keycloak-hapi
v4.0.0
Published
Integration of Keycloak Authorization Server with HapiJS
Downloads
199
Readme
keycloak-hapi
This repository consist of a HapiJS auth plugin which delegates authorization concerns to the Keycloak server.
Features
This package:
Defines a
keycloak
Hapijs auth scheme so that it can be used as follows:server.auth.strategy('keycloak', 'keycloak'); server.auth.default('keycloak'); server.route({ method: ['GET'], path: '/restricted', handler(request, reply) { return `Hello, ${request.auth.credentials.name}!`; // this will return user's full name. }, options: { auth: { access: { scope: ['view-reports', 'manage-reports'] // Optionally, these are required Keycloak roles for this endpoint. } } } });
Exposes 3 endpoints intended to be used with frontend web apps:
- Login endpoint (
/sso/login
) which handles OAuth2.0's Authorization Code redirection flow. - Logout endpoint (
/sso/logout
) which handles sign out procedure. - Principal endpoint (
/api/principal
) which gives access to resource owner's data (such as its name, access token, ID token, change password URL, logout URL etc.)
- Login endpoint (
Install
$ npm install keycloak-hapi --save
Usage
const server = new Hapi.Server();
try {
/*
* The package uses yar for session management so this bit is required
* if you're writing a frontend web app (bearerOnly = false).
*/
await server.register({
plugin: require('@hapi/yar'),
options: {
storeBlank: false,
name: 'kc_session',
maxCookieSize: 0,
cookieOptions: {
password: 'the-password-must-be-at-least-32-characters-long',
isSecure: false // use true for production (https).
}
}
});
await server.register({
plugin: require('keycloak-hapi'),
options: {
serverUrl: 'http://localhost:8080/auth',
realm: 'master',
clientId: 'my-app',
clientSecret: '6a0dd495-09bc-4ed1-87a2-3367bb75b05d',
bearerOnly: false // set it to true if you're writing a resource server (REST API).
}
});
server.auth.strategy('keycloak', 'keycloak');
server.auth.default('keycloak');
} catch(err) {
console.error(err);
}
await server.start();
Configuration
The following plugin options
are available to be set:
Parameter | Description | Default
--- | --- | ---
serverUrl
| The base URL of the Keycloak server. All other Keycloak pages and REST service endpoints are derived from this. It is usually of the form https://host:port/auth. This is REQUIRED. |
realm
| Name of the realm. This is REQUIRED. |
clientId
| The client-id of the application. Each application has a client-id that is used to identify the application. This is REQUIRED. |
clientSecret
| The client secret of the application. Each application that uses OAuth's Authorization Code flow has one assigned. This is REQUIRED. |
bearerOnly
| A value indicating whether a bearer-only authorization should be performed. Set it to true
only if you're writing a backend (a REST API) | false
realmPublicKey
| PEM format of the realm public key. You can obtain this from the administration console. This is OPTIONAL and will be fetched directly from the server when not defined. | undefined
minTimeBetweenJwksRequests
| Amount of time, in seconds, specifying minimum interval between two requests to Keycloak to retrieve new public keys. | 10
loginUrl
| An URL of the endpoint responsible for obtaining OAuth2.0's Authorization Code grant. It is exposed only if bearerOnly
is set to false. | /sso/login
logoutUrl
| An URL the endpoint responsible for handling logout procedure. It is exposed only if bearerOnly
is set to false. | /sso/logout
apilogoutUrl
| An URL the endpoint responsible for handling logout procedure via a non-browser invocation (without redirects). | /api/logout
principalUrl
| An URL of the endpoint exposing resource owner's data (such as its name, ID token, access token etc.). Use null
in order not to expose this endpoint at all. | /api/principal
registerUrl
| An URL the endpoint responsible for handling registration. It is exposed only if bearerOnly
is set to false. | /sso/register
principalConversion
| A function which alters principal representation exposed by principalUrl
endpoint before it's sent in a response. Define this function if you don't want for example an access token to be exposed. | undefined
(no conversion)
principalNameAttribute
| An access/ID token attribute which will be used as the principal name (user name). It will fallback to sub token attribute in case the principalNameAttribute is not present. Possible values are sub, preferred_username, email, name. | name
corsOrigin
| CORS for the loginUrl
and logoutUrl
endpoints. In production, only Keycloak server's FQDN should be defined here. | ['*']
shouldRedirectUnauthenticated
| A function used for not authenticated users. It takes a request
as a parameter and should return: - false
- if the endpoint should reply with an HTTP 401 right away. - true
- if the user should be redirected to the Keycloak login page. By default, 401
will be returned when bearerOnly
is set to true
, route auth mode is set to optional
or try
, if we're accessing /api/*
route or request was AJAX (it contains header x-requested-with
set to XMLHttpRequest
). |
basePath
| A base path to use if app is running behind a reverse proxy. This path will be inserted in redirect URIs. It could be useful when proxy changes the base path. | undefined
baseUrl
| A base URL to use if app is running behind a reverse proxy where we can't rely on x-forwarded-host
and x-forwarded-proto
headers. When set, request headers and basePath
(if set) are ignored. Note that server.realm.modifiers.route.prefix
is appended to baseUrl
when base URL is calculated. This URL will be inserted in redirect URIs. | undefined
Examples
See https://github.com/novomatic-tech/keycloak-examples/tree/master/app-web-nodejs
Yar compatibility
This package requires the @hapi/yar library at least in version 10.1.1
.