
Keycloak

  1. Access Keycloak Admin Console:
     - Open the Keycloak Admin Console in your web browser. With Keycloak 17 or later (the Quarkus distribution) it is served at http://localhost:8080/admin/ ; older distributions, and newer ones started with --http-relative-path /auth , serve it at http://localhost:8080/auth/admin/ .

  2. Create a Realm (if necessary):
     - If you don't already have a realm for your application, create one. Click on 'Add Realm' ('Create realm' in the newer admin console) and give it a name.

  3. Create a Client:
     - Within your realm, click on 'Clients' and then 'Create'.
     - Enter a client ID and select 'openid-connect' as the Client Protocol.
     - Set 'Client Authentication' to 'On'. This makes the client confidential, so a client secret is required at the token endpoint.
     - In 'Valid Redirect URIs', enter http://localhost:3080/oauth/openid/callback or the appropriate URI for your application. Enter the exact callback URI rather than a wildcard pattern: a loose redirect URI lets an attacker have the authorization code delivered to a URL they control.

  4. Configure Client:
     - After creating the client, you will be redirected to its settings page.
     - Note the 'Client ID' and 'Secret' from the 'Credentials' tab; you'll need these for your application.

  5. Add Roles (Optional): If you want to restrict access to users with specific roles, you can define roles in Keycloak and assign them to users.
     - Go to the 'Roles' tab in your client or realm (depending on where you want to define the roles).
     - Create a new role that matches the value you have in OPENID_REQUIRED_ROLE .

  6. Assign Roles to Users (Optional):
     - Go to 'Users', select a user, and go to the 'Role Mappings' tab.
     - Assign the appropriate role (that matches OPENID_REQUIRED_ROLE ) to the user.

  7. Get path of roles list inside token (Optional):
     - Decode a token issued by your OpenID provider (the payload is the base64url-encoded middle segment of the JWT) and determine the path to the roles list. For Keycloak realm roles the path is realm_access.roles ; client roles appear under resource_access.[YourClientID].roles .
     - Put this path in the OPENID_REQUIRED_ROLE_PARAMETER_PATH variable in the .env file.
     - With OPENID_REQUIRED_ROLE_TOKEN_KIND you can specify which token kind is inspected. Possible values are access and id . Keycloak's default protocol mappers add realm_access to the access token but not to the ID token, so keep access unless you have configured a mapper that also adds the roles to the ID token.
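The following is an added example, not LibreChat's or Keycloak's own code, showing what step 7 asks you to do by hand: decode a JWT payload, list every dotted path that ends in a roles array (the candidates for OPENID_REQUIRED_ROLE_PARAMETER_PATH), and check whether a required role is present at a chosen path. The realm name example, the client ID librechat-client, the role names and the sample token are all constructed for this example; the token is unsigned, so the decoder deliberately does not verify anything and must only be applied to a token the OIDC library has already validated.

```javascript
// Added example (not LibreChat's or Keycloak's code): inspect a token's role
// claim the way step 7 describes. The sample token below is constructed for
// this example and is unsigned; real Keycloak tokens are RS256-signed.
//
// IMPORTANT: decodeJwtPayload() does NOT verify the signature. Use it only on
// a token the OIDC client library has already validated (issuer, audience,
// expiry, signature); on its own it would read an attacker-crafted token,
// including one with "alg":"none", just as readily.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; Node's base64 decoder
  // accepts the missing '=' once '-' and '_' are mapped back.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected a compact JWS (header.payload.signature)');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Resolve a dotted path such as "realm_access.roles" or
// "resource_access.librechat-client.roles" against the decoded claims.
// Returns undefined if any segment is missing. (A client ID that itself
// contains dots would need a different separator; this helper assumes none.)
function getByPath(claims, path) {
  return path.split('.').reduce(
    (cur, key) =>
      cur !== null && typeof cur === 'object' && Object.prototype.hasOwnProperty.call(cur, key)
        ? cur[key]
        : undefined,
    claims,
  );
}

// Every dotted path in the claims whose final key is "roles" and whose value
// is an array: the candidates for OPENID_REQUIRED_ROLE_PARAMETER_PATH.
function findRolePaths(claims, prefix = '') {
  const found = [];
  for (const [key, value] of Object.entries(claims)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (key === 'roles' && Array.isArray(value)) {
      found.push(path);
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      found.push(...findRolePaths(value, path));
    }
  }
  return found;
}

// Deny unless the path resolves to an array that contains the required role.
// A missing or malformed claim is treated as "no role", never as "allow".
function hasRequiredRole(token, requiredRole, rolePath) {
  const roles = getByPath(decodeJwtPayload(token), rolePath);
  return Array.isArray(roles) && roles.includes(requiredRole);
}

// --- constructed sample: hypothetical realm "example", client "librechat-client" ---
function makeUnsignedToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}

const SAMPLE_ACCESS_TOKEN = makeUnsignedToken({
  iss: 'http://localhost:8080/realms/example',
  sub: '0b2f4c1e-example-subject',
  preferred_username: 'alice',
  realm_access: { roles: ['default-roles-example', 'librechat-user'] },
  resource_access: { 'librechat-client': { roles: ['admin'] } },
});

const claims = decodeJwtPayload(SAMPLE_ACCESS_TOKEN);
console.log('candidate role paths:', findRolePaths(claims));
console.log(hasRequiredRole(SAMPLE_ACCESS_TOKEN, 'librechat-user', 'realm_access.roles'));
console.log(hasRequiredRole(SAMPLE_ACCESS_TOKEN, 'admin', 'resource_access.librechat-client.roles'));
console.log(hasRequiredRole(SAMPLE_ACCESS_TOKEN, 'admin', 'realm_access.roles'));
```

Run it with node; replace SAMPLE_ACCESS_TOKEN with a real access token copied from your browser's network tab or from a test login to see which paths Keycloak actually populates for your client scopes, and remember that a realm role and a client role of the same name live at different paths.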

  8. Update Your Project's Configuration:
     - Open the .env file in your project folder and add the following variables:

```bash
OPENID_ISSUER=http://localhost:8080/auth/realms/[YourRealmName]
OPENID_CLIENT_ID=[YourClientID]
OPENID_CLIENT_SECRET=[YourClientSecret]
OPENID_CALLBACK_URL=http://localhost:3080/oauth/openid/callback
OPENID_SCOPE="openid profile email"
OPENID_REQUIRED_ROLE=[YourRequiredRole]
OPENID_REQUIRED_ROLE_TOKEN_KIND=(access|id)
OPENID_REQUIRED_ROLE_PARAMETER_PATH="realm_access.roles"
```

     - With Keycloak 17 or later that is not started with --http-relative-path /auth , the issuer is http://localhost:8080/realms/[YourRealmName] instead. Whichever form applies, OPENID_ISSUER must match the iss claim in the issued tokens exactly (scheme, host, port, path, no trailing slash); you can confirm it by opening [OPENID_ISSUER]/.well-known/openid-configuration and comparing the "issuer" field in the response.
     - Treat OPENID_CLIENT_SECRET like any other credential: keep the .env file out of version control and rotate the secret from the client's 'Credentials' tab if it is ever exposed.