[keycloak-user] Authz with nodejs
Corentin Dupont
corentin.dupont at gmail.com
Thu Nov 9 11:06:13 EST 2017
OK, problem solved: I forgot to check "Full Scope Allowed" in the client...

On Tue, Nov 7, 2017 at 10:03 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
> Hi guys,
> I created a REST API that I would like to protect with keycloak.
> However, I can't find any example/tutorial on the Internet that suits.
>
> At the moment I use keycloak-nodejs-connect:
> https://github.com/keycloak/keycloak-nodejs-connect/blob/master/example/index.js
>
> This is the basic example given:
>
> var Keycloak = require('keycloak-connect');
> var express = require('express');
> var session = require('express-session');
>
> var app = express();
> var server = app.listen(3000, function () {});
> var memoryStore = new session.MemoryStore();
>
> app.use(session({
>   secret: 'mySecret',
>   resave: false,
>   saveUninitialized: true,
>   store: memoryStore,
> }));
>
> var keycloak = new Keycloak({
>   store: memoryStore
> });
>
> app.use(keycloak.middleware({
>   logout: '/logout',
>   admin: '/'
> }));
>
> app.get('/login', keycloak.protect(), function (req, res) {
>   res.render('index', {
>     result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4),
>     event: '1. Authentication\n2. Login'
>   });
> });
>
> But that doesn't correspond to my need: in a REST API I have no login or
> logout and no memory.
> I think the user should always make requests with a bearer token. Based on
> that token I can identify the user and get his roles.
> Then I could use keycloak.protect('realm:myendpoint') to protect each of
> my endpoints. If the user has got that role, he is authorized.
> Did I understand the flow correctly?
> Is there some example or REST API with authz, using nodeJS?
>
> Thanks a lot!!!
> Corentin
>