With Keycloak, an access token can be validated in two ways: offline (verifying the JWT signature locally) or online (asking the server). This Passport strategy performs the online variant: it sends the access token to Keycloak's token introspection endpoint and uses the response to decide whether the request is authenticated.
```sh
npm install passport-keycloak-jwt-introspect
```
```js
import passport from "passport";
import keycloak from "passport-keycloak-jwt-introspect";

const KeycloakJwtIntrospectStrategy = keycloak.Strategy;

passport.use(
  new KeycloakJwtIntrospectStrategy(
    {
      clientId: KEYCLOAK_CLIENT_ID,
      clientSecret: KEYCLOAK_CLIENT_SECRET,
      introspectUrl: KEYCLOAK_INTROSPECT_URL,
      passReqToCallback: true,
    },
    function (req, keycloakData, done) {
      // keycloakData is the parsed introspection response from Keycloak.
      // You should always check that the token is active!
      if (!keycloakData.active) return done(null, false);
      // You can use all info in keycloakData to make your validations and create your user
      return done(null, keycloakData);
    },
  ),
);
```
Example value for `KEYCLOAK_INTROSPECT_URL`:

```
http://localhost:8080/realms/YOUR_REALM/protocol/openid-connect/token/introspect
```
Check out Keycloak Data Example JSON file to learn about all available attributes in the object.
Since this is a Bearer-like strategy, you don't need sessions: the token is introspected on every request. A small middleware function can wrap the strategy so every request is validated:
```ts
import passport from "passport";
import type { NextFunction, Request, Response } from "express";

// Runs the strategy without creating a session; a failed introspection ends the request with 401.
export const checkAuth = (req: Request, res: Response, next: NextFunction) => {
  passport.authenticate("keycloak-jwt-introspect", { session: false })(
    req,
    res,
    next,
  );
};
```
Then, we can use it wherever we need to. For example, as a global middleware for our app:
```ts
app.use(checkAuth);
```
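To make the online validation concrete, here is an added, self-contained example (not the package's own code) of what happens behind the strategy and the `checkAuth` middleware: the bearer token is extracted from the `Authorization` header, posted to the introspection endpoint with the client credentials (RFC 7662), and the response is checked for `active` plus the expiry, audience and scope claims a verify callback should not skip. The `fetch` implementation is injected so the code can run offline against a constructed stub standing in for Keycloak; the sample introspection response, the token values and the configuration are all constructed for this example, and the `makeStubFetch` / `authenticateRequest` names are hypothetical.

```javascript
// Added example, not part of passport-keycloak-jwt-introspect.
// Pulls the token out of "Authorization: Bearer <token>" (RFC 6750 token charset).
function extractBearer(authorizationHeader) {
  if (typeof authorizationHeader !== "string") return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/.exec(authorizationHeader.trim());
  return m ? m[1] : null;
}

// Online validation: POST the token to the introspection endpoint, authenticating the
// API as a confidential client with HTTP Basic (client_id:client_secret). fetchImpl is
// injected so tests can substitute a stub for the real Keycloak server.
async function introspectToken(token, cfg, fetchImpl = globalThis.fetch) {
  const basic = Buffer.from(`${cfg.clientId}:${cfg.clientSecret}`).toString("base64");
  const body = new URLSearchParams({ token, token_type_hint: "access_token" });
  const res = await fetchImpl(cfg.introspectUrl, {
    method: "POST",
    headers: {
      Authorization: `Basic ${basic}`,
      "Content-Type": "application/x-www-form-urlencoded",
      Accept: "application/json",
    },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`introspection endpoint returned HTTP ${res.status}`);
  return res.json();
}

// The checks a verify callback should apply to the introspection response.
// "active" alone says the server knows the token; audience and scope say it was
// issued for this API and for the operation being attempted.
function validateIntrospection(data, opts = {}) {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  if (!data || data.active !== true) return { ok: false, reason: "inactive" };
  if (typeof data.exp === "number" && data.exp <= now) return { ok: false, reason: "expired" };
  if (typeof data.nbf === "number" && data.nbf > now) return { ok: false, reason: "not-yet-valid" };
  if (opts.audience) {
    const aud = Array.isArray(data.aud) ? data.aud : data.aud ? [data.aud] : [];
    if (!aud.includes(opts.audience)) return { ok: false, reason: "audience" };
  }
  if (opts.requiredScopes && opts.requiredScopes.length) {
    const have = new Set(String(data.scope ?? "").split(/\s+/).filter(Boolean));
    const missing = opts.requiredScopes.filter((s) => !have.has(s));
    if (missing.length) return { ok: false, reason: `missing scope: ${missing.join(" ")}` };
  }
  return { ok: true, user: { id: data.sub, username: data.username, scope: data.scope } };
}

// Ties the pieces together the way the checkAuth middleware does: returns the user on
// success, otherwise the HTTP status to answer with. Inactive and invalid tokens both
// get 401 so the caller learns nothing about which check failed.
async function authenticateRequest(req, cfg, opts, fetchImpl) {
  const token = extractBearer(req.headers && req.headers.authorization);
  if (!token) return { status: 401, reason: "missing bearer token" };
  const data = await introspectToken(token, cfg, fetchImpl);
  const result = validateIntrospection(data, opts);
  return result.ok ? { status: 200, user: result.user } : { status: 401, reason: result.reason };
}

// Constructed stand-in for Keycloak (hypothetical helper): answers with a canned response
// for one known token and, as RFC 7662 requires for unknown tokens, {active:false} for others.
function makeStubFetch(knownToken, activeResponse) {
  return async (url, init) => {
    const params = new URLSearchParams(init.body);
    const auth = (init.headers && init.headers.Authorization) || "";
    const data =
      params.get("token") === knownToken && auth.startsWith("Basic ") ? activeResponse : { active: false };
    return { ok: true, status: 200, json: async () => data };
  };
}

// Constructed sample, shaped like a Keycloak introspection reply (values are made up).
const SAMPLE_ACTIVE = {
  active: true,
  exp: 1900000000,
  iat: 1899999000,
  sub: "3f1c2a9e-0000-4000-8000-000000000000",
  username: "alice",
  aud: ["my-api", "account"],
  scope: "openid profile email",
  client_id: "my-spa",
  token_type: "Bearer",
};

const SAMPLE_CFG = {
  clientId: "my-api",
  clientSecret: "example-secret",
  introspectUrl: "http://localhost:8080/realms/demo/protocol/openid-connect/token/introspect",
};

// Stand-alone demo: one good request, one with a token Keycloak does not know.
const stubFetch = makeStubFetch("tok-good", SAMPLE_ACTIVE);
const checks = { audience: "my-api", requiredScopes: ["openid"], now: 1800000000 };
Promise.all([
  authenticateRequest({ headers: { authorization: "Bearer tok-good" } }, SAMPLE_CFG, checks, stubFetch),
  authenticateRequest({ headers: { authorization: "Bearer tok-revoked" } }, SAMPLE_CFG, checks, stubFetch),
]).then((results) => console.log(JSON.stringify(results, null, 2)));
```

Two points in the design are worth noting. Introspection is a network round trip per request, so the middleware adds latency and a dependency on Keycloak being reachable; the upside is that revoked sessions and logged-out users are rejected immediately, which offline JWT verification cannot do until the token expires. And the client credentials used for the Basic header must belong to a confidential client that is allowed to introspect; treat `clientSecret` like any other secret and load it from the environment rather than source.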
Example usage cases and configuration are coming soon. Any help is appreciated, so feel free to contribute!
- Improve documentation
- Add more unit tests, especially to check different responses from Keycloak
- Create usage examples
- Add repository badges
As I said, any help is appreciated. You can report any issue on the Issues page or open a pull request to improve any aspect of the project.