├── .env.example ├── .eslintrc.json ├── .gitignore ├── README.md ├── docker-compose.yaml ├── next.config.js ├── package-lock.json ├── package.json ├── postcss.config.js ├── public ├── next.svg └── vercel.svg ├── src ├── app │ ├── Providers.tsx │ ├── api │ │ └── auth │ │ │ ├── [...nextauth] │ │ │ └── route.ts │ │ │ └── federated-logout │ │ │ └── route.ts │ ├── auth │ │ ├── signin │ │ │ └── page.tsx │ │ └── signout │ │ │ └── page.tsx │ ├── favicon.ico │ ├── globals.css │ ├── layout.tsx │ ├── page.tsx │ ├── private │ │ └── page.tsx │ └── public │ │ └── page.tsx ├── components │ ├── Login.tsx │ ├── Logout.tsx │ └── SessionGuard.tsx ├── middleware.ts └── utils │ ├── federatedLogout.ts │ └── time.ts ├── tailwind.config.js ├── tsconfig.json └── types ├── next-auth.d.ts └── node-env.d.ts /.env.example: -------------------------------------------------------------------------------- 1 | KEYCLOAK_CLIENT_ID="nextjs" 2 | KEYCLOAK_CLIENT_SECRET="" 3 | KEYCLOAK_ISSUER="http://localhost:8080/realms/" 4 | NEXTAUTH_URL="http://localhost:3000" 5 | NEXTAUTH_SECRET="random secret" -------------------------------------------------------------------------------- /.eslintrc.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": "next/core-web-vitals" 3 | } 4 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # See https://help.github.com/articles/ignoring-files/ for more about ignoring files. 2 | 3 | # dependencies 4 | /node_modules 5 | /.pnp 6 | .pnp.js 7 | 8 | # testing 9 | /coverage 10 | 11 | # next.js 12 | /.next/ 13 | /out/ 14 | 15 | # production 16 | /build 17 | 18 | # misc 19 | .DS_Store 20 | *.pem 21 | 22 | # debug 23 | npm-debug.log* 24 | yarn-debug.log* 25 | yarn-error.log* 26 | 27 | # local env files 28 | .env*.local 29 | 30 | # vercel 31 | .vercel 32 | 33 | # typescript 34 | *.tsbuildinfo 35 | next-env.d.ts 36 | 37 | # postgres data 38 | postgres_db -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Blog 2 | This repository is a part of a blog which explains how to use keycloak as a authentication broker for a NextJS v13 application. Please go through this [blog](https://medium.com/@harshbhandariv/secure-nextjs-v13-application-with-keycloak-6f68406bb3b5) 3 | 4 | 5 | ## Getting Started 6 | 7 | ### Run keycloak with a postgres database 8 | ```bash 9 | docker compose up -d 10 | ``` 11 | > Please note that the above method cannot be used for production. 12 | 13 | ### Run the development server 14 | 15 | ```bash 16 | NODE_OPTIONS='--dns-result-order=ipv4first' npm run dev 17 | ``` 18 | 19 | ### To build the project 20 | ```bash 21 | npm run build 22 | ``` 23 | 24 | Open [http://localhost:3000](http://localhost:3000) with your browser to see the result. 25 | 26 | ### To start the nextjs server(production mode) 27 | ```bash 28 | NODE_OPTIONS='--dns-result-order=ipv4first' npm start 29 | ``` 30 | > Make sure to setup the environment variables. 31 | -------------------------------------------------------------------------------- /docker-compose.yaml: -------------------------------------------------------------------------------- 1 | version: "3.9" 2 | services: 3 | postgres: 4 | image: postgres:15.4 5 | volumes: 6 | - ./postgres_db:/var/lib/postgresql/data 7 | environment: 8 | POSTGRES_PASSWORD: postgres 9 | POSTGRES_DB: keycloak 10 | ports: 11 | - 5432:5432 12 | keycloak: 13 | depends_on: 14 | - postgres 15 | image: quay.io/keycloak/keycloak:22.0.4 16 | environment: 17 | KEYCLOAK_ADMIN: admin 18 | KEYCLOAK_ADMIN_PASSWORD: admin 19 | KC_DB: postgres 20 | KC_DB_URL_HOST: postgres 21 | KC_DB_URL_PORT: 5432 22 | KC_DB_USERNAME: postgres 23 | KC_DB_PASSWORD: postgres 24 | command: start-dev 25 | ports: 26 | - 8080:8080 27 | -------------------------------------------------------------------------------- /next.