The latest articles on DEV Community by Tousif (@mrtousif). https://dev.to/mrtousif https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F384967%2Fab44ce2d-ea0e-4d73-b093-116573fd19bc.jpg https://dev.to/mrtousif en Tousif Thu, 07 Dec 2023 17:08:07 +0000 https://dev.to/mrtousif/hasura-and-keycloak-integration-with-nestjs-server-without-using-passportjs-4kjh https://dev.to/mrtousif/hasura-and-keycloak-integration-with-nestjs-server-without-using-passportjs-4kjh <p><a href="https://hasura.io/" rel="noopener noreferrer">Hasura</a> is an open-source real-time GraphQL API server with a strong authorization layer on your database. You can subscribe to database events via webhooks. It can combine multiple API servers into one unified graphQL API. Hasura is a great tool to build any CRUD GraphQL API. Hasura does not have any authentication mechanisms; e.g., you need an auth server to handle sign-up and sign-in.</p> <p><a href="https://www.keycloak.org/" rel="noopener noreferrer">Keycloak</a> is an OpenID-compliant auth server.</p> <p>Hasura will validate the JWT token passed in header. The JWT token will have necessary information to handle the authorization in Hasura. Hasura can’t perform the OAuth flow. For that we’ll need an app server to handle it. App server will initiate the Sign-up or sign-in process and pass the auth tokens to client. Client app will need to send the access token in header to Hasura to get access to the protected data.</p> <p>In this tutorial, we’ll learn how to integrate Hasura and Keycloak with RBAC.</p> <p>The code is available on Github</p> <p><a href="https://github.com/mrtousif/hasura-keycloak-nx" rel="noopener noreferrer">GitHub - hasura-keycloak-nx</a></p> <h2> Setup </h2> <p>Let’s create a docker compose yaml file and paste the following code. You can also clone the repo, which contains all the code you need.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1">#docker-compose.yml</span> <span class="na">version</span><span class="pi">:</span> <span class="s1">'</span><span class="s">3'</span> <span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres_data</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">local</span> <span class="na">services</span><span class="pi">:</span> <span class="na">postgres</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:15-alpine</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres_data:/var/lib/postgresql/data</span> <span class="pi">-</span> <span class="s">./init/db:/docker-entrypoint-initdb.d/</span> <span class="na">command</span><span class="pi">:</span> <span class="s">postgres -c wal_level=logical</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">5433:5432'</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">${POSTGRES_DB}</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">${POSTGRES_USER}</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">${POSTGRES_PASSWORD}</span> <span class="na">hasura</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">hasura</span> <span class="na">image</span><span class="pi">:</span> <span class="s">hasura/graphql-engine:v2.29.0</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="c1"># - keycloak</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">6080:8080'</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./hasura/metadata:/hasura-metadata</span> <span class="na">environment</span><span class="pi">:</span> <span class="c1">## postgres database to store Hasura metadata</span> <span class="na">HASURA_GRAPHQL_METADATA_DATABASE_URL</span><span class="pi">:</span> <span class="s">postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/hasura_metadata</span> <span class="na">HASURA_GRAPHQL_DATABASE_URL</span><span class="pi">:</span> <span class="s">postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}</span> <span class="na">HASURA_GRAPHQL_LOG_LEVEL</span><span class="pi">:</span> <span class="s">warn</span> <span class="c1">## enable the console served by server</span> <span class="na">HASURA_GRAPHQL_ENABLE_CONSOLE</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="c1"># set to "false" to disable console</span> <span class="c1">## enable debugging mode. It is recommended to disable this in production</span> <span class="na">HASURA_GRAPHQL_DEV_MODE</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">HASURA_GRAPHQL_ENABLED_LOG_TYPES</span><span class="pi">:</span> <span class="s">startup, http-log, webhook-log, websocket-log, query-log</span> <span class="c1">## enable jwt secret when keycloak realm is ready</span> <span class="c1"># HASURA_GRAPHQL_JWT_SECRET: '{ "type": "RS256", "jwk_url": "http://keycloak:8080/realms/development/protocol/openid-connect/certs" }'</span> <span class="na">HASURA_GRAPHQL_ADMIN_SECRET</span><span class="pi">:</span> <span class="s">${HASURA_GRAPHQL_ADMIN_SECRET}</span> <span class="na">HASURA_GRAPHQL_UNAUTHORIZED_ROLE</span><span class="pi">:</span> <span class="s">anonymous</span> <span class="na">HASURA_GRAPHQL_ENABLE_REMOTE_SCHEMA_PERMISSIONS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">HASURA_GRAPHQL_MIGRATIONS_SERVER_TIMEOUT</span><span class="pi">:</span> <span class="m">30</span> <span class="c1"># To view tables in Postgres</span> <span class="c1"># pgweb:</span> <span class="c1"># container_name: pgweb</span> <span class="c1"># image: sosedoff/pgweb:latest</span> <span class="c1"># restart: unless-stopped</span> <span class="c1"># ports:</span> <span class="c1"># - '8081:8081'</span> <span class="c1"># environment:</span> <span class="c1"># - DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}?sslmode=disable</span> <span class="c1"># depends_on:</span> <span