hgranlund / passport-keycloak-bearer Goto Github PK

Hi,

I'm not too familiar with keycloak and passport, but I'm trying to get a basic example up and running and I can't seem to get authenticated.

Here is my simple index.js file :

const express = require('express');
const app = express();
const passport = require('passport');
const KeycloakBearerStrategy = require('passport-keycloak-bearer');

app.use(passport.initialize());
app.use(passport.session());

passport.use(new KeycloakBearerStrategy({
  realm: "master",
  url: "http://myKeycloakServer.com:4008/auth",
  loggingLevel: "debug"
}, (jwtPayload, done) => {
  // const user = doSomethingWithUser(jwtPayload);
  console.log('jwtPayload: \n',jwtPayload);
  return done(null, jwtPayload);
}));

app.get('/', (req, res) => {
  res.send("Server is up!");
});

app.get('/kc-test', passport.authenticate('keycloak', { session: false }), (req, res) => {
  res.send('success');
} )

app.listen(3000);

My client config is here

I'm trying to access my api using the bearer token I get from this curl request

curl -X POST 'http://myKeycloakServer.com:4008/auth/realms/master/protocol/openid-connect/token'
--header 'Content-Type: application/x-www-form-urlencoded'
--data-urlencode 'grant_type=password'
--data-urlencode 'client_id=mytestclient'
--data-urlencode 'client_secret=mytestclientssecret'
--data-urlencode 'username=mytestuser'
--data-urlencode 'password=mytestpassword'

I get this 401 unauthorized when making a simple get request to my api's /kc-test route.

My console for my API spits this out :

16:28:34.961 DEBUG KeycloakBearerStrategy - Strategy created
16:28:38.568 DEBUG KeycloakBearerStrategy - Got token with kid: 7DZcDdPpmQINrfvwVp-spJHxle8548ppRMWDeqJjWs8

My Keycloak Admin Console events shows this :

What am I doing wrong? I'm able to successfully retrieve a token, but using it still results in 401 unauthorized. I would really appreciate your help :)

Hey folks!

Currently we've manually wired our service up to keycloak, because we need to do some bookkeeping work after a user is redirected. The flow goes something like this:

• User registers, redirect_uri contains a state query param
• After creating a password through Keycloak, they log in and are redirected to above uri
• We decode the state query param, and use it to do some bookkeeping (i.e., call some endpoints, send some welcome emails)

Best I can tell this is not that uncommon of a workflow for this kind of authentication. What we'd need to get rid of our custom work, and be most useful for others I think, would be to give access to the request object in the callback.

I'd be willing to implement this, would you be open to a MR with this feature?

Thanks ❤️

Hi! I've been downloaded your library since i'm implementing it with a NestJS application.
Actually i'm implementing it as passport strategy inside my application but i don't know why when i try to use the ES6 library import style i got an undefined instead the Strategy class.

import KeycloakBearerStrategy from "passport-keycloak-bearer";

console.log(KeycloakBearerStrategy);

11:19:00 PM - Found 0 errors. Watching for file changes.
undefined <--- KeycloakBearerStrategy

i've installed it and double checked since it's in my node_modules (i've also tried to import it from the node_modules manually and still doesn't work any tips?

I've double checked it and it seems that the ES6 module import style doesn't work (import {} from "") with the require function it worked. Any idea why?

Hi,
Do you have the keycloak configuration needed to use with ?
Any pictures could be great
Thanks

Hi, I'm doing a simple case where I want to secure my API with a bearer token using Keycloak, but I want to secure a particular client and I don't see anything related to the client in the configuration. Is my usecase possible with this library?

Hi there. I have a similar set up than the example and the closed issues. My Keycloak serveer is working and the strategy is getting created. But when I try to authenticate, nothingg happens, the access is denied and no debug messages are printed.

Wrong: this.signed = ${headerPart}.${contentPat}

Correct: this.signed = ${headerPart}.${contentPart}

Do you have a basic example of this working? I'm trying to use this strategy with Hasura like this https://github.com/hasura/graphql-engine/blob/master/community/boilerplates/auth-servers/passportjs-jwt-roles/config/passport.js