Undefined access token

[abelncm]

After calling const keycloak = new Keycloak( { ... } ) with my configurations (i believe secret should be inside credentials - credentials: {secret: ....} )

In my case my ApolloServer is like this

const apolloServer = new ApolloServer({ async context({ connection, req }) { const context = { ...contextFromOptions };

    // For a GraphQL subscription WebSocket request, there is no `req`
    if (connection) return context;

  await createDataLoaders(context);

  context.kauth = new KeycloakContext({ req });

  console.log(context.kauth.accessToken);

  return context;
},
debug: options.debug || false,
formatError: getErrorFormatter(),
schema,
subscriptions,
introspection: config.GRAPHQL_INTROSPECTION_ENABLED,
playground: config.GRAPHQL_PLAYGROUND_ENABLED

});

I put a ocnsole log to view accessToken in context but it's returning undefined. how can i debug and know that request is being made and view the keycloak response?

[wtrocki]

The access token will not be available in the context method - it will be available in resolvers like demoed in the example applications. The context method is used to create object and it is not used to authenticate or have info about user.

It might happen that request is missing access token. This usually happens when we forget to add keycloak middleware/protect graphql route.

Also it is worth to include version of the keycloak adapter that is being used. Some issues with old adapters might happen (we also did not tested version 11 of the adapter)

[wtrocki]

Added more info

[abelncm]

Ok, but i'm still getting not authenticated (i used @Auth so it's working) but I am authenticated though! How can i debug this?

[wtrocki]

This is probably due to misconfigured keycloak.

The way I would start is to try to run sample app (or README.md example). Understand what is happening there and inspect keycloak realm (server and client side clients created in keycloak.

If you succeed with that you can move the same patterns to your app.

[abelncm]

What version of keycloak adapter do you recommend? I'm using the latest

I don't think the configuration is wrong, because i can authenticate with the normal keycloak-connect procedure, but that only works for blocking endpoints.

Also do you use session? var memoryStore = new session.MemoryStore(); _keycloak = new Keycloak({ store: memoryStore }, keycloakConfig);

[abelncm]

i am using a bearer only client with a secret. i put a console log in your directiveResolvers i can see the authorization header (header.authorization) from context.kauth coming in ok.

Why would i have accessToken undefined in context.kauth if it is in context.kauth.headers.authorization?

[wtrocki]

Why you need those values in context?

[abelncm]

i'm just inspecting the context.kauth to better understand why it's not authenticated even with the token there

[wtrocki]

Is your client supplying token and it is logged into keycloak using the same realm? Please check our readme and sample app.

We are not able to help you with your problem unless we will be able to replicate it using example app. if you have any use case that is not documented please fork repo and modify example app so I can assist.

We are not able to assist with problem with your own codebase unless it is something that has steps to replicate on our side.

[wtrocki]

I will check sample app with the latest keycloak library..It might be that they broke something

[abelncm]

You can reproduce using this index.js

const express = require("express");

const { ApolloServer, gql } = require('apollo-server-express');

const Keycloak = require('keycloak-connect');

const { KeycloakContext, KeycloakTypeDefs, KeycloakSchemaDirectives } = require('keycloak-connect-graphql');

// A schema is a collection of type definitions (hence "typeDefs")
// that together define the "shape" of queries that are executed against
// your data.
const typeDefs = gql`
  # Comments in GraphQL strings (such as this one) start with the hash (#) symbol.

  # This "Book" type defines the queryable fields for every book in our data source.
  type Book {
    title: String
    author: String
  }

  # The "Query" type is special: it lists all of the available queries that
  # clients can execute, along with the return type for each. In this
  # case, the "books" query returns an array of zero or more Books (defined above).
  type Query {
    books: [Book] @auth
  }
`;

const books = [
  {
    title: 'Harry Potter and the Chamber of Secrets',
    author: 'J.K. Rowling',
  },
  {
    title: 'Jurassic Park',
    author: 'Michael Crichton',
  },
];

// Resolvers define the technique for fetching the types defined in the
// schema. This resolver retrieves books from the "books" array above.
const resolvers = {
  Query: {
    books: () => books,
  },
};

const app = express();
const keycloak = new Keycloak('keycloak.json');

app.use('/graphql', keycloak.middleware());

const server = new ApolloServer({
  typeDefs: [KeycloakTypeDefs, typeDefs], // 1. Add the Keycloak Type Defs
  schemaDirectives: KeycloakSchemaDirectives, // 2. Add the KeycloakSchemaDirectives
  resolvers,
  context: ({ req }) => {
    return {
      kauth: new KeycloakContext({ req }) // 3. add the KeycloakContext to `kauth`
    }
  }
});

server.applyMiddleware({ app });

app.listen(4000, () =>
  console.log(`🚀 Server ready at http://localhost:4000${server.graphqlPath}`)
);

and in your keycloak.json file with the following structure (for bearer-only client):