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('next').NextConfig} */ 2 | const nextConfig = {} 3 | 4 | module.exports = nextConfig 5 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "nextjs-keycloak", 3 | "version": "0.1.0", 4 | "private": true, 5 | "scripts": { 6 | "dev": "next dev", 7 | "build": "next build", 8 | "start": "next start", 9 | "lint": "next lint" 10 | }, 11 | "dependencies": { 12 | "@types/node": "20.8.7", 13 | "@types/react": "18.2.31", 14 | "@types/react-dom": "18.2.14", 15 | "autoprefixer": "10.4.16", 16 | "eslint": "8.52.0", 17 | "eslint-config-next": "13.5.6", 18 | "next": "13.5.6", 19 | "next-auth": "^4.24.3", 20 | "postcss": "8.4.31", 21 | "react": "18.2.0", 22 | "react-dom": "18.2.0", 23 | "tailwindcss": "3.3.3", 24 | "typescript": "5.2.2" 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /postcss.config.js: -------------------------------------------------------------------------------- 1 | module.exports = { 2 | plugins: { 3 | tailwindcss: {}, 4 | autoprefixer: {}, 5 | }, 6 | } 7 | -------------------------------------------------------------------------------- /public/next.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /public/vercel.svg: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/app/Providers.tsx: -------------------------------------------------------------------------------- 1 | 'use client' 2 | 3 | import { SessionProvider } from "next-auth/react" 4 | import { ReactNode } from "react" 5 | import { minutesInSeconds } from "../utils/time" 6 | 7 | export function Providers({ children }: { children: ReactNode }) { 8 | return ( 9 | 10 | {children} 11 | 12 | ) 13 | } 14 | -------------------------------------------------------------------------------- /src/app/api/auth/[...nextauth]/route.ts: -------------------------------------------------------------------------------- 1 | import { AuthOptions, TokenSet } from "next-auth"; 2 | import { JWT } from "next-auth/jwt"; 3 | import NextAuth from "next-auth/next"; 4 | import KeycloakProvider from "next-auth/providers/keycloak" 5 | 6 | function requestRefreshOfAccessToken(token: JWT) { 7 | return fetch(`${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/token`, { 8 | headers: { "Content-Type": "application/x-www-form-urlencoded" }, 9 | body: new URLSearchParams({ 10 | client_id: process.env.KEYCLOAK_CLIENT_ID, 11 | client_secret: process.env.KEYCLOAK_CLIENT_SECRET, 12 | grant_type: "refresh_token", 13 | refresh_token: token.refreshToken!, 14 | }), 15 | method: "POST", 16 | cache: "no-store" 17 | }); 18 | } 19 | 20 | export const authOptions: AuthOptions = { 21 | providers: [ 22 | KeycloakProvider({ 23 | clientId: process.env.KEYCLOAK_CLIENT_ID, 24 | clientSecret: process.env.KEYCLOAK_CLIENT_SECRET, 25 | issuer: process.env.KEYCLOAK_ISSUER 26 | }) 27 | ], 28 | pages: { 29 | signIn: '/auth/signin', 30 | signOut: '/auth/signout', 31 | }, 32 | session: { 33 | strategy: "jwt", 34 | maxAge: 60 * 30 35 | }, 36 | callbacks: { 37 | async jwt({ token, account }) { 38 | if (account) { 39 | token.idToken = account.id_token 40 | token.accessToken = account.access_token 41 | token.refreshToken = account.refresh_token 42 | token.expiresAt = account.expires_at 43 | return token 44 | } 45 | if (Date.now() < (token.expiresAt! * 1000 - 60 * 1000)) { 46 | return token 47 | } else { 48 | try { 49 | const response = await requestRefreshOfAccessToken(token) 50 | 51 | const tokens: TokenSet = await response.json() 52 | 53 | if (!response.ok) throw tokens 54 | 55 | const updatedToken: JWT = { 56 | ...token, // Keep the previous token properties 57 | idToken: tokens.id_token, 58 | accessToken: tokens.access_token, 59 | expiresAt: Math.floor(Date.now() / 1000 + (tokens.expires_in as number)), 60 | refreshToken: tokens.refresh_token ?? token.refreshToken, 61 | } 62 | return updatedToken 63 | } catch (error) { 64 | console.error("Error refreshing access token", error) 65 | return { ...token, error: "RefreshAccessTokenError" } 66 | } 67 | } 68 | }, 69 | async session({ session, token }) { 70 | session.accessToken = token.accessToken 71 | session.error = token.error 72 | return session 73 | } 74 | } 75 | } 76 | 77 | const handler = NextAuth(authOptions); 78 | 79 | export { handler as GET, handler as POST } 80 | -------------------------------------------------------------------------------- /src/app/api/auth/federated-logout/route.ts: -------------------------------------------------------------------------------- 1 | import { JWT, getToken } from 'next-auth/jwt' 2 | import { NextRequest, NextResponse } from 'next/server' 3 | 4 | function logoutParams(token: JWT): Record { 5 | return { 6 | id_token_hint: token.idToken as string, 7 | post_logout_redirect_uri: process.env.NEXTAUTH_URL, 8 | }; 9 | } 10 | 11 | function handleEmptyToken() { 12 | const response = { error: "No session present" }; 13 | const responseHeaders = { status: 400 }; 14 | return NextResponse.json(response, responseHeaders); 15 | } 16 | 17 | function sendEndSessionEndpointToURL(token: JWT) { 18 | const endSessionEndPoint = new URL( 19 | `${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/logout` 20 | ); 21 | const params: Record = logoutParams(token); 22 | const endSessionParams = new URLSearchParams(params); 23 | const response = { url: `${endSessionEndPoint.href}/?${endSessionParams}` }; 24 | return NextResponse.json(response); 25 | } 26 | 27 | export async function GET(req: NextRequest) { 28 | try { 29 | const token = await getToken({ req }) 30 | if (token) { 31 | return sendEndSessionEndpointToURL(token); 32 | } 33 | return handleEmptyToken(); 34 | } catch (error) { 35 | console.error(error); 36 | const response = { 37 | error: "Unable to logout from the session", 38 | }; 39 | const responseHeaders = { 40 | status: 500, 41 | }; 42 | return NextResponse.json(response, responseHeaders); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /src/app/auth/signin/page.tsx: -------------------------------------------------------------------------------- 1 | import { authOptions } from "@/app/api/auth/[...nextauth]/route"; 2 | import Login from "@/components/Login"; 3 | import { getServerSession } from "next-auth"; 4 | import { redirect, useParams } from "next/navigation"; 5 | 6 | const signinErrors: Record = { 7 | default: "Unable to sign in.", 8 | signin: "Try signing in with a different account.", 9 | oauthsignin: "Try signing in with a different account.", 10 | oauthcallbackerror: "Try signing in with a different account.", 11 | oauthcreateaccount: "Try signing in with a different account.", 12 | emailcreateaccount: "Try signing in with a different account.", 13 | callback: "Try signing in with a different account.", 14 | oauthaccountnotlinked: 15 | "To confirm your identity, sign in with the same account you used originally.", 16 | sessionrequired: "Please sign in to access this page.", 17 | } 18 | 19 | interface SignInPageProp { 20 | params: object 21 | searchParams: { 22 | callbackUrl: string 23 | error: string 24 | } 25 | } 26 | 27 | export default async function Signin({ searchParams: { callbackUrl, error } }: SignInPageProp) { 28 | const session = await getServerSession(authOptions); 29 | if (session) { 30 | redirect(callbackUrl || "/") 31 | } 32 | return ( 33 |
34 | {error &&
35 | {signinErrors[error.toLowerCase()]} 36 |
} 37 | 38 |
39 | ) 40 | } 41 | -------------------------------------------------------------------------------- /src/app/auth/signout/page.tsx: -------------------------------------------------------------------------------- 1 | import { authOptions } from "@/app/api/auth/[...nextauth]/route"; 2 | import Logout from "@/components/Logout"; 3 | import { getServerSession } from "next-auth"; 4 | import { redirect } from "next/navigation"; 5 | 6 | export default async function SignoutPage() { 7 | const session = await getServerSession(authOptions); 8 | if (session) { 9 | return ( 10 |
11 |
Signout
12 |
Are you sure you want to sign out?
