Nest Keycloak Connect
An adapter for keycloak-nodejs-connect.
Features
- Protect your resources using Keycloak's Authorization Services.
- Simply add
@Resource
,@Scopes
, or@Roles
in your controllers and you're good to go. - Compatible with Fastify platform.
Installation
Yarn
yarn add nest-keycloak-connect keycloak-connect
NPM
npm install nest-keycloak-connect keycloak-connect --save
Getting Started
Register the module in app.module.ts
import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core';
import {
KeycloakConnectModule,
ResourceGuard,
RoleGuard,
AuthGuard,
PolicyEnforcementMode,
TokenValidation
} from 'nest-keycloak-connect';
@Module({
imports: [
KeycloakConnectModule.register({
authServerUrl: 'http://localhost:8080/auth',
realm: 'master',
clientId: 'my-nestjs-app',
secret: 'secret',
// optional if you want to retrieve JWT from cookie
cookieKey: 'KEYCLOAK_JWT',
// optional loglevels. default is verbose
logLevels: ['warn'],
// optional useNestLogger, uses the logger from app.useLogger() implementation
useNestLogger: false,
// optional, already defaults to permissive
policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
// optional, already defaults to online validation
tokenValidation: TokenValidation.ONLINE,
}),
],
providers: [
// These are in order, see https://docs.nestjs.com/guards#binding-guards
// for more information
// This adds a global level authentication guard, you can also have it scoped
// if you like.
//
// Will throw a 401 unauthorized when it is unable to
// verify the JWT token or Bearer header is missing.
{
provide: APP_GUARD,
useClass: AuthGuard,
},
// This adds a global level resource guard, which is permissive by default (can be configured).
//
// Only controllers annotated with `@Resource` and methods with `@Scopes`
// are handled by this guard.
//
// NOTE: This guard is not necessary if you are using role-based authorization exclusively.
// You can use role guard exclusively for that.
//
{
provide: APP_GUARD,
useClass: ResourceGuard,
},
// This adds a global level role guard, can only be used in conjunction with resource guard
// when enforcement policy is PERMISSIVE, unless you only use role guard exclusively.
// This adds a global level role guard, which is permissive.
//
// Used by controller methods annotated with `@Roles` (matching can be configured)
{
provide: APP_GUARD,
useClass: RoleGuard,
},
],
})
export class AppModule {}
You can also register by just providing the keycloak.json
path:
KeycloakConnectModule.register(`./keycloak.json`, {
cookieKey: 'KEYCLOAK_JWT',
logLevels: ['verbose'],
useNestLogger: false,
policyEnforcement: PolicyEnforcementMode.ENFORCING,
tokenValidation: TokenValidation.NONE,
})
In your controllers, simply do:
import { Resource, Roles, Scopes, AllowAnyRole, Public, RoleMatchingMode } from 'nest-keycloak-connect';
import { Controller, Get, Delete, Put, Post, Param } from '@nestjs/common';
import { Product } from './product';
import { ProductService } from './product.service';
@Controller()
@Resource(Product.name)
export class ProductController {
constructor(private service: ProductService) {}
@Get()
@Public() // Can also use `@Unprotected`
async findAll() {
return await this.service.findAll();
}
@Get()
@Roles({ roles: ['admin', 'other'] })
async findAllBarcodes() {
return await this.service.findAllBarcodes();
}
@Get(':code')
@Scopes('View')
async findByCode(@Param('code') code: string) {
return await this.service.findByCode(code);
}
@Post()
@Scopes('Create')
async create(@Body() product: Product) {
return await this.service.create(product);
}
@Delete(':code')
@Scopes('Delete')
@Roles({ roles: ['admin', 'realm:sysadmin'], mode: RoleMatchingMode.ALL })
async deleteByCode(@Param('code') code: string) {
return await this.service.deleteByCode(code);
}
@Put(':code')
@Scopes('Edit')
async update(@Param('code') code: string, @Body() product: Product) {
return await this.service.update(code, product);
}
}
Example app
An example application is provided in the source code with both Keycloak Realm and Postman requests for you to experiment with.