0 votes
236 views
in Technique by (71.8m points)

node.js - Secured Node.js backend APIs using Keycloak

I'm implementing Node.js backend APIs. Some of them need authentication before access. For that I chose a Keycloak server as the identity server. I used the npm keycloak-connect library to integrate the Node server with the Keycloak server. Now the authentication is working fine.

The problem is when I log out from the Keycloak server by using this API: 'http://localhost:8080/auth/realms/test-realm/protocol/openid-connect/logout'. The Keycloak server says the token is not valid anymore, but when I use the same token to access the Node server it accepts that token as a valid token.

'use strict';

const Keycloak = require('keycloak-connect');
const express = require('express');
const cors = require('cors');
const app = express();

app.use(cors());

// Keycloak adapter configuration: a public client, so no client secret
const keycloakConfig = {
  "realm": "test-realm",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "test-dev-api",
  "public-client": true,
  "confidential-port": 0
};

// No session store is configured (first argument is empty)
const keycloak = new Keycloak({}, keycloakConfig);

// registers the adapter middleware and a logout route at /logout
app.use(keycloak.middleware({ logout: '/logout' }));

// protected route: requires a valid Keycloak token
app.get('/secured-echo', keycloak.protect(), function (req, resp) {
  resp.send("Secured Hello");
});

// unprotected route
app.get('/echo', function (req, resp) {
  console.log(keycloakConfig);
  console.log(keycloak);
  resp.json({ "say": "hello" });
});

app.listen(4000, function () {
  console.log('Listening at port:4000');
});

asked by Padmasankha (translated from SO)


1 Answer

0 votes
by (71.8m points)

Your application uses Express, which maintains its own sessions and synchronizes those with Keycloak tokens. So logging out on Keycloak does not tell Express that you have logged out. Subsequently you can still log in to your application.

In your code you have specified this:

app.use( keycloak.middleware( { logout: '/logout'} ));

which is the URL on your application to log out of your Express application. Use that instead of directly logging out of Keycloak. The Keycloak middleware will then log out in Keycloak. It will be something like

http://localhost:4000/logout
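As an added example (not code from the question, the answer, or keycloak-connect): for API calls that only carry a bearer token and never touch an Express session, the adapter checks the token locally, so a Keycloak-side logout is not seen. The middleware below asks Keycloak's token introspection endpoint (RFC 7662, under the realm URL from the question) whether the token is still active. It assumes a confidential client whose id and secret you supply (placeholders), since the endpoint requires client authentication and the public client test-dev-api cannot call it, and it takes an injectable fetch so it can be exercised offline.

```javascript
'use strict';

// Ask Keycloak's token introspection endpoint (RFC 7662) whether a bearer token
// is still active, so a token revoked by a Keycloak-side logout is rejected even
// though its signature and expiry still check out locally. The endpoint requires
// client authentication, so a public client like test-dev-api cannot call it;
// clientId/clientSecret are supplied by the caller (placeholders in any usage).
const KEYCLOAK_REALM_URL = 'http://localhost:8080/auth/realms/test-realm';

async function introspectToken(token, { clientId, clientSecret, fetchImpl = fetch }) {
  const body = new URLSearchParams({ token, token_type_hint: 'access_token' });
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  const res = await fetchImpl(`${KEYCLOAK_REALM_URL}/protocol/openid-connect/token/introspect`, {
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: body.toString(),
  });
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  const data = await res.json();
  // RFC 7662: "active": false covers revoked, expired and unknown tokens alike.
  return data.active === true;
}

// Express-style middleware: respond 401 unless the bearer token is still active.
// opts = { clientId, clientSecret, fetchImpl }; fetchImpl defaults to global fetch.
function requireActiveToken(opts) {
  return async function (req, res, next) {
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    if (scheme !== 'Bearer' || !token) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    try {
      if (!(await introspectToken(token, opts))) {
        return res.status(401).json({ error: 'token revoked or expired' });
      }
      return next();
    } catch (err) {
      return next(err); // Keycloak unreachable: fail closed via the error handler
    }
  };
}

module.exports = { introspectToken, requireActiveToken };
```

Mount it after keycloak.protect() on the routes that must notice a logout, e.g. app.get('/secured-echo', keycloak.protect(), requireActiveToken(opts), handler); each request then costs one round trip to Keycloak.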
