Hi,
If you are using your node app just to expose APIs that your SPA will
consume, you should flag your node-ap as "bearer-only" (in the keycloak
config) , this will return a 401 if you user is not authenticated (and not
attempt the redirect 302).
This also means that your SPA must obtain the token by using the Keycloak
Javascript library.
Sebi
On Fri, May 3, 2019 at 9:45 AM Radovan Kuka <kuka.radovan(a)gmail.com> wrote:
Hello all,
I am new to keycloak and I tryed to use keycloak-connect to protect routes
on my server. From my SPA, I make a fetch call to the server route that
uses protect middleware. In case of unauthenticated user, keycloak-connect
returns redirect to login page (302 with location header). Problem is that,
original request was fetch and 302 causes that, browser will call GET
request for keycloak login page. This will not cause full browser redirect
to that login page. Wouldn't it be better to send 401 Unauthorized and let
browser to handle redirect itself? Or am I doing something wrong?
This is related part in my code.
const keycloakConfig = {
authServerUrl: application.SERVER_URL,
clientId: application.CLIENT_ID,
realm: application.REALM,
public: true
};
const keycloak = new Keycloak({ cookies: true }, keycloakConfig);
app.use(
keycloak.middleware({
logout: '/logout'
})
);
// Use routes
app.use('/api/v1/', keycloak.protect(), api);
Thank you for any help.
Radovan
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user