Hi Bruno I've been banging my head against a brick wall for while now and wondering if you can rescue me since you're a contributor. I currently have a loopback app that I'm trying to protect with Keycloak and my server/boot/root.js contains: module.exports = function (server) { var session = require('express-session'); var Keycloak = require('keycloak-connect'); var keycloak = new Keycloak(); var memoryStore = new session.MemoryStore(); server.use(session({ secret: '3249d976-7c6c-481d-83e6-c8012904f00a', resave: false, saveUninitialized: true, store: memoryStore, })) var keycloak = new Keycloak({ store: memoryStore }); server.use(keycloak.middleware({})); server.get('/*', keycloak.protect(), function (req, resp) { resp.send('hello'); }) }; I've tried to follow the example as closely as possible but when I hit any API I get into a redirect loop and the request fails. I've also tried swapping the server.use(session line with server.use(keycloak but then see: Cannot read property 'keycloak-token' of undefined Is there something I'm doing wrong? Thanks in advance! Cheers, Elston