### [Rails 8 + Keycloak Integration v2](https://medium.com/jungletronics/rails-8-keycloak-integration-v2-5401c3562362)
Adding Features to Your Bare-Metal OAuth2 Implementation

Welcome! 👋
This notebook walks you through the Keycloak middleware implementation built by J3, as outlined in the article linked below.
It serves as both a hands-on guide and a technical reference.

👉 Keycloak [Tutorial](https://medium.com/jungletronics/rails-8-keycloak-integration-v2-5401c3562362) on Medium

>Please refer to the [previous](https://github.com/giljr/my_jupyter_notebook_in_rails/blob/master/keycloak_3.ipynb) notebook to understand how to implement a Keycloak middleware from scratch.
>
>In this notebook, we’ll continue from where we left off.

Here is a flow graph (control flow diagram) describing the behavior of your Keycloak::Middleware in textual form.

#### Flow Graph – Keycloak::Middleware

```
[Start] 
  ↓
[Initialize Middleware with ENV vars & fetch JWKS]
  ↓
[call(env)]
  ↓
[Parse Rack::Request → get session & path]
  ↓
╔══════════════════════════════════════════════╗
║        ┌─────────────────────────────┐       ║
║  Path =│ "/login"                    │────┐  ║
║        └─────────────────────────────┘    │  ║
║              ↓                            │  ║
║     Save `return_to` in session           │  ║
║              ↓                            │  ║
║     [Redirect to Keycloak login URL] ◄────┘  ║
║                                              ║
║        ┌─────────────────────────────┐       ║
║  Path =│ "/auth/callback"            │────┐  ║
║        └─────────────────────────────┘    │  ║
║              ↓                            │  ║
║   Get authorization `code` from params    │  ║
║     ↓                                     │  ║
║ [exchange_code_for_token(code)]           │  ║
║     ↓                                     │  ║
║ [If access_token received:]               │  ║
║     ↓                                     │  ║
║ Decode token → extract roles              │  ║
║     ↓                                     │  ║
║ Redirect to: /admin | /secured | /        ◄──┘
╚══════════════════════════════════════════════╝
  ↓
[Check if path needs auth → /secured or /admin?]
  ↓
[Determine required_role based on path]
  ↓
[extract_token from Header or Session]
  ↓
[If no token → Redirect to /login]
  ↓
[decode_token(token) using JWKS]
  ↓
[If token invalid → return 401 Unauthorized]
  ↓
[Check if roles include required_role]
  ↓
[If not → return 403 Forbidden]
  ↓
[Add payload to env["keycloak.token"]]
  ↓
[Call @app.call(env)]
  ↓
[Response from downstream app]
  ↓
[End]
```


💡 Key Legend

    🔒 /login → triggers OAuth2 flow via Keycloak

    🔄 /auth/callback → receives authorization code, exchanges it for token, sets session, redirects

    🔐 /secured or /admin → protected paths, require specific roles

    🔎 Token → extracted from Authorization header or session

    ✅ Role check → validates user permissions

    ⛔ If no/invalid token or wrong role → 401 or 403

### To simulate and run the handle_callback method in a Jupyter notebook using the IRuby kernel, we can:

    1. Stub/mock the request, session, and any external functions like exchange_code_for_token and decode_token.

    2. Wrap it in a way that it prints useful outputs instead of returning a Rack response directly.

In [1]:
# Mock helper methods
def exchange_code_for_token(code)
  {
    "access_token" => "fake.jwt.token"
  }
end

def decode_token(token)
  {
    "realm_access" => {
      "roles" => ["user"] # Try changing to "admin" or an empty array to test routing logic
    }
  }
end

def unauthorized(message)
  [401, { "Content-Type" => "text/plain" }, [message]]
end

# Mock request object
class MockRequest
  attr_reader :params, :session

  def initialize(code)
    @params = { "code" => code }
    @session = {}
  end
end

