keycloakify / oidc-spa

Openid connect client for Single Page Applications
https://www.oidc-spa.dev
MIT License

Not an actual issue rather than an inquiry #19

Closed itsam closed 1 month ago

itsam commented 5 months ago

Hello, can you please elaborate on or give ideas about your approach to the following concern?

I have a frontend react app using of course oidc-spa and a backend app in node.js using express.js and keycloak-connect to serve my REST API to my frontend react app.

My frontend authenticates to a keycloak client using

clientId: import.meta.env.VITE_OIDC_CLIENT_ID,
issuerUri: import.meta.env.VITE_OIDC_ISSUER,
publicUrl: import.meta.env.BASE_URL,

and gets a bearer token.

The above works because my keycloak client authentication is disabled (otherwise a client secret would be necessary and of course client-secret should be used in front-end apps). This is normal as frontend should only use public clients.

My backend node.js uses the same Keycloak public client (so no client secret is used there either):

const config: KeycloakConfig = {
  realm: `${process.env.KEYCLOAK_REALM}`,
  resource: `${process.env.KEYCLOAK_CLIENT}`,
  "auth-server-url": `${process.env.KEYCLOAK_URL}`,
  "confidential-port": 8443,
  "ssl-required": "external",
  "bearer-only": true,
};

An Express middleware checks whether the bearer token is valid for every request and then serves the REST API.

The above works just fine. What I need, though, is to take advantage of Keycloak's authorization functionality, and to do that I need client authentication to be enabled.

My thought, and this is where I am asking for advice/ideas/suggestions, is:

1) Create a different client (https://www.keycloak.org/docs/23.0.7/authorization_services/#_resource_server_create_client), let's name it my-resource-server, as explained in the Keycloak documentation, and set all roles, permissions, policies, whatever.
2) In my backend app expose an endpoint to allow my frontend to exchange its token (as received from oidc-spa) for a scoped token taken from the backend using my-resource-server, using an access token scoped for a different audience or resource, to finally check permissions for the user.

Are the above steps correct? If yes, then is oidc-spa able to do: a) Bearer token forwarding: so, after obtaining the bearer token from my public Keycloak client, oidc-spa forwards this token in the HTTP request headers to an endpoint of a backend app in order to get a new scoped token back? b) Refresh the token automatically (which it does) but then forward the token to be exchanged for the scoped one?

Thank you in advance and apologies for the long text.

itsam commented 5 months ago

On second thought, do I really need the scoped token to be sent back to the frontend... maybe just for each request, the node.js app exchanges the token, receives the authorization and just informs the frontend whether the request is granted or not... I am really looking forward to learning about your approach on this. Best

itsam commented 5 months ago

On third thought :) reading https://www.keycloak.org/docs/latest/securing_apps/#exchange-vulnerabilities it seems that probably my thinking is not valid, as public clients are not allowed to exchange tokens... So now what? How does the public client get authorization services?

Another idea might be to have my backend node.js create two instances of keycloak-connect: one for the public client (same as the front-end uses) and a second one for the trusted client. But how to check e.g. RBAC? Is it possible for Keycloak to share roles/groups etc. between two clients?

garronej commented 5 months ago

Hey @itsam,

To my understanding 1) would be the way to go.
You would create another Keycloak client for your backend. This other client would use a client secret.

I think this would be a scenario akin to this: https://docs.onyxia.sh/admin-doc/readme/data-s3
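A sketch of how the backend in this thread could use the separate confidential client with Keycloak Authorization Services: added example code, not part of oidc-spa, keycloak-connect or either commenter's project. It assumes a Node 18+ resource server; the issuer URL, the permission string, and the injected `fetchImpl` are assumptions, and `my-resource-server` is the client name proposed above.

```javascript
// Constructed example: the resource server forwards the SPA's bearer token to
// Keycloak's token endpoint with the UMA "uma-ticket" grant and asks for a
// yes/no decision evaluated against the confidential client's policies.
const tokenEndpoint = (issuer) => `${issuer}/protocol/openid-connect/token`;

// Build the authorization request. The user's token is sent unchanged in the
// Authorization header (no token exchange by the public client is needed);
// "audience" names the confidential resource-server client whose policies apply.
function buildDecisionRequest({ issuer, userAccessToken, audience, permissions }) {
  const body = new URLSearchParams();
  body.set("grant_type", "urn:ietf:params:oauth:grant-type:uma-ticket");
  body.set("audience", audience);
  body.set("response_mode", "decision"); // Keycloak answers {"result": true} on grant
  for (const p of permissions) body.append("permission", p); // "Resource#scope"
  return {
    url: tokenEndpoint(issuer),
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${userAccessToken}`,
        "Content-Type": "application/x-www-form-urlencoded",
      },
      body: body.toString(),
    },
  };
}

// Fail closed: only an explicit HTTP 200 with {"result": true} grants access.
// A deny (Keycloak responds with an error status) or a malformed body denies.
function interpretDecision(status, json) {
  return status === 200 && json !== null && json.result === true;
}

// Express-style middleware factory. fetchImpl is injected (assumption) so the
// logic can be exercised offline; in production pass the global fetch.
function requirePermission(opts, fetchImpl) {
  return async (req, res, next) => {
    const m = /^Bearer\s+(\S+)$/.exec(req.headers.authorization || "");
    if (!m) return res.status(401).end(); // no usable bearer token presented
    const { url, init } = buildDecisionRequest({ ...opts, userAccessToken: m[1] });
    const resp = await fetchImpl(url, init);
    const json = await resp.json().catch(() => null);
    if (!interpretDecision(resp.status, json)) return res.status(403).end();
    next();
  };
}
```

The frontend keeps using its public client; only the backend talks to Keycloak on behalf of `my-resource-server`, so no client secret reaches the browser.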

garronej commented 4 months ago

@itsam Hello!

I wanted to let you know that I've added your testimony to the homepage: https://oidc-spa.dev Let me know if you want me to change anything.

Also, I just fixed a bug that occurred when users press the back button on the login page. You might want to update oidc-spa to the latest version.

Best,

itsam commented 4 months ago

@garronej wow! Very good job. I really like the landing page. The testimony is fine. Thanks also for the heads up! I am updating. 🚀 I wish you to skyrocket oidc-spa, and I will try to spread the word as well.

garronej commented 4 months ago

Lovely! Thanks a lot.
I'll still keep it confidential for a little longer to battle-test it a little bit longer, then I will share it on Reddit.

Thanks a lot for the support!