Gathering detailed insights and metrics for passport-keycloak-bearer
Gathering detailed insights and metrics for passport-keycloak-bearer
Installations
npm install passport-keycloak-bearerScore
51.8
Supply Chain
98
Quality
77.8
Maintenance
100
Vulnerability
98.2
License
Releases
Unable to fetch releases
Developer
hgranlund
Developer Guide
BETA
Module System
CommonJS
Min. Node Version
>=10.0.0
Typescript Support
Yes
Node Version
21.6.0
NPM Version
8.15.1
Statistics
31 Stars
95 Commits
5 Forks
2 Watching
2 Branches
5 Contributors
Updated on 04 Oct 2024
Languages
JavaScript (100%)
Total Downloads
Cumulative downloads
Total Downloads
658,434
Last day
-2.8%
1,832
Compared to previous day
Last week
-11.4%
8,762
Compared to previous week
Last month
-1%
40,948
Compared to previous month
Last year
84.5%
336,603
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
Versions
passport-keycloak-bearer
HTTP Bearer authentication strategy for Passport and Keycloak.
This module lets you authenticate HTTP requests using bearer tokens with a Keycloak authority in your Node.js applications. Bearer tokens are typically used protect API endpoints, and are often issued using OAuth 2.0.
By plugging into Passport, bearer token support can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express.
Install
$ npm install passport-keycloak-bearer
Usage
KeycloakBearerStrategy uses Bearer Token protocol to protect web resource/api. It works in the following manner:
User sends a request to the protected web api which contains an access_token in either the authorization header or body. Passport extracts and validates the access_token, and propagates the claims in access_token to the verify callback and let the framework finish the remaining authentication procedure.
On successful authentication, passport adds the user information to req.user and passes it to the next middleware, which is usually the business logic of the web resource/api. In case of error, passport sends back an unauthorized response.
Sample usage
1 import KeycloakBearerStrategy from 'passport-keycloak-bearer' 2 ... 3 // new KeycloakBearerStrategy(options, verify) 4 passport.use(new KeycloakBearerStrategy(({ 5 "realm": "master", 6 "url": "https://keycloak.dev.com/auth" 7 }, (jwtPayload, done) => { 8 const user = doSomethingWithUser(jwtPayload); 9 return done(null, user); 10 }));
The JWT authentication strategy is constructed as follows:
new KeycloakBearerStrategy(options, verify)
Options
-
url(Required)Keycloak auth url. For instance: https://keycloak.dev.org/auth.
-
realm(Required)Your realm.
-
passReqToCallback(Optional - Default: false)Whether you want to use
reqas the first parameter in the verify callback. See section 5.1.1.3 for more details. -
loggingLevel(Optional - Default: 'warn')Logging level. 'debug', 'info', 'warn' or 'error'.
-
customLogger(Optional)Custom logging instance. It must be able to log the following types: 'debug', 'info', 'warn' and 'error'.
-
issuer(Optional)If defined the token issuer (iss) will be verified against this value.
-
audience(Optional)If defined, the token audience (aud) will be verified against this value.
-
algorithms(Optional - Default: ['HS256'])List of strings with the names of the allowed algorithms. For instance, ["HS256", "HS384"].
-
ignoreExpiration(Optional)If true do not validate the expiration of the token.
-
jwtFromRequest(Optional)This value can be set according passport-jwt if this options is not used, passport-keycloak-bearer will obtain jwt from http header Auth as a Bearer token.
-
jsonWebTokenOptions(Optional)passport-keycloak-bearer is verifying the token using jsonwebtoken. Pass here an options object for any other option you can pass the jsonwebtoken verifier. (i.e maxAge)
Verify callback
verify is a function with the parameters verify(jwtPayload, done)
jwtPayloadis an object literal containing the decoded JWT payload.doneis a passport error first callback accepting arguments done(error, user, info)
Authenticate Requests
Use passport.authenticate(), specifying the 'keycloak' strategy, to
authenticate requests. Requests containing bearer verified do not require session support, so the session option can be set to false.
For example, as route middleware in an Express application:
1app.get( 2 '/path', 3 passport.authenticate('keycloak', { session: false }), 4 function(req, res) { 5 res.json(req.user); 6 } 7);
Support
Submit an issue
Contribute
Contribute usage docs
License
Simen Haugerud Granlund © 2018
Credits
- Simen Haugerud Granlund - Author
No vulnerabilities found.
Reason
no binaries found in the repo
Reason
license file detected
Details
- Info: project has a license file: LICENSE:0
- Info: FSF or OSI recognized license: MIT License: LICENSE:0
Reason
3 existing vulnerabilities detected
Details
- Warn: Project is vulnerable to: GHSA-3xgq-45jj-v275
- Warn: Project is vulnerable to: GHSA-fc9h-whq2-v747
- Warn: Project is vulnerable to: GHSA-35jh-r3h4-6jhm
Reason
Found 5/11 approved changesets -- score normalized to 4
Reason
4 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 3
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
branch protection not enabled on development/release branches
Details
- Warn: branch protection not enabled for branch 'master'
Reason
SAST tool is not run on all commits -- score normalized to 0
Details
- Warn: 0 commits out of 24 are checked with a SAST tool
Score
3.6
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More