# Main method
def handle_callback(request)
  code = request.params["code"]
  puts "----------------------------------------------" if code
  puts "Received authorization code: #{code}" if code
  session = request.session
  return unauthorized("Missing authorization code") unless code

  token_response = exchange_code_for_token(code)
  puts "----------------------------------------------" if code
  puts "Token response: #{token_response.inspect}" if token_response
  puts "----------------------------------------------" if code

  if token_response && token_response["access_token"]
    session[:access_token] = token_response["access_token"]

    payload = decode_token(token_response["access_token"])
    roles = payload.dig("realm_access", "roles") || []

    # Decide redirection path based on role
    redirect_path =
      if roles.include?("admin")
        "/admin"
      elsif roles.include?("user")
        "/secured"
      else
        "/"
      end

    [302, { "Location" => redirect_path }, []]
  else
    unauthorized("Token exchange failed")
  end
end

# Simulate a request
mock_request = MockRequest.new("abc123")
response = handle_callback(mock_request)

puts "\nFinal response:"
pp response
puts "\nSession contents:"
pp mock_request.session


----------------------------------------------
Received authorization code: abc123
----------------------------------------------
Token response: {"access_token"=>"fake.jwt.token"}
----------------------------------------------

Final response:
[302, {"Location"=>"/secured"}, []]

Session contents:
{:access_token=>"fake.jwt.token"}


{:access_token=>"fake.jwt.token"}

### 🔎  What This Simulates:

    params["code"] simulates the OAuth2 callback from Keycloak.

    exchange_code_for_token is mocked to return a fake token.

    decode_token fakes decoding a JWT and extracting roles.

    The method finally redirects based on role (/admin, /secured, or /).

### A more realistic Keycloak OAuth2 callback
Great! Since we want to simulate a more realistic Keycloak OAuth2 callback handling in a Jupyter Notebook (IRuby) environment with actual token decoding, let’s build it step by step:

In [2]:
# Run this in a cell to install JWT gem (used for decoding)
system("gem install jwt")
require "jwt"


true

In [3]:
require "jwt"
require "json"

# Secret or public key (simulate for decoding)
# In a real case, this would come from Keycloak's JWKS endpoint
# We'll simulate with HS256 and a shared secret here
JWT_SECRET = "my$ecretK3ycloak" # Only for simulation!

def exchange_code_for_token(code)
  # Simulate token generation
  payload = {
    sub: "user123",
    email: "user@example.com",
    realm_access: {
      roles: ["user"]  # Try ["admin"] to simulate other flow
    },
    exp: Time.now.to_i + 3600
  }

  token = JWT.encode(payload, JWT_SECRET, "HS256")
  { "access_token" => token }
end

def decode_token(token)
  decoded, = JWT.decode(token, JWT_SECRET, true, { algorithm: "HS256" })
  decoded
rescue JWT::DecodeError => e
  puts "JWT decode error: #{e.message}"
  nil
end

def unauthorized(message)
  [401, { "Content-Type" => "text/plain" }, [message]]
end


:unauthorized

In [4]:
class MockRequest
  attr_reader :params, :session

  def initialize(code = nil)
    @params = { "code" => code }
    @session = {}
  end
end


:initialize

In [5]:
def handle_callback(request)
  code = request.params["code"]
  puts "----------------------------------------------" if code
  puts "Received authorization code: #{code}" if code
  session = request.session
  return unauthorized("Missing authorization code") unless code

  token_response = exchange_code_for_token(code)
  puts "----------------------------------------------" if token_response
  puts "Token response: #{token_response.inspect}" if token_response
  puts "----------------------------------------------" if token_response

  if token_response && token_response["access_token"]
    session[:access_token] = token_response["access_token"]

    payload = decode_token(token_response["access_token"])
    roles = payload.dig("realm_access", "roles") || []

    # Decide redirection path based on role
    redirect_path =
      if roles.include?("admin")
        "/admin"
      elsif roles.include?("user")
        "/secured"
      else
        "/"
      end

    puts "Redirecting to: #{redirect_path}"
    [302, { "Location" => redirect_path }, []]
  else
    unauthorized("Token exchange failed")
  end
end


:handle_callback

In [6]:
# Simulate request with code
request = MockRequest.new("fake-code-from-keycloak")
response = handle_callback(request)

puts "\n👉 Final Rack-style response:"
pp response

puts "\n📦 Session data:"
pp request.session

puts "\n🔓 Decoded JWT payload:"
pp decode_token(request.session[:access_token])


