Provider

KeyCloak

KeyCloak provider documentation

Feature/OIDC support

✅  PKCE
✅  Nonce
❌  State
✅  Access Token validation
❌  ID Token validation

Introduction

KeyCloak is an open-source identity and access management solution that provides features like single sign-on (SSO), social login, and user management, making it a popular choice for securing applications. This provider has tested defaults for KeyCloak to offer seamless OpenID Connect (OIDC) authentication with minimal necessary configuration.

Example Configurations

Never store sensitive values like your client secret in your Nuxt config. Our recommendation is to inject at least client id and client secret via. environment variables.

Minimal

nuxt.config.ts
keycloak: {
  audience: 'account',
  baseUrl: '',
  clientId: '',
  clientSecret: '',
  redirectUri: 'http://localhost:3000/auth/keycloak/callback',
},

Use logout url

The to redirect to a specific url after logout, use the logoutRedirectUri configuration. You have to specifically allow a redirect uri, if you want your application to redirect to there after logout:

KeyCloak logout redirect
KeyCloak logout redirect
nuxt.config.ts
keycloak: {
  audience: 'account',
  baseUrl: '',
  clientId: '',
  clientSecret: '',
  redirectUri: 'http://localhost:3000/auth/keycloak/callback',
  userNameClaim: 'preferred_username',
  logoutRedirectUri: 'http://localhost:3000',  // Target of your post logout redirection
},

By default, the following settings are already set internall, but can be overwritten, if needed

  • logoutUrl: protocol/openid-connect/logout,
  • logoutRedirectParameterName: post_logout_redirect_uri,

Environment variables

Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.

.env
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=CLIENT_SECRET
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID=CLIENT_ID
NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL=http://localhost:8080/realms/nuxt-oidc-test

Provider specific parameters

Additional parameters to be used in additionalAuthParameters, additionalTokenParameters or additionalLogoutParameters:

OptionTypeDefaultDescription
realmstring-Optional. This parameter allows to slightly customize the login flow on the KeyCloak server side. For example, enforce displaying the login screen in case of value login.
realmstring-Optional. Used to pre-fill the username/email field on the login form.
realmstring-Optional. Used to tell KeyCloak to skip showing the login page and automatically redirect to the specified identity provider instead.
realmstring-Optional. Sets the 'ui_locales' query param.

For more information on these parameters, check the KeyCloak documentation.

For KeyCloak you have to provide at least the baseUrl, clientId and clientSecret properties. The baseUrl is used to dynamically create the authorizationUrl, tokenUrl, logoutUrl and userInfoUrl. Please include the realm you want to use in the baseUrl (e.g. https://<keycloak-url>/realms/<realm>). If you don't want to use the post logout redirect feature of key cloak, set logoutUrl to undefined or ''. Also remember to enable Client authentication to be able to get a client secret.


Copyright © 2024