Keycloak
- Access Keycloak Admin Console:
  - Open the Keycloak Admin Console in your web browser. This is usually found at a URL like `http://localhost:8080/auth/admin/`.
- Create a Realm (if necessary):
  - If you don't already have a realm for your application, create one. Click on "Add Realm" and give it a name.
- Create a Client:
  - Within your realm, click on "Clients" and then "Create".
  - Enter a client ID and select "openid-connect" as the Client Protocol.
  - Set "Client Authentication" to "On".
  - In "Valid Redirect URIs", enter `http://localhost:3080/oauth/openid/callback` or the appropriate URI for your application.
- Configure Client:
  - After creating the client, you will be redirected to its settings page.
  - Note the "Client ID" and "Secret" from the "Credentials" tab; you'll need these for your application.
- Add Roles (Optional): If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users.
  - Go to the "Roles" tab in your client or realm (depending on where you want to define the roles).
  - Create a new role that matches the value you have in `OPENID_REQUIRED_ROLE`.
- Assign Roles to Users (Optional):
  - Go to "Users", select a user, and go to the "Role Mappings" tab.
  - Assign the appropriate role (that matches `OPENID_REQUIRED_ROLE`) to the user.
- Get the path of the roles list inside the token (Optional):
  - Decode the JWT you receive from the OpenID provider and determine the path to the roles list inside the access token. For example, if you are using Keycloak, the path is `realm_access.roles`.
  - Put this path in the `OPENID_REQUIRED_ROLE_PARAMETER_PATH` variable in the `.env` file.
  - With the `OPENID_REQUIRED_ROLE_TOKEN_KIND` parameter you can specify which token kind to inspect for the role. Possible values are `access` and `id`.
- Update Your Project's Configuration:
  - Open the `.env` file in your project folder and add the following variables:

```env
OPENID_ISSUER=http://localhost:8080/realms/[YourRealmName]
OPENID_CLIENT_ID=[YourClientID]
OPENID_CLIENT_SECRET=[YourClientSecret]
OPENID_SESSION_SECRET=[JustGenerateARandomSessionSecret]
OPENID_CALLBACK_URL=/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=[YourRequiredRole]
OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id) # that means, `access` or `id`
OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
```
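As an added example (not LibreChat's or Keycloak's own code), the Node.js snippet below shows how the three role settings above fit together: it reads whichever token `OPENID_REQUIRED_ROLE_TOKEN_KIND` selects, resolves the dotted `OPENID_REQUIRED_ROLE_PARAMETER_PATH` (such as `realm_access.roles`) inside the decoded claims, and checks for `OPENID_REQUIRED_ROLE`. The function names, sample tokens and claims are constructed for illustration, and the snippet assumes the OpenID client library has already verified the token signature.

```javascript
// Added example, not LibreChat's own code. Assumes the OpenID client library has
// already verified the token signature; this only inspects the decoded claims.

// Decode the payload segment of a JWT (header.payload.signature, base64url).
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Resolve a dotted path such as "realm_access.roles" inside an object,
// returning undefined if any segment is missing.
function getByPath(obj, path) {
  return path.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Mirror of the .env settings: which token to read, where the roles live,
// and which role is required. Missing token or path means access is denied.
function hasRequiredRole(tokens, { requiredRole, tokenKind, rolePath }) {
  const token = tokenKind === 'id' ? tokens.id_token : tokens.access_token;
  if (!token) return false;
  const roles = getByPath(decodeJwtPayload(token), rolePath);
  return Array.isArray(roles) && roles.includes(requiredRole);
}

// Constructed sample tokens (hypothetical claims, placeholder signature).
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.placeholder-signature`;
}

const sampleTokens = {
  // Keycloak places realm roles under realm_access.roles in the access token.
  access_token: makeSampleToken({ sub: 'user-1', realm_access: { roles: ['librechat-user'] } }),
  // This sample id token carries no roles, so an "id" check must fail.
  id_token: makeSampleToken({ sub: 'user-1', email: 'user@example.com' }),
};

const config = {
  requiredRole: 'librechat-user',  // OPENID_REQUIRED_ROLE
  tokenKind: 'access',             // OPENID_REQUIRED_ROLE_TOKEN_KIND
  rolePath: 'realm_access.roles',  // OPENID_REQUIRED_ROLE_PARAMETER_PATH
};

console.log(hasRequiredRole(sampleTokens, config)); // true
console.log(hasRequiredRole(sampleTokens, { ...config, tokenKind: 'id' })); // false
```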