13 |
14 | 15 |
16 |
17 | ) 18 | } 19 | return redirect("/api/auth/signin") 20 | } 21 | -------------------------------------------------------------------------------- /src/app/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/harshbhandarivs/nextjs-keycloak/81e4e5c128282b05efabe47d10906e995384ad6f/src/app/favicon.ico -------------------------------------------------------------------------------- /src/app/globals.css: -------------------------------------------------------------------------------- 1 | @tailwind base; 2 | @tailwind components; 3 | @tailwind utilities; 4 | 5 | :root { 6 | --foreground-rgb: 0, 0, 0; 7 | --background-start-rgb: 214, 219, 220; 8 | --background-end-rgb: 255, 255, 255; 9 | } 10 | 11 | @media (prefers-color-scheme: dark) { 12 | :root { 13 | --foreground-rgb: 255, 255, 255; 14 | --background-start-rgb: 0, 0, 0; 15 | --background-end-rgb: 0, 0, 0; 16 | } 17 | } 18 | 19 | body { 20 | color: rgb(var(--foreground-rgb)); 21 | background: linear-gradient( 22 | to bottom, 23 | transparent, 24 | rgb(var(--background-end-rgb)) 25 | ) 26 | rgb(var(--background-start-rgb)); 27 | } 28 | -------------------------------------------------------------------------------- /src/app/layout.tsx: -------------------------------------------------------------------------------- 1 | import './globals.css' 2 | import type { Metadata } from 'next' 3 | import { Inter } from 'next/font/google' 4 | import { Providers } from './Providers' 5 | import SessionGuard from '@/components/SessionGuard' 6 | 7 | const inter = Inter({ subsets: ['latin'] }) 8 | 9 | export const metadata: Metadata = { 10 | title: 'Create Next App', 11 | description: 'Generated by create next app', 12 | } 13 | 14 | export default function RootLayout({ 15 | children, 16 | }: { 17 | children: React.ReactNode 18 | }) { 19 | return ( 20 | 21 | 22 | 23 | 24 | {children} 25 | 26 | 27 | 28 | 29 | ) 30 | } 31 | -------------------------------------------------------------------------------- /src/app/page.tsx: -------------------------------------------------------------------------------- 1 | import { getServerSession } from 'next-auth' 2 | import { authOptions } from './api/auth/[...nextauth]/route' 3 | import Login from '../components/Login' 4 | import Logout from '../components/Logout' 5 | 6 | export default async function Home() { 7 | const session = await getServerSession(authOptions) 8 | if (session) { 9 | return
10 |
Your name is {session.user?.name}
11 |
12 | 13 |
14 |
15 | } 16 | return ( 17 |
18 | 19 |
20 | ) 21 | } 22 | -------------------------------------------------------------------------------- /src/app/private/page.tsx: -------------------------------------------------------------------------------- 1 | import { getServerSession } from 'next-auth'; 2 | import Logout from '@/components/Logout'; 3 | import { authOptions } from '@/app/api/auth/[...nextauth]/route'; 4 | 5 | export default async function Private() { 6 | const session = await getServerSession(authOptions) 7 | if (session) { 8 | return
9 |
You are accessing a private page
10 |
Your name is {session.user?.name}
11 |
12 | 13 |
14 |
15 | } 16 | } 17 | -------------------------------------------------------------------------------- /src/app/public/page.tsx: -------------------------------------------------------------------------------- 1 | import { getServerSession } from 'next-auth'; 2 | import { authOptions } from '../api/auth/[...nextauth]/route'; 3 | import Logout from '@/components/Logout'; 4 | import Login from '@/components/Login'; 5 | 6 | export default async function Public() { 7 | const session = await getServerSession(authOptions) 8 | if (session) { 9 | return
10 |
You are accessing a public page
11 |
Your name is {session.user?.name}
12 |
13 | 14 |
15 |
16 | } 17 | return ( 18 |
19 |
You are accessing a public page
20 |
21 | 22 |
23 |
