{"library":"passport-keycloak-bearer","title":"Passport Keycloak Bearer Strategy","description":"Passport-Keycloak-Bearer is an HTTP Bearer authentication strategy designed for Passport.js, enabling Node.js applications to authenticate requests against a Keycloak identity provider using OAuth 2.0 bearer tokens. This package, currently at version 2.4.1, integrates seamlessly with Connect-style middleware frameworks like Express.js. It focuses on extracting, validating, and propagating JWT claims from access tokens to a `verify` callback, allowing developers to process user information and attach it to `req.user`. While there isn't an explicit release cadence mentioned, the versioning suggests ongoing maintenance. Its key differentiator is the direct integration with Keycloak's token validation, simplifying the setup for Keycloak-backed applications compared to generic JWT strategies that require manual configuration of Keycloak's public keys and issuer metadata.","language":"javascript","status":"active","last_verified":"Wed Apr 22","install":{"commands":["npm install passport-keycloak-bearer"],"cli":null},"imports":["import KeycloakBearerStrategy from 'passport-keycloak-bearer'","import passport from 'passport'","import type { IKeycloakBearerStrategyOptions } from 'passport-keycloak-bearer'"],"auth":{"required":false,"env_vars":[]},"quickstart":{"code":"import express from 'express';\nimport passport from 'passport';\nimport KeycloakBearerStrategy from 'passport-keycloak-bearer';\n\nconst app = express();\n\n// --- IMPORTANT: Replace with your actual Keycloak configuration ---\nconst KEYCLOAK_URL = process.env.KEYCLOAK_AUTH_URL ?? 'https://your-keycloak-instance.com/auth';\nconst KEYCLOAK_REALM = process.env.KEYCLOAK_REALM ?? 'your-realm';\n// ------------------------------------------------------------------\n\npassport.use(new KeycloakBearerStrategy({\n url: KEYCLOAK_URL,\n realm: KEYCLOAK_REALM,\n passReqToCallback: false // Set to true if your verify callback needs the request object\n}, (jwtPayload, done) => {\n // In a real application, you would fetch user details from a DB\n // or create a user object based on the JWT payload (e.g., jwtPayload.sub)\n const user = { id: jwtPayload.sub, username: jwtPayload.preferred_username, roles: jwtPayload.realm_access?.roles };\n \n // Example: only allow users with 'api-user' role\n if (user.roles && user.roles.includes('api-user')) {\n return done(null, user); // User authenticated successfully\n } else {\n return done(null, false, { message: 'User does not have required roles.' }); // Authentication failed\n }\n}));\n\napp.use(passport.initialize());\n\n// A protected route\napp.get('/api/protected', passport.authenticate('keycloak-bearer', { session: false }), (req, res) => {\n // req.user will contain the user object returned from the verify callback\n res.json({ message: 'Access granted!', user: req.user });\n});\n\n// Public route\napp.get('/api/public', (req, res) => {\n res.json({ message: 'This is a public endpoint.' });\n});\n\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n console.log(`Server running on http://localhost:${PORT}`);\n console.log(`Test with curl -H \"Authorization: Bearer \" http://localhost:${PORT}/api/protected`);\n});\n","lang":"typescript","description":"This quickstart demonstrates how to set up an Express application with Passport.js and `passport-keycloak-bearer` to protect an API endpoint. It initializes the strategy with Keycloak URL and realm, defines a `verify` callback to process the JWT payload and attach a user object to `req.user`, and uses `passport.authenticate` middleware to secure a route.","tag":null,"tag_description":null,"last_tested":null,"results":[]},"compatibility":null}