----------------------------------------------
Received authorization code: fake-code-from-keycloak
----------------------------------------------
Token response: {"access_token"=>"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVzZXIiXX0sImV4cCI6MTc1MDQzODQ3N30.34oM1DFBPGHE_211n-GgUEZ8HlapKI6v_Dq0RdJbY6k"}
----------------------------------------------
Redirecting to: /secured

👉 Final Rack-style response:
[302, {"Location"=>"/secured"}, []]

📦 Session data:
{:access_token=>
  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZW1haWwiOiJ1c2VyQGV4YW1wbGUuY29tIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbInVzZXIiXX0sImV4cCI6MTc1MDQzODQ3N30.34oM1DFBPGHE_211n-GgUEZ8HlapKI6v_Dq0RdJbY6k"}

🔓 Decoded JWT payload:
{"sub"=>"user123",
 "email"=>"user@example.com",
 "realm_access"=>{"roles"=>["user"]},
 "exp"=>1750438477}


{"sub"=>"user123", "email"=>"user@example.com", "realm_access"=>{"roles"=>["user"]}, "exp"=>1750438477}

✅ What You’ve Simulated

    A Keycloak-like authorization code callback.

    A fake token exchange returning a JWT.

    Real decoding of the JWT using the jwt gem.

    Logic to redirect based on roles: /admin, /secured, or /.

💡 Note: You can inspect the actual token at [jwt.io](https://jwt.io/). Just paste it in and explore the decoded content!

```
Decoded Header:
{
  "alg": "HS256"
}

Decoded Payload:
{
  "sub": "user123",
  "email": "user@example.com",
  "realm_access": {
    "roles": [
      "user"
    ]
  },
  "exp": 1750436890
}
```


In [7]:
require "net/http"
require "uri"
require "json"

def fetch_jwks(uri_str)
  uri = URI.parse(uri_str)
  response = Net::HTTP.get(uri)
  JSON.parse(response)
end

# Fixed Keycloak URL
keycloak_host = "localhost:8080"
realm_name = "quickstart"
jwks_uri = "http://#{keycloak_host}/realms/#{realm_name}/protocol/openid-connect/certs"

jwks = fetch_jwks(jwks_uri)

puts "JWKS keys:"
pp jwks["keys"]


JWKS keys:
[{"kid"=>"LEqg3v00nXwOCsjbsCPpPi3JNj6SxVIJuSGuOay60dI",
  "kty"=>"RSA",
  "alg"=>"RS256",
  "use"=>"sig",
  "n"=>
   "0mXaqcg4RrQqozP4Hu_iVQRZDOqX-qDalDBbXiJ3a216B399InhGWdMbfICrgnH0lY-lkHM8cxXjfZjqikuCsXWdECTjuSmZLHwS0h5MRJ1kO7HP67soRV4v3vFqryH07-u8x198pPqiN2TPLouiCq47SfDP32gaBbsVfZtjQjIKO20IfvwFy3vX_Zd9iF6JK_muJzpXbFpWnkez3ZpJovJlCCxbFGsOyeeeNSBreJDW9HxmG6Nq6FWm_PphTBfomkSP0b2FhElI2TYL272_YEYBdK_Rje1TAZM6ugL96qNw8pcm3jvIgRNkrL2riaRNtRr7I7At_AAg0E2gDQLPiQ",
  "e"=>"AQAB",
  "x5c"=>
   ["MIICozCCAYsCBgGXVk57pDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApxdWlja3N0YXJ0MB4XDTI1MDYwOTIwMDYxM1oXDTM1MDYwOTIwMDc1M1owFTETMBEGA1UEAwwKcXVpY2tzdGFydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJl2qnIOEa0KqMz+B7v4lUEWQzql/qg2pQwW14id2ttegd/fSJ4RlnTG3yAq4Jx9JWPpZBzPHMV432Y6opLgrF1nRAk47kpmSx8EtIeTESdZDuxz+u7KEVeL97xaq8h9O/rvMdffKT6ojdkzy6LogquO0nwz99oGgW7FX2bY0IyCjttCH78Bct71/2XfYheiSv5ric6V2xaVp5Hs92aSaLyZQgsWxRrDsnnnjUga3iQ1vR8ZhujauhVpvz6YUwX6JpEj9G9hYRJSNk2C9u9v2BGAXSv0Y3tUwGTOroC/eqjcPKXJt47

