/authentication-demo


Authentication demo for Keycloak

What to see here

This is an example project that shows different capabilities of the OpenID Connect standards, with Keycloak as the OpenID Provider and a single page application as the client.

Watch the browser's Network tab, filtered to Fetch/XHR and Doc requests only, while stepping through the following.

  1. Loading information about the server: `.well-known/openid-configuration`, based on the issuer
    http://localhost:8080/realms/test plus /.well-known/openid-configuration

  2. Check if a user is logged in (silent check, no login page is ever shown)
    `.../auth?redirect_uri=...&prompt=none` ⇒ `...?error=login_required` when there is no session, otherwise a code as in step 3

  3. Log in the user
    `.../auth?redirect_uri=...&prompt=login` ⇒ `...session_state=...code=...`

  4. Use PAR (Pushed Authorization Requests) instead of passing the parameters in the authorization URL (can be enforced on the Keycloak side)
    POST the query parameters (`...&prompt=login...`) to `.../ext/par/request`, then open `.../auth?request_uri=...` ⇒ `...session_state=...code=...`

  5. Get tokens
    POST everything (code, redirect_uri, client_id) to the token endpoint ⇒ ID Token, Access Token, Refresh Token, ...

  6. OpenID Connect Session Management to check if the user is still logged in
    IFrame `.../login-status-iframe.html` + `session_state` + JavaScript sendMessage() / receiveMessage() (postMessage between the SPA and the iframe) ⇒ check via the Keycloak session cookie whether the user is still logged in, without a redirect

  7. Inspect the ID token

  8. Use the access token to retrieve information from the user info endpoint (as an example of a protected resource)

  9. Refresh the access token when necessary

  10. Logout
    .../logout?post_logout_redirect_uri=...&id_token_hint=...&client_id=... ⇒ Redirect to client URL

  11. Re-authenticate when already logged in (forces the login page even though an SSO session exists)
    `.../auth?redirect_uri=...&prompt=login` ⇒ `...session_state=...code=...`

  12. Enforce second factor authentication (can also be enforced in the Keycloak client configuration)
    `.../auth?...acr_values=2...` ⇒ the level reached is shown in the `acr` claim of the token; the client must check it, since the server may answer with a lower level

  13. Application Initiated Actions (non-standard)

    • Update Profile
      `.../auth?redirect_uri=...&kc_action=UPDATE_PROFILE` ⇒ `...session_state=...code=...`

    • Update Password
      `.../auth?redirect_uri=...&kc_action=UPDATE_PASSWORD` ⇒ `...session_state=...code=...`

  14. Account Console (non-standard)
    .../account?referrer=...&referrer_uri=...

  15. Add extra scope address to get address data
    .../auth?...&scope=openid+email+address... ⇒ scopes in token

  16. Create additional fields for scope address
    Go to realm test
    Client scopes → address → Mappers → street, locality, region, postal_code, country, formatted
    Realm settings → User profile → Create attribute formatted
    Enabled and required when scope address is requested
    Who can edit: Admins and Users
    Input Type: text area

  17. Register a new user
    Go to realm test → Realm settings → Login → enable User registration
    See the discovery document change: `create` now appears among the supported prompt values
    `.../auth?redirect_uri=...&prompt=create` ⇒ `...session_state=...code=...`
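The requests listed in steps 1 to 5 and 9 to 17 differ only in a few query parameters. The following is an added example, not code from the demo or from Keycloak: plain functions that build each request and parse the redirect back, so the URLs seen in the Network tab can be reproduced and checked. The issuer is the one from this README; `client_id`, `redirect_uri` and the stand-in discovery document are assumptions.

```javascript
// Added example, not code from the demo. Issuer from the README; client_id,
// redirect_uri and the discovery stand-in below are assumptions.
const ISSUER = "http://localhost:8080/realms/test";
const CLIENT_ID = "openid-vue";                         // assumed client id
const REDIRECT_URI = "http://localhost:5173/callback";  // assumed SPA callback

// Step 1: the discovery document lives at issuer + /.well-known/openid-configuration.
function discoveryUrl(issuer) {
  return issuer.replace(/\/+$/, "") + "/.well-known/openid-configuration";
}

// Constructed stand-in for the fetched discovery document (only the fields used
// below; the paths follow Keycloak's layout). A real client reads the fetched JSON.
const discovery = {
  authorization_endpoint: `${ISSUER}/protocol/openid-connect/auth`,
  token_endpoint: `${ISSUER}/protocol/openid-connect/token`,
  end_session_endpoint: `${ISSUER}/protocol/openid-connect/logout`,
  pushed_authorization_request_endpoint: `${ISSUER}/protocol/openid-connect/ext/par/request`,
};

// state binds the callback to this browser session, nonce binds the ID token to this
// request; both must be unpredictable and kept (e.g. sessionStorage) until the callback.
function randomToken(bytes = 32) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return btoa(String.fromCharCode(...buf)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Authorization parameters shared by steps 2, 3, 11, 12, 13, 15 and 17.
function authParams({ state, nonce, scope = "openid email", prompt, acrValues, kcAction }) {
  const p = new URLSearchParams({ client_id: CLIENT_ID, redirect_uri: REDIRECT_URI,
                                  response_type: "code", scope, state, nonce });
  if (prompt) p.set("prompt", prompt);             // none | login | create
  if (acrValues) p.set("acr_values", acrValues);   // "2" asks for the second-factor level
  if (kcAction) p.set("kc_action", kcAction);      // UPDATE_PROFILE | UPDATE_PASSWORD (Keycloak-specific)
  return p;
}

function authorizationUrl(opts) {
  return `${discovery.authorization_endpoint}?${authParams(opts)}`;
}

// Step 4 (PAR): the same parameters are POSTed as a form body to the PAR endpoint;
// the browser is then sent to the authorization endpoint with only client_id and
// the request_uri the server returned, so nothing sensitive travels in the URL.
function parRequestBody(opts) {
  return authParams(opts).toString();
}
function authorizationUrlFromPar(requestUri) {
  const p = new URLSearchParams({ client_id: CLIENT_ID, request_uri: requestUri });
  return `${discovery.authorization_endpoint}?${p}`;
}

// Parse the redirect back. For prompt=none, error=login_required means "no session"
// and is an expected outcome, not a failure; any other error is one.
function parseCallback(callbackUrl, expectedState) {
  const q = new URL(callbackUrl).searchParams;
  if (q.get("state") !== expectedState) {
    throw new Error("state mismatch: callback is not the one this client started");
  }
  const error = q.get("error");
  if (error === "login_required") return { loggedIn: false };
  if (error) throw new Error(`authorization failed: ${error}`);
  const code = q.get("code");
  if (!code) throw new Error("callback carries neither code nor error");
  return { loggedIn: true, code, sessionState: q.get("session_state") };
}

// Step 5: redeem the code; step 9: refresh. Both are form POSTs to token_endpoint.
function tokenRequestBody(code) {
  return new URLSearchParams({ grant_type: "authorization_code", client_id: CLIENT_ID,
                               redirect_uri: REDIRECT_URI, code }).toString();
}
function refreshRequestBody(refreshToken) {
  return new URLSearchParams({ grant_type: "refresh_token", client_id: CLIENT_ID,
                               refresh_token: refreshToken }).toString();
}

// Step 10: RP-initiated logout; id_token_hint tells Keycloak which session to end
// and lets it redirect without asking the user to confirm.
function logoutUrl(idToken, postLogoutRedirectUri) {
  const p = new URLSearchParams({ id_token_hint: idToken,
                                  post_logout_redirect_uri: postLogoutRedirectUri, client_id: CLIENT_ID });
  return `${discovery.end_session_endpoint}?${p}`;
}
```

A public SPA client should additionally send a PKCE `code_challenge` with the authorization request and the matching `code_verifier` with the token request; it is left out above only to keep the example to the parameters this README lists.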
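Steps 6, 7 and 12 are about what the client checks after login rather than what it sends. This added example (not code from the demo) decodes an ID token for inspection, applies the claim checks a client must run before trusting it, including the `acr` level requested in step 12, and shows the message exchange with the login-status iframe from step 6. The token is constructed inline and unsigned; signature verification against the realm's JWKS is deliberately not shown and must come first in a real client. `client_id` is an assumption.

```javascript
// Added example, not code from the demo. Issuer from the README; client_id assumed.
const ISSUER = "http://localhost:8080/realms/test";
const CLIENT_ID = "openid-vue";  // assumed client id

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}
function b64urlEncode(s) {
  const bytes = new TextEncoder().encode(s);
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Step 7: split the compact JWS and decode header and payload for inspection.
// No signature check happens here.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 parts)");
  return { header: JSON.parse(b64urlDecode(parts[0])), payload: JSON.parse(b64urlDecode(parts[1])) };
}

// Claim checks from OpenID Connect Core 3.1.3.7 plus the acr level from step 12.
// Returns every problem found so a caller can log all of them, not only the first.
function validateIdToken(token, { expectedNonce, minAcr, now = Math.floor(Date.now() / 1000) }) {
  const { header, payload } = decodeJwt(token);
  const problems = [];
  if (header.alg === "none") problems.push("unsigned token (alg=none)");
  if (payload.iss !== ISSUER) problems.push(`iss mismatch: ${payload.iss}`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(CLIENT_ID)) problems.push("aud does not contain client_id");
  if (aud.length > 1 && payload.azp !== CLIENT_ID) problems.push("azp missing or mismatch");
  if (typeof payload.exp !== "number" || payload.exp <= now) problems.push("expired");
  if (payload.nonce !== expectedNonce) problems.push("nonce mismatch");
  // acr_values=2 is a request; the token says which level was actually reached.
  if (minAcr !== undefined && Number(payload.acr) < minAcr) problems.push(`acr ${payload.acr} < ${minAcr}`);
  return { ok: problems.length === 0, problems, claims: payload };
}

// Constructed sample of the claims Keycloak puts in an ID token after a step-up login.
// The signature part is empty because nothing here verifies it.
function makeSampleIdToken(overrides = {}) {
  const header = { alg: "RS256", typ: "JWT", kid: "sample-kid" };
  const payload = { iss: ISSUER, aud: CLIENT_ID, azp: CLIENT_ID, sub: "constructed-user-id",
                    iat: 1700000000, exp: 1700000300, nonce: "n1", acr: "2",
                    session_state: "constructed-session", email: "user@example.test", ...overrides };
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.`;
}

// Step 6: the SPA posts "<client_id> <session_state>" to the login-status iframe,
// which compares it with the Keycloak session cookie and answers
// "changed", "unchanged" or "error".
function sessionCheckMessage(sessionState) {
  return `${CLIENT_ID} ${sessionState}`;
}
function sessionStillValid(reply) {
  if (reply === "unchanged") return true;
  if (reply === "changed") return false;   // re-run the prompt=none check, then log in or out
  throw new Error(`session check failed: ${reply}`);
}
```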

How to run it

  1. Go to the folder keycloak and start Keycloak

  2. Go to the folder openid-vue and start the single page application