Keycloak with Node.js — (Basic Configuration)
This article covers Keycloak from the fundamentals through to more advanced use, with a focus on integrating it with Node.js.
What is Keycloak?
Keycloak is an open-source Identity and Access Management solution licensed under the Apache License 2.0. It is also the upstream project for Red Hat Single Sign-On (Red Hat SSO), which makes it a suitable choice for enterprise requirements.
Which platforms it can integrate with depends on the protocol you choose; Keycloak currently implements three: OpenID Connect, OAuth 2.0 and SAML 2.0, as described in the documentation. The project started in September 2014 and had reached version 15.0.2 by October 9, 2021; the steps below were carried out on 23.0.1. Keycloak is developed and maintained by people associated with Red Hat, and contributions from new collaborators are welcome.
This article walks through the configuration of Keycloak and explains the essential components along the way: Realms, Clients, Users and the JWT access token. It starts with the basic configuration and builds up from there.
Let's start.
Step 1: Download Keycloak from https://www.keycloak.org/downloads and unpack the archive.
Step 2: Open a command prompt in the bin directory of the unpacked distribution (for example \keycloak-23.0.1\bin) and run kc.bat (kc.sh on Linux and macOS) with no arguments. It prints the available server commands (start, start-dev, build, export, import and so on).
Step 3: Run kc.bat start-dev to start the server in development mode. Development mode uses the embedded file-based H2 database, allows plain HTTP and relaxed hostname checks, and listens on http://localhost:8080. It is meant for local development only; a production server is started with kc.bat start after a build, behind HTTPS and with a real database.
Step 4: Open http://localhost:8080 and click "Administration Console". Log in with the initial admin account. This article uses userid admin and password admin; in Keycloak 23 that account is created either on the welcome page the first time you open it or by setting the KEYCLOAK_ADMIN and KEYCLOAK_ADMIN_PASSWORD environment variables before starting the server. Use a strong password even on a development box, since this account controls every realm. After login the Keycloak landing page appears.
Step 5: Create a new realm. Keycloak ships with the master realm, which is meant for administering Keycloak itself; create a separate realm for your applications. The examples in this article use a realm named apps.
What is a realm?
In Keycloak, a Realm is a self-contained security space where users, applications, and various components are managed and organized. It serves as an isolated environment that defines the boundaries for authentication and authorization. Realms enable administrators to establish specific security policies, manage user credentials, and configure authentication flows independently. Each realm has its own set of users, roles, clients, and identity providers, ensuring a segregated and secure space for identity and access management within Keycloak.
Step 6: Once the realm is created, open Realm settings > Tokens and set the access token lifespan (this becomes the exp claim of the JWT), or leave the default of 5 minutes. Keep access tokens short-lived: a stolen bearer token can be used until it expires, and the refresh token exists precisely so that short lifespans do not hurt usability.
Step 7: Click Clients in the left-hand menu and then Create client.
Step 8: Configure the client: client type OpenID Connect, client ID app-gateway (the ID used in the token request later on), Client authentication switched on (this makes it a confidential client and generates a client secret under the Credentials tab), and only the authentication flows you actually need. The password grant used in Step 10 requires Direct access grants to be enabled; the authorization code flow (Standard flow) requires exact Valid redirect URIs rather than a wildcard.
There are two types of clients:
Public client: these clients cannot keep a credential confidential because they run entirely on the end user's device. Browser-based single-page applications and native or mobile apps fall into this category. They are issued no client secret and must use the authorization code flow with PKCE instead.
Confidential client: these clients can keep a credential confidential. Server-side applications, such as a web server or a backend service, are classified as confidential clients and must authenticate themselves to Keycloak whenever they call the token endpoint.
A confidential client has to prove its identity to Keycloak before it receives an access token or other credentials. In Keycloak the component that checks that proof is the "Client Authenticator", selected on the client's Credentials tab. It ensures that whoever is calling the token endpoint really is the registered client; which authenticator to choose depends on the characteristics of the client and the security requirements of the system.