[{"kid"=>"LEqg3v00nXwOCsjbsCPpPi3JNj6SxVIJuSGuOay60dI", "kty"=>"RSA", "alg"=>"RS256", "use"=>"sig", "n"=>"0mXaqcg4RrQqozP4Hu_iVQRZDOqX-qDalDBbXiJ3a216B399InhGWdMbfICrgnH0lY-lkHM8cxXjfZjqikuCsXWdECTjuSmZLHwS0h5MRJ1kO7HP67soRV4v3vFqryH07-u8x198pPqiN2TPLouiCq47SfDP32gaBbsVfZtjQjIKO20IfvwFy3vX_Zd9iF6JK_muJzpXbFpWnkez3ZpJovJlCCxbFGsOyeeeNSBreJDW9HxmG6Nq6FWm_PphTBfomkSP0b2FhElI2TYL272_YEYBdK_Rje1TAZM6ugL96qNw8pcm3jvIgRNkrL2riaRNtRr7I7At_AAg0E2gDQLPiQ", "e"=>"AQAB", "x5c"=>["MIICozCCAYsCBgGXVk57pDANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApxdWlja3N0YXJ0MB4XDTI1MDYwOTIwMDYxM1oXDTM1MDYwOTIwMDc1M1owFTETMBEGA1UEAwwKcXVpY2tzdGFydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANJl2qnIOEa0KqMz+B7v4lUEWQzql/qg2pQwW14id2ttegd/fSJ4RlnTG3yAq4Jx9JWPpZBzPHMV432Y6opLgrF1nRAk47kpmSx8EtIeTESdZDuxz+u7KEVeL97xaq8h9O/rvMdffKT6ojdkzy6LogquO0nwz99oGgW7FX2bY0IyCjttCH78Bct71/2XfYheiSv5ric6V2xaVp5Hs92aSaLyZQgsWxRrDsnnnjUga3iQ1vR8ZhujauhVpvz6YUwX6JpEj9G9hYRJSNk2C9u9v2BGAXSv0Y3tUwGTOroC/eqjcPKXJt47yIETZKy9q4mkTbUa+yOwLfwAINBNoA0

### Here's a succinct interpretation of the JWKS output you provided:

✅ There are two RSA keys in this JWKS (JSON Web Key Set):

🔐 1. Signature Key (use: sig)

    kid: LEqg3v00nXwOCsjbsCPpPi3JNj6SxVIJuSGuOay60dI

    Purpose: Used to verify RS256-signed ID/access tokens.

    Algorithm: RS256

    Key Type: RSA

    Modulus (n) and Exponent (e): Together define the RSA public key.

    x5c: X.509 certificate chain, base64 DER-encoded. Can be used to construct a PEM-formatted public key.

    x5t / x5t#S256: Thumbprints for key matching and caching.

✅ This is the key you should use to decode and verify JWTs issued by Keycloak.

🔐 2. Encryption Key (use: enc)

    kid: 3EU8lkdp3L9oqNSQGNhkQbtrXP62PqztdnKWAUZKUtY

    Purpose: Used to encrypt tokens or messages (e.g., encrypted ID tokens or JWE).

    Algorithm: RSA-OAEP

    Do not use this to verify signatures.

🧠 Summary:

    Use the key with "use": "sig" and "alg": "RS256" to verify JWT tokens from Keycloak.

    Ignore the "enc" key unless you're specifically dealing with encrypted payloads (e.g., JWE tokens).

    Match the kid in your JWT header with the JWKS to pick the correct key.

In [8]:
puts("✅ That’s it! Thanks for reading. Your support means a lot — feel free to share this with your colleagues!")

✅ That’s it! Thanks for reading. Your support means a lot — feel free to share this with your colleagues!