24 | ) 25 | } 26 | -------------------------------------------------------------------------------- /src/components/Login.tsx: -------------------------------------------------------------------------------- 1 | "use client" 2 | import { signIn } from "next-auth/react"; 3 | 4 | export default function Login() { 5 | return 10 | } 11 | -------------------------------------------------------------------------------- /src/components/Logout.tsx: -------------------------------------------------------------------------------- 1 | "use client" 2 | import federatedLogout from "@/utils/federatedLogout"; 3 | 4 | export default function Logout() { 5 | return 10 | } 11 | -------------------------------------------------------------------------------- /src/components/SessionGuard.tsx: -------------------------------------------------------------------------------- 1 | "use client"; 2 | import { signIn, useSession } from "next-auth/react"; 3 | import { ReactNode, useEffect } from "react"; 4 | 5 | export default function SessionGuard({ children }: { children: ReactNode }) { 6 | const { data } = useSession(); 7 | useEffect(() => { 8 | if (data?.error === "RefreshAccessTokenError") { 9 | signIn("keycloak"); 10 | } 11 | }, [data]); 12 | 13 | return <>{children}; 14 | } 15 | -------------------------------------------------------------------------------- /src/middleware.ts: -------------------------------------------------------------------------------- 1 | export { default } from "next-auth/middleware" 2 | 3 | export const config = { 4 | matcher: ["/private"] 5 | } -------------------------------------------------------------------------------- /src/utils/federatedLogout.ts: -------------------------------------------------------------------------------- 1 | import { signOut } from "next-auth/react"; 2 | 3 | export default async function federatedLogout() { 4 | try { 5 | const response = await fetch("/api/auth/federated-logout"); 6 | const data = await response.json(); 7 | if (response.ok) { 8 | await signOut({ redirect: false }); 9 | window.location.href = data.url; 10 | return; 11 | } 12 | throw new Error(data.error); 13 | } catch (error) { 14 | console.log(error) 15 | alert(error); 16 | await signOut({ redirect: false }); 17 | window.location.href = "/"; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /src/utils/time.ts: -------------------------------------------------------------------------------- 1 | export function minutesInSeconds(minute: number): number { 2 | return minute * 60 3 | }; -------------------------------------------------------------------------------- /tailwind.config.js: -------------------------------------------------------------------------------- 1 | /** @type {import('tailwindcss').Config} */ 2 | module.exports = { 3 | content: [ 4 | './src/pages/**/*.{js,ts,jsx,tsx,mdx}', 5 | './src/components/**/*.{js,ts,jsx,tsx,mdx}', 6 | './src/app/**/*.{js,ts,jsx,tsx,mdx}', 7 | ], 8 | theme: { 9 | extend: { 10 | backgroundImage: { 11 | 'gradient-radial': 'radial-gradient(var(--tw-gradient-stops))', 12 | 'gradient-conic': 13 | 'conic-gradient(from 180deg at 50% 50%, var(--tw-gradient-stops))', 14 | }, 15 | }, 16 | }, 17 | plugins: [], 18 | } 19 | -------------------------------------------------------------------------------- /tsconfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "compilerOptions": { 3 | "target": "es5", 4 | "lib": ["dom", "dom.iterable", "esnext"], 5 | "allowJs": true, 6 | "skipLibCheck": true, 7 | "strict": true, 8 | "forceConsistentCasingInFileNames": true, 9 | "noEmit": true, 10 | "esModuleInterop": true, 11 | "module": "esnext", 12 | "moduleResolution": "bundler", 13 | "resolveJsonModule": true, 14 | "isolatedModules": true, 15 | "jsx": "preserve", 16 | "incremental": true, 17 | "plugins": [ 18 | { 19 | "name": "next" 20 | } 21 | ], 22 | "paths": { 23 | "@/*": ["./src/*"] 24 | } 25 | }, 26 | "include": ["next-env.d.ts", "**/*.ts", "**/*.tsx", ".next/types/**/*.ts"], 27 | "exclude": ["node_modules"] 28 | } 29 | -------------------------------------------------------------------------------- /types/next-auth.d.ts: -------------------------------------------------------------------------------- 1 | import NextAuth from "next-auth"; 2 | import { JWT } from "next-auth/jwt" 3 | 4 | declare module "next-auth/jwt" { 5 | interface JWT { 6 | idToken?: string 7 | accessToken?: string 8 | refreshToken?: string 9 | expiresAt?: number 10 | error?: string 11 | } 12 | } 13 | 14 | declare module "next-auth" { 15 | interface Session { 16 | accessToken?: string; 17 | error?: string; 18 | } 19 | } -------------------------------------------------------------------------------- /types/node-env.d.ts: -------------------------------------------------------------------------------- 1 | declare namespace NodeJS { 2 | export interface ProcessEnv { 3 | NEXTAUTH_URL: string 4 | NEXTAUTH_SECRET: string 5 | KEYCLOAK_CLIENT_ID: string 6 | KEYCLOAK_CLIENT_SECRET: string 7 | KEYCLOAK_ISSUER: string 8 | } 9 | } --------------------------------------------------------------------------------