Keycloak OAuth provider

OAuth integration for Keycloak. Refer to the Keycloak documentation for obtaining the required credentials (client id and client secret). The provider id is `keycloak`.

// Register the Keycloak provider on an existing Lucia `auth` instance.
import { keycloak } from "@lucia-auth/oauth/providers";
import { auth } from "./lucia.js";

// `config` is assumed to be defined elsewhere (domain, realm, clientId, clientSecret,
// optional scope / redirectUri — see keycloak() below). It carries the client secret,
// so this call belongs in server-side code only.
const keycloakAuth = keycloak(auth, config);

keycloak()#

/**
 * Creates the Keycloak OAuth provider for a Lucia `auth` instance.
 *
 * @param auth - Lucia instance.
 * @param config.domain - Keycloak server domain (e.g. 'my.domain.com').
 * @param config.realm - Keycloak realm the client is registered in.
 * @param config.clientId - OAuth client id registered in that realm.
 * @param config.clientSecret - OAuth client secret; server-side only, never ship it to the browser.
 * @param config.scope - Optional list of scopes to request.
 * @param config.redirectUri - Optional authorized redirect URI. NOTE(review): presumably it has to
 *   match a redirect URI registered for the client in Keycloak — confirm.
 * @returns The KeycloakProvider (see KeycloakAuth below).
 */
const keycloak: (
	auth: Auth,
	config: {
		domain: string;
		realm: string;
		clientId: string;
		clientSecret: string;
		scope?: string[];
		redirectUri?: string;
	}
) => KeycloakProvider;
Parameters#
name | type | description | optional
auth | Auth | Lucia instance |
config.domain | string | Keycloak server domain (e.g. 'my.domain.com') |
config.realm | string | Keycloak realm of the client |
config.clientId | string | Keycloak OAuth app client id |
config.clientSecret | string | Keycloak OAuth app client secret |
config.scope | string[] | an array of scopes | true
config.redirectUri | string | an authorized redirect URI | true
Returns#
type | description
KeycloakProvider | Keycloak provider

Interfaces#

KeycloakAuth#

See OAuth2ProviderAuth.

// implements OAuth2ProviderAuth<KeycloakAuth<_Auth>>

/**
 * Provider handle returned by `keycloak()`.
 *
 * - `getAuthorizationUrl` resolves to the URL to redirect the user to and a `state` string.
 *   NOTE(review): presumably the OAuth2 `state` parameter — persist it (e.g. in a cookie) and
 *   compare it with the value returned on the callback before calling `validateCallback`;
 *   confirm against OAuth2ProviderAuth.
 * - `validateCallback` takes the `code` received on the redirect and resolves to the
 *   authenticated user, tokens and roles (see KeycloakUserAuth).
 */
interface KeycloakAuth<_Auth extends Auth> {
	getAuthorizationUrl: () => Promise<readonly [url: URL, state: string]>;
	validateCallback: (code: string) => Promise<KeycloakUserAuth<_Auth>>;
}
Generics#
name | extends | default
_Auth | Auth | Auth

KeycloakTokens#

/**
 * Tokens obtained by `validateCallback`. These are bearer credentials — keep them server-side.
 *
 * NOTE(review): the units of the `*ExpiresIn` and `*Time` fields are not stated on this page —
 * presumably seconds (lifetimes) and epoch seconds (timestamps); confirm before comparing them
 * with `Date.now()`, which is in milliseconds.
 */
type KeycloakTokens = {
	accessToken: string;
	accessTokenExpiresIn: number;
	authTime: number; // presumably mirrors the `auth_time` claim of KeycloakUser
	issuedAtTime: number; // presumably mirrors `iat`
	expirationTime: number; // presumably mirrors `exp`
	refreshToken: string | null; // null when no refresh token was returned — presumably
	refreshTokenExpiresIn: number | null;
};

KeycloakUser#

/**
 * Claims of the Keycloak OIDC ID token, using the standard OIDC claim names.
 *
 * NOTE(review): this page does not show whether the provider verifies the token's signature,
 * `iss`, `aud` and `exp` before exposing these claims — confirm in the provider source before
 * relying on them for anything security-relevant.
 */
type KeycloakUser = {
	exp: number; // expiration time
	iat: number; // issued-at time
	auth_time: number; // time the end user authenticated
	jti: string; // token id
	iss: string; // issuer
	aud: string; // audience (expected to be this client)
	sub: string; // subject — the stable user identifier; prefer this over `email` as the account key
	typ: string; // token type
	azp: string; // authorized party
	session_state: string;
	at_hash: string; // access token hash
	acr: string; // authentication context class reference
	sid: string; // session id
	email_verified: boolean; // only trust `email` for account linking when this is true
	name: string;
	preferred_username: string;
	given_name: string;
	locale: string;
	family_name: string;
	email: string;
	picture: string;
	user: any; // NOTE(review): untyped on this page; narrow before use
};

KeycloakRole#

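/**
 * A single role extracted from the OIDC token.
 *
 * - `role_type`: "realm" for realm-level roles, "resource" for client-level roles.
 * - `client`: the client the role belongs to; null for realm roles.
 * - `role`: the role name.
 */
type KeycloakRole = {
	role_type: "realm" | "resource";

	client: null | string; // null if realm_access

	role: string;
};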

KeycloakUserAuth#

Extends ProviderUserAuth.

/**
 * Result of `validateCallback`: Lucia's ProviderUserAuth plus the Keycloak-specific payload.
 */
interface KeycloakUserAuth<_Auth extends Auth> extends ProviderUserAuth<_Auth> {
	keycloakUser: KeycloakUser; // decoded ID-token claims (see KeycloakUser)
	keycloakTokens: KeycloakTokens; // access/refresh tokens — treat as secrets, keep server-side
	// NOTE(review): `KeycloakRoles` is not declared on this page; the type defined above is
	// `KeycloakRole` — presumably this is `KeycloakRole[]`; confirm against the provider source.
	keycloakRoles: KeycloakRoles;
}
properties | type | description
keycloakUser | KeycloakUser | Keycloak user (decoded ID-token claims)
keycloakTokens | KeycloakTokens | Access and refresh tokens etc.
keycloakRoles | KeycloakRoles | Keycloak roles retrieved from the OIDC token
Generics#
name | extends
_Auth | Auth