KeyCloak
Feature/OIDC support
✅ PKCE
✅ Nonce
❌ State
✅ Access Token validation
❌ ID Token validation
Introduction
KeyCloak is an open-source identity and access management solution that provides features like single sign-on (SSO), social login, and user management, making it a popular choice for securing applications. This provider has tested defaults for KeyCloak to offer seamless OpenID Connect (OIDC) authentication with minimal necessary configuration.
Example Configurations
Minimal
keycloak: {
audience: 'account',
baseUrl: '',
clientId: '',
clientSecret: '',
redirectUri: 'http://localhost:3000/auth/keycloak/callback',
},
Use logout url
The to redirect to a specific url after logout, use the logoutRedirectUri
configuration.
You have to specifically allow a redirect uri, if you want your application to redirect to there after logout:

keycloak: {
audience: 'account',
baseUrl: '',
clientId: '',
clientSecret: '',
redirectUri: 'http://localhost:3000/auth/keycloak/callback',
userNameClaim: 'preferred_username',
logoutRedirectUri: 'http://localhost:3000', // Target of your post logout redirection
},
By default, the following settings are already set internall, but can be overwritten, if needed
logoutUrl
:protocol/openid-connect/logout
,logoutRedirectParameterName
:post_logout_redirect_uri
,
Environment variables
Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=CLIENT_SECRET
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID=CLIENT_ID
NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL=http://localhost:8080/realms/nuxt-oidc-test
Provider specific parameters
Additional parameters to be used in additionalAuthParameters, additionalTokenParameters or additionalLogoutParameters:
Option | Type | Default | Description |
---|---|---|---|
realm | string | - | Optional. This parameter allows to slightly customize the login flow on the KeyCloak server side. For example, enforce displaying the login screen in case of value login. |
realm | string | - | Optional. Used to pre-fill the username/email field on the login form. |
realm | string | - | Optional. Used to tell KeyCloak to skip showing the login page and automatically redirect to the specified identity provider instead. |
realm | string | - | Optional. Sets the 'ui_locales' query param. |
For more information on these parameters, check the KeyCloak documentation.
For KeyCloak you have to provide at least the baseUrl
, clientId
and clientSecret
properties. The baseUrl
is used to dynamically create the authorizationUrl
, tokenUrl
, logoutUrl
and userInfoUrl
.
Please include the realm you want to use in the baseUrl
(e.g. https://<keycloak-url>/realms/<realm>
).
If you don't want to use the post logout redirect feature of key cloak, set logoutUrl
to undefined
or ''
.
Also remember to enable Client authentication
to be able to get a client secret.