web/versioned_docs/version-0.17/auth/social-auth/keycloak.md
import useBaseUrl from '@docusaurus/useBaseUrl'; import DefaultBehaviour from './_default-behaviour.md'; import OverrideIntro from './_override-intro.md'; import OverrideExampleIntro from './_override-example-intro.md'; import UsingAuthNote from './_using-auth-note.md'; import WaspFileStructureNote from './_wasp-file-structure-note.md'; import GetUserFieldsType from './_getuserfields-type.md'; import ApiReferenceIntro from './_api-reference-intro.md'; import UserSignupFieldsExplainer from '../_user-signup-fields-explainer.md'; import KeycloakData from '../entities/_keycloak-data.md'; import AccessingUserDataNote from '../_accessing-user-data-note.md';
Wasp supports Keycloak Authentication out of the box.
Keycloak is an open-source identity and access management solution for modern applications and services. Keycloak provides both SAML and OpenID protocol solutions. It also has a very flexible and powerful administration UI.
Let's walk through enabling Keycloak authentication, explain some of the default settings, and show how to override them.
Enabling Keycloak Authentication comes down to a series of steps:
User entity.Let's start by properly configuring the Auth object:
app myApp {
wasp: {
version: "{latestWaspVersion}"
},
title: "My App",
auth: {
// 1. Specify the User entity (we'll define it next)
// highlight-next-line
userEntity: User,
methods: {
// 2. Enable Keycloak Auth
// highlight-next-line
keycloak: {}
},
onAuthFailedRedirectTo: "/login"
},
}
userEntity is explained in the social auth overview.
Let's now define the app.auth.userEntity entity in the schema.prisma file:
// 3. Define the user entity
model User {
// highlight-next-line
id Int @id @default(autoincrement())
// Add your own fields below
// ...
}
http://localhost:3001/auth/keycloak/callback for local development.https://my-server-url.com/auth/keycloak/callback.Add these environment variables to the .env.server file at the root of your project (take their values from the previous step):
KEYCLOAK_CLIENT_ID=your-keycloak-client-id
KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
KEYCLOAK_REALM_URL=https://your-keycloak-url.com/realms/master
We assumed in the KEYCLOAK_REALM_URL env variable that you are using the master realm. If you are using a different realm, replace master with your realm name.
Let's define the necessary authentication Routes and Pages.
Add the following code to your main.wasp file:
// ...
route LoginRoute { path: "/login", to: LoginPage }
page LoginPage {
component: import { Login } from "@src/pages/auth"
}
We'll define the React components for these pages in the src/pages/auth.{jsx,tsx} file below.
:::info We are using Tailwind CSS to style the pages. Read more about how to add it here. :::
Let's now create an auth.{jsx,tsx} file in the src/pages.
It should have the following code:
import type { ReactNode } from 'react'
import { LoginForm } from 'wasp/client/auth'
export function Login() {
return (
<Layout>
<LoginForm />
</Layout>
)
}
// A layout component to center the content
export function Layout({ children }: { children: ReactNode }) {
return (
<div className="h-full w-full bg-white">
<div className="flex min-h-[75vh] min-w-full items-center justify-center">
<div className="h-full w-full max-w-sm bg-white p-5">
<div>{children}</div>
</div>
</div>
</div>
)
}
:::info Auth UI Our pages use an automatically generated Auth UI component. Read more about Auth UI components here. :::
Yay, we've successfully set up Keycloak Auth!
Running wasp db migrate-dev and wasp start should now give you a working app with authentication.
To see how to protect specific pages (i.e., hide them from non-authenticated users), read the docs on using auth.
Add keycloak: {} to the auth.methods dictionary to use it with default settings:
app myApp {
wasp: {
version: "{latestWaspVersion}"
},
title: "My App",
auth: {
userEntity: User,
methods: {
// highlight-next-line
keycloak: {}
},
onAuthFailedRedirectTo: "/login"
},
}
We are using Keycloak's API and its /userinfo endpoint to fetch the user's data.
{
sub: '5adba8fc-3ea6-445a-a379-13f0bb0b6969',
email_verified: true,
name: 'Test User',
preferred_username: 'test',
given_name: 'Test',
family_name: 'User',
email: '[email protected]'
}
The fields you receive will depend on the scopes you requested. The default scope is set to profile only. If you want to get the user's email, you need to specify the email scope in the configFn function.
app myApp {
wasp: {
version: "{latestWaspVersion}"
},
title: "My App",
auth: {
userEntity: User,
methods: {
keycloak: {
// highlight-next-line
configFn: import { getConfig } from "@src/auth/keycloak",
// highlight-next-line
userSignupFields: import { userSignupFields } from "@src/auth/keycloak"
}
},
onAuthFailedRedirectTo: "/login"
},
}
model User {
id Int @id @default(autoincrement())
username String @unique
displayName String
}
// ...
import { defineUserSignupFields } from 'wasp/server/auth'
export const userSignupFields = defineUserSignupFields({
username: () => 'hardcoded-username',
displayName: (data: any) => data.profile.name,
})
export function getConfig() {
return {
scopes: ['profile', 'email'],
}
}
When you receive the user object on the client or the server, you'll be able to access the user's Keycloak ID like this:
app myApp {
wasp: {
version: "{latestWaspVersion}"
},
title: "My App",
auth: {
userEntity: User,
methods: {
keycloak: {
// highlight-next-line
configFn: import { getConfig } from "@src/auth/keycloak",
// highlight-next-line
userSignupFields: import { userSignupFields } from "@src/auth/keycloak"
}
},
onAuthFailedRedirectTo: "/login"
},
}
The keycloak dict has the following properties:
configFn: ExtImportThis function must return an object with the scopes for the OAuth provider.
export function getConfig() {
return {
scopes: ['profile', 'email'],
}
}
userSignupFields: ExtImportRead more about the userSignupFields function here.