100644 --- a/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt +++ b/src/main/kotlin/de/klg71/keycloakmigration/changeControl/actions/client/UpdateClientAction.kt @@ -35,6 +35,13 @@ class UpdateClientAction( private val fullScopeAllowed: Boolean? = null, private val nodeReRegistrationTimeout: Int ?= null) : Action(realm) { + companion object { + @JvmStatic + val supportedClientAuthenticatorTypes = listOf( + "client-jwt", "client-secret", "client-secret-jwt", "client-x509" + ) + } + private lateinit var oldClient: Client @Suppress("ComplexMethod") @@ -74,6 +81,13 @@ class UpdateClientAction( ) override fun execute() { + if (clientAuthenticatorType != null && clientAuthenticatorType !in supportedClientAuthenticatorTypes) { + throw MigrationException( + "Client authenticator type '$clientAuthenticatorType' is not supported. " + + "Use one of: ${supportedClientAuthenticatorTypes.joinToString(", ")}" + ) + } + if (!client.existsClient(clientId, realm())) { throw MigrationException("Client with id: $clientId does not exist in realm: $realm!") }
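Review bot: `supportedClientAuthenticatorTypes` hard-codes four built-in Keycloak authenticator provider ids, so a migration that targets a custom `ClientAuthenticator` SPI provider will presumably be rejected by `UpdateClientAction` even though Keycloak itself would accept the id; that trade-off deserves a KDoc on the property, e.g. `/** Built-in Keycloak client authenticator provider ids; custom SPI provider ids are rejected. */`, and the accepted values should also be listed next to `clientAuthenticatorType` in `docsbuild/content/migrations/client.md`, which currently says only `String, optional, default=no change`. Since the collection is used purely for `in` membership checks, `setOf(...)` states that intent better than `listOf(...)`, and Kotlin convention places the `companion object` last in the class body rather than ahead of `oldClient`. The only changeset added for this feature, `43_update_client_clientauthenticatortype.yml`, exercises a valid value (`client-jwt`), so the new rejection path has no test; a changeset with an unsupported value that is expected to fail with `MigrationException` would cover it. The class body continues outside the hunk.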