Closed (apiel closed this issue 3 years ago)
Could you provide a link to more information regarding this "bearer only mode" of Keycloak? This library implements support for the standard browser-based authorization code flow, hence the use of redirects. I'm not familiar with this mode of Keycloak, but it sounds like a different flow. If that's the case, the functionality may belong in a separate strategy?
https://www.keycloak.org/docs/latest/securing_apps/
bearer-only This should be set to true for services. If enabled the adapter will not attempt to authenticate users, but only verify bearer tokens. This is OPTIONAL. The default value is false.
It validates the token through the Keycloak server, still using OAuth for it. The service itself is not aware of the validation key for the JWT token and needs to make a request to the Keycloak server to validate it.
From an initial read, it seems like it might be more appropriate to use passport-http-bearer rather than this strategy. The token received via that strategy can be validated with Keycloak, and it doesn't involve the redirects of user-based authorization code flows.
Does that work for you?
I am not sure how I can validate my JWT with passport-http-bearer; the documentation is not very clear.
On our service, we are using 2 realms, one for internal API calls and one for external API calls. Both are using Keycloak for authentication. For the external one, we are using passport-oauth2, as the user needs to authenticate with his credentials. For the internal realm, for the moment we are using keycloak-connect and skipping passport, because so far we haven't found a proper solution using passport in bearer-only mode. It would be great to use passport for all our Keycloak implementations instead of different solutions. So far, passport-oauth2 seems to be the closest option to get it working for both.
Hey @jaredhanson, I have the same need as @apiel here. Your passport-oauth2 plugin does a lot of work that we want to leverage, including how it generates a PEMKey and then verifies the incoming token. I know what you are saying when you state that we should maybe look at passport-http-bearer instead of this strategy, but that would require that we verify tokens manually, therefore duplicating a lot of this strategy's magic in the first place.
Would it not be fairly trivial to just have an option to disable the redirection that takes place in this strategy? Because it seems like it would be fairly plug-and-play for us if we were able to do that.
Use case: we have a lot of endpoints that should be accessible whether you are authenticated or not, and they return results that depend on the authenticated user. None of our endpoints should redirect. So it's clear that we need a BearerStrategy, although a good one that comes packaged with token verification out of the box does not exist.
Would love to know your thoughts!
https://github.com/hgranlund/passport-keycloak-bearer is a good example of how you can do it with Keycloak. It still works pretty well with the newest version.
@Inoir — thank you!!! We ended up building something extremely similar. I appreciate you sharing this as it validates what we did quite a bit.
I am using your library to authenticate to Keycloak. When I try to implement the bearer-only mode, I don't find any solution. Bearer-only mode means that the user can check if he is authenticated but not initiate an authentication through the login form. We use this mode on our APIs. When I look at the code of your library, you are calling `self.redirect(location);` (line 285) if the user is not authenticated. It would be great to be able to deactivate this redirect on demand or to be able to overload it. So instead of calling `self.redirect(location);` directly, you would call `self.doRedirect(location);` and then you would have