{
  "realm": "yourrealm",
  "bearer-only": true,
  "auth-server-url": "http://yourkeycloakip/auth",
  "ssl-required": "none",
  "resource": "your-resource",
  "verify-token-audience": true,
  "use-resource-role-mappings": true,
  "confidential-port": 0,
  "credentials": {
    "secret": "your-keycloak-client-secret"
  }
}

in your playground http://localhost:4000/graphql use this to query the book (note that i used @auth in query books)

{
  books {
    title
  }
}

it should give "User not Authenticated"

[wtrocki]

You are missing middleware/protect method from keycloak. Without that context will not have Auth data. please check readme or sample apps.

[wtrocki]

See https://github.com/aerogear/keycloak-connect-graphql/blob/master/examples/lib/common.js

[abelncm]

Hi, I applied the following modifications, but still I'm getting "User not authenticated". (I removed credentials.secret in keycloak.json since it's in the code)

const fs = require('fs');
const path = require('path');
const express = require("express");
const session = require('express-session');

const { ApolloServer, gql } = require('apollo-server-express');

const Keycloak = require('keycloak-connect');

const { KeycloakContext, KeycloakTypeDefs, KeycloakSchemaDirectives } = require('keycloak-connect-graphql');

// A schema is a collection of type definitions (hence "typeDefs")
// that together define the "shape" of queries that are executed against
// your data.
const typeDefs = gql`
  # Comments in GraphQL strings (such as this one) start with the hash (#) symbol.

  # This "Book" type defines the queryable fields for every book in our data source.
  type Book {
    title: String
    author: String
  }

  # The "Query" type is special: it lists all of the available queries that
  # clients can execute, along with the return type for each. In this
  # case, the "books" query returns an array of zero or more Books (defined above).
  type Query {
    books: [Book] @auth
  }
`;

const books = [
  {
    title: 'Harry Potter and the Chamber of Secrets',
    author: 'J.K. Rowling',
  },
  {
    title: 'Jurassic Park',
    author: 'Michael Crichton',
  },
];

// Resolvers define the technique for fetching the types defined in the
// schema. This resolver retrieves books from the "books" array above.
const resolvers = {
  Query: {
    books: () => books,
  },
};

const app = express();

const keycloakConfig = JSON.parse(fs.readFileSync(path.resolve(__dirname, 'keycloak.json')));
const memoryStore = new session.MemoryStore();

  app.use(session({
    secret: process.env.SESSION_SECRET_STRING || 'my-keycloak-secret-added-here',
    resave: false,
    saveUninitialized: true,
    store: memoryStore
  }));

const keycloak = new Keycloak({store: memoryStore}, keycloakConfig);

// Install general keycloak middleware
app.use(keycloak.middleware({admin: '/graphql'  }));
app.use('/graphql', keycloak.middleware());

const server = new ApolloServer({
  typeDefs: [KeycloakTypeDefs, typeDefs], // 1. Add the Keycloak Type Defs
  schemaDirectives: KeycloakSchemaDirectives, // 2. Add the KeycloakSchemaDirectives
  resolvers,
  context: ({ req }) => {
    return {
      kauth: new KeycloakContext({ req }) // 3. add the KeycloakContext to `kauth`
    }
  }
});

server.applyMiddleware({ app });

app.listen(4000, () =>
  console.log(`🚀 Server ready at http://localhost:4000${server.graphqlPath}`)
);

[davidschrooten]

Having similar problem, after keycloak in kubernetes crashed and restoring a backup in a newer keycloak I suddenly am having same problem. Middleware are all properly defined.

[abelncm]

Actually it's all working good. Only thing is you have to use a public client from keycloak and all is good.

[wtrocki]

@davidq2q Let's create separate issue

[proftom]

Actually it's all working good. Only thing is you have to use a public client from keycloak and all is good.

what do you mean "use a public client from keycloak"?

[proftom]

The access token will not be available in the context method - it will be available in resolvers like demoed in the example applications. The context method is used to create object and it is not used to authenticate or have info about user.

It might happen that request is missing access token. This usually happens when we forget to add keycloak middleware/protect graphql route.

@wtrocki are you saying that context.kauth.accessToken should not contain the Bearer access token? What is the point of context.kauth.accessToken, when and how sets it?

[wtrocki]

what do you mean "use a public client from keycloak"?

Keycloak have two client types. Bearer and Public. Bearer client is used only for backends to check token - it doesn't provide login logic/session etc.

are you saying that context.kauth.accessToken should not contain the Bearer access token?

That would be part of the keycloak node.js library logic. All we do here is export this logic to graphql layer.