{"id":17129,"library":"keycloak-connect","title":"Keycloak Node.js Connect Adapter","description":"The `keycloak-connect` package provides a Node.js Connect-friendly middleware for integrating applications with Keycloak, an open-source identity and access management solution. It simplifies implementing authentication and authorization using Keycloak for modern applications and services. The current stable version is 26.1.1. However, this package is officially deprecated by the Keycloak project, with plans for removal in the future, and users are advised to seek alternative integration strategies. Key differentiators included its direct integration with the Connect/Express ecosystem, providing session management and protection for routes, but its deprecation signals a shift away from this specific adapter approach in favor of more generic OIDC client libraries. While it offered a streamlined setup for Keycloak, its maintenance and future are uncertain due to the deprecation notice.","status":"deprecated","version":"26.1.1","language":"javascript","source_language":"en","source_url":"https://github.com/keycloak/keycloak-nodejs-connect","tags":["javascript","sso","keycloak","oauth","oauth2.0","authentication","typescript"],"install":[{"cmd":"npm install keycloak-connect","lang":"bash","label":"npm"},{"cmd":"yarn add keycloak-connect","lang":"bash","label":"yarn"},{"cmd":"pnpm add keycloak-connect","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The primary `Keycloak` class is typically imported as a default export, not named. Ensure your `tsconfig.json` or build tool handles default ESM imports correctly, especially if using CommonJS-style imports in a hybrid project.","wrong":"import { Keycloak } from 'keycloak-connect';","symbol":"Keycloak","correct":"import Keycloak from 'keycloak-connect';"},{"note":"The `middleware` method must be invoked to return the actual middleware function. Simply referencing `keycloak.middleware` will not work as expected and lead to runtime errors or incorrect behavior.","wrong":"const Keycloak = require('keycloak-connect');\nconst keycloak = new Keycloak({});\napp.use(keycloak.middleware);","symbol":"Keycloak.middleware","correct":"import Keycloak from 'keycloak-connect';\nconst keycloak = new Keycloak({});\napp.use(keycloak.middleware());"},{"note":"When using TypeScript, it's good practice to import types using `import type` for clarity and to ensure they are stripped during compilation, preventing potential runtime issues with type imports.","symbol":"KeycloakConfig","correct":"import type { KeycloakConfig } from 'keycloak-connect';"}],"quickstart":{"code":"import express from 'express';\nimport session from 'express-session';\nimport Keycloak from 'keycloak-connect';\nimport path from 'path';\n\nconst app = express();\n\n// Session store setup for Keycloak\nconst memoryStore = new session.MemoryStore();\n\napp.use(session({\n  secret: process.env.SESSION_SECRET ?? 'superSecretSessionKey',\n  resave: false,\n  saveUninitialized: true,\n  store: memoryStore\n}));\n\n// Keycloak configuration (replace with your actual Keycloak client details)\n// This example assumes a keycloak.json file is not used and config is inline.\nconst keycloakConfig = {\n  realm: process.env.KEYCLOAK_REALM ?? 'myrealm',\n  'auth-server-url': process.env.KEYCLOAK_AUTH_SERVER_URL ?? 'http://localhost:8080/auth',\n  resource: process.env.KEYCLOAK_CLIENT_ID ?? 'my-express-app',\n  'public-client': true,\n  'ssl-required': 'external',\n  'confidential-port': 0\n};\n\nconst keycloak = new Keycloak({ store: memoryStore }, keycloakConfig);\n\n// Mount Keycloak middleware\napp.use(keycloak.middleware({\n  logout: '/logout',\n  admin: '/admin',\n  protected: '/protected'\n}));\n\n// Define routes\napp.get('/', (req, res) => {\n  res.send('<h1>Public Page</h1><p><a href=\"/protected\">Go to Protected Page</a></p><p><a href=\"/logout\">Logout</a></p>');\n});\n\napp.get('/protected', keycloak.protect(), (req, res) => {\n  res.send(`<h1>Protected Page</h1><p>Welcome, ${req.kauth.grant.access_token.content.preferred_username ?? 'user'}!