Keycloak offers the following client authenticators:
- Client Id and Secret: the client sends its client_id together with a shared secret, either in the form body (client_secret_post, as in the curl command below) or in an HTTP Basic Authorization header (client_secret_basic). Simple, but the secret itself travels over the wire on every request and has to be kept out of source control and logs.
- Signed JWT (private_key_jwt): the client signs a short-lived JWT with its private key and sends it as client_assertion with client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer. Keycloak verifies the signature with the client's public key, taken from its JWKS URL or an uploaded certificate. The private key never leaves the client, which is why this is the preferred option for high-value server-to-server clients.
- Signed JWT with Client Secret (client_secret_jwt): the same assertion format, but the JWT is HMAC-signed with the client secret. Only proof of possession of the secret is transmitted, not the secret itself, but it is still a symmetric secret shared between both sides.
- X509 Certificate (tls_client_auth): the client authenticates with a TLS client certificate during the mutual-TLS handshake, matched against the subject DN, SAN or other attribute configured on the client. Independently of that, Keycloak can bind the issued access token to the client certificate (certificate-bound access tokens, RFC 8705), so that the token cannot be replayed from a different TLS client.
Step 9: Create a user in Keycloak (Users > Add user):
1. Username: demo-user
2. Credentials tab > Set password: Admin@123 (the test value used in this article; pick your own)
3. Switch the Temporary toggle off. With a temporary password Keycloak forces a password change at first login, and until that happens the password grant in Step 10 fails with "Account is not fully set up".
Step 10: To find the token endpoint, open Realm settings > General > Endpoints > OpenID Endpoint Configuration, or request http://localhost:8080/realms/apps/.well-known/openid-configuration directly (apps is the realm name used in this article). The token_endpoint field of that document is the URL used below.
Now run the following curl command, adjusted to your configuration. The grant_type=password flow (Resource Owner Password Credentials) is convenient for testing, but it hands the user's password to the client and is deprecated by OAuth 2.1; real applications should use the authorization code flow. The client_secret parameter is present because app-gateway was created as a confidential client; for a public client it is omitted. The password must match the one set in Step 9.
curl --location 'http://localhost:8080/realms/apps/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=app-gateway' \
--data-urlencode 'username=demo-user' \
--data-urlencode 'password=Admin@123' \
--data-urlencode 'client_secret=vMvlIVWob1HYxvAoiuJCBwRSQpmMLRSd'
The response is a JSON document containing access_token, refresh_token, expires_in and token_type. The access token is the signed JWT that your Node.js application will verify; the refresh token is only ever sent back to Keycloak to obtain a new access token, never to your API.
Step 11: Create a Node.js application. You can follow the instructions at this link:
https://medium.com/@adnanrahic/hello-world-app-with-node-js-and-express-c1eb7cfa8a30
Once the Node.js application is set up, install the following packages (npm install keycloak-connect express-session):
- keycloak-connect
- express-session
Step 12: Back in the Keycloak admin console, open the client again and follow these steps.
Copy the adapter configuration shown in the article's screenshot (the keycloak.json that keycloak-connect reads) into your Node.js app. It consists of the realm name, the auth-server-url (http://localhost:8080 here), the resource (the client ID, app-gateway), ssl-required and, for a confidential client, credentials.secret taken from the client's Credentials tab. Treat that secret like a password: load it from the environment rather than committing it with the source.
In my case I configured the Node.js app for HTTPS, but that is not required for the Keycloak integration. Your basic app should look as follows and includes the keycloak-connect middleware.
Step 13: Run the application with node index.js.
Step 14: Generate a token (see Step 10) and call the protected endpoint, sending the access token in an Authorization: Bearer header.
The following diagram shows how Keycloak token authentication works: the client obtains a signed access token from Keycloak, presents it to the Node.js application, and the application validates the token's signature against the realm's public key and checks its claims (issuer, expiry, the client it was issued to and the user's roles) before serving the request.