</p><p><a href=\"/\">Go to Public Page</a></p><p><a href=\"/logout\">Logout</a></p>`);\n});\n\napp.get('/login', keycloak.protect(), (req, res) => {\n  res.send('You should be redirected to Keycloak for login, then back here if successful.');\n});\n\n// Error handling for Keycloak\napp.use((err: any, req: express.Request, res: express.Response, next: express.NextFunction) => {\n  if (err && err.name === 'UnauthorizedError') {\n    return res.status(401).send('Unauthorized');\n  }\n  next(err);\n});\n\nconst PORT = process.env.PORT ?? 3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n  console.log('Ensure Keycloak is running and configured with a client named \\'my-express-app\\'.');\n});","lang":"typescript","description":"This quickstart demonstrates setting up `keycloak-connect` with an Express application, showing how to protect routes, configure session management, and handle basic authentication flows with a Keycloak server. It uses environment variables for sensitive Keycloak configuration."},"warnings":[{"fix":"Begin planning migration to a generic OpenID Connect client library for Node.js (e.g., `openid-client`) and integrate it directly with your application's authentication flow, or explore other Keycloak-maintained solutions if they become available.","message":"The `keycloak-connect` package is officially deprecated by the Keycloak project. It will be removed in the future, and users are strongly advised to migrate to alternative integration methods, likely involving generic OpenID Connect client libraries.","severity":"deprecated","affected_versions":">=26.0.0"},{"fix":"Ensure `express-session` is installed and configured with a persistent `store` option (e.g., `MemoryStore` for development, `connect-mongo`, `connect-redis` for production) and passed to the `Keycloak` constructor: `new Keycloak({ store: sessionStore }, config)`.","message":"Keycloak Connect requires a session store for proper operation, typically `express-session` with a compatible store. Without a properly configured and shared session store, authentication flows (like redirect after login) will fail or users will not maintain their authenticated state.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always consult the specific Keycloak documentation for the version of the server you are using and the corresponding `keycloak-connect` adapter version. Pay close attention to the client registration in Keycloak and its mirroring in your `keycloak-connect` configuration.","message":"Configuration structure and initialization might have subtle changes between major Keycloak versions and corresponding adapter versions. For instance, the expected content of `keycloak.json` or inline configuration objects can vary, especially regarding public vs. confidential clients and SSL settings.","severity":"breaking","affected_versions":">=20.0.0"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Ensure `keycloak.protect()` is invoked as middleware for routes requiring authentication (e.g., `app.get('/protected', keycloak.protect(), (req, res) => { ... })`). Also verify `express-session` and the Keycloak middleware are correctly initialized and ordered before protected routes.","cause":"`keycloak.protect()` middleware was not applied to the route, or the session was not correctly initialized, leading to `req.kauth` being undefined.","error":"TypeError: Cannot read properties of undefined (reading 'grant')"},{"fix":"Initialize `keycloak-connect` with an `express-session` compatible store: `const memoryStore = new session.MemoryStore(); const keycloak = new Keycloak({ store: memoryStore }, keycloakConfig);`","cause":"The `Keycloak` constructor was called without providing a `store` option, or the provided store was invalid.","error":"Error: `keycloak-connect` must be initialized with a session store."},{"fix":"Check your Keycloak client configuration in the Keycloak admin console. Ensure the 'Valid Redirect URIs' for your client includes the exact URL that Keycloak should redirect back to after successful authentication (e.g., `http://localhost:3000/*`). Also, verify the `auth-server-url` in your `keycloak-connect` config is correct.","cause":"The application is redirecting to the Keycloak authentication server, but the redirect might not be working as expected or the client configuration in Keycloak is incorrect (e.g., invalid redirect URIs).","error":"GET /protected 302 -"}],"ecosystem":"npm","meta_description":null}