class="c1"># - postgres</span> <span class="na">keycloak</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">keycloak</span> <span class="na">image</span><span class="pi">:</span> <span class="s">quay.io/keycloak/keycloak:22.0.5</span> <span class="na">command</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">start-dev'</span><span class="pi">]</span> <span class="c1"># Uncomment following if you want to import realm configuration on start up</span> <span class="c1"># command: ['start-dev', '--import-realm']</span> <span class="na">environment</span><span class="pi">:</span> <span class="c1">## https://www.keycloak.org/server/all-config</span> <span class="na">KEYCLOAK_ADMIN</span><span class="pi">:</span> <span class="s">admin</span> <span class="na">KEYCLOAK_ADMIN_PASSWORD</span><span class="pi">:</span> <span class="s">password123</span> <span class="na">KC_DB</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">KC_DB_PASSWORD</span><span class="pi">:</span> <span class="s">postgres_pass</span> <span class="na">KC_DB_USERNAME</span><span class="pi">:</span> <span class="s">postgres</span> <span class="na">KC_DB_SCHEMA</span><span class="pi">:</span> <span class="s">public</span> <span class="na">KC_DB_URL</span><span class="pi">:</span> <span class="s">jdbc:postgresql://postgres:5432/keycloak_db</span> <span class="na">KC_HOSTNAME</span><span class="pi">:</span> <span class="s">localhost</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">8090:8080</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres</span> <span class="c1"># Uncomment following if you want to import realm configuration on start up</span> <span class="c1"># volumes:</span> <span class="c1"># - ./realm-export.json:/opt/keycloak/data/import/realm.json:ro</span> </code></pre> </div> <p>Let’s create an env file<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># .env.local</span> <span class="s">POSTGRES_USER=postgres</span> <span class="s">POSTGRES_PASSWORD=postgres_pass</span> <span class="s">POSTGRES_DB=my_app_db</span> <span class="s">HASURA_GRAPHQL_ADMIN_SECRET=secret</span> </code></pre> </div> <p>Let's create a SQL file for the initial Postgres configuration.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight sql"><code><span class="c1">-- init/db/00-setup.sql</span> <span class="c1">-- Creating user and database for Hasura metadata</span> <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">hasura</span> <span class="k">WITH</span> <span class="n">PASSWORD</span> <span class="s1">'postgres'</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">hasura_metadata</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">PRIVILEGES</span> <span class="k">ON</span> <span class="k">DATABASE</span> <span class="n">hasura_metadata</span> <span class="k">TO</span> <span class="n">hasura</span><span class="p">;</span> <span class="c1">-- Creating user and database for Keycloak</span> <span class="k">CREATE</span> <span class="k">USER</span> <span class="n">keycloak</span> <span class="k">WITH</span> <span class="n">PASSWORD</span> <span class="s1">'password'</span><span class="p">;</span> <span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">keycloak_db</span><span class="p">;</span> <span class="k">GRANT</span> <span class="k">ALL</span> <span class="k">PRIVILEGES</span> <span class="k">ON</span> <span class="k">DATABASE</span> <span class="n">keycloak_db</span> <span class="k">TO</span> <span class="n">keycloak</span><span class="p">;</span> </code></pre> </div> <p>Lets start up the containers by running<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker-compose <span class="nt">--env-file</span> ./.env.development up </code></pre> </div> <p>It will take some time for the initial start up</p> <h3> Setup Hasura client in Keycloak </h3> <p>Open up the Keycloak admin console at <a href="http://localhost:8090" rel="noopener noreferrer">localhost:8090</a></p> <p>Admin credential: admin / password123</p> <p>Create a realm. Let’s name it <code>development</code>. You should not use the <code>master</code> realm, which is for managing Keycloak itself. Once you’ve created a realm, let’s set up hasura client in Keycloak.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jpf7lwm8n58zcis6rjy.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5jpf7lwm8n58zcis6rjy.png" alt="01"></a></p> <p>Navigate to the <strong>Clients</strong> page and click on <strong>Create client.</strong></p> <p>Enter the client name (e.g. hasura ) in <strong>Client ID</strong> field and click next</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkexowqczr2crbyjyyxh8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fkexowqczr2crbyjyyxh8.png" alt="02"></a></p> <p>On the next page, enable <strong>Client authentication</strong> and click <strong>Next</strong>. You can also choose to enable implicit flow for easier authentication handling. You can modify this later</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fub8678563fmigs8jtk5c.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fub8678563fmigs8jtk5c.png" alt="03"></a></p> <p>Provide a valid redirect URI and a post-logout URI and <strong>Save</strong>. I’ve entered the URL of our NestJS app running on <a href="http://localhost:7000" rel="noopener noreferrer">localhost:7000</a>.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjd6xfpbonhrvojlgkkm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fcjd6xfpbonhrvojlgkkm.png" alt="04"></a></p> <h3> User Roles in Keycloak </h3> <p>Keycloak has two type of roles:</p> <ul> <li>Realm roles: All the clients share them</li> <li>Client roles: They are available only to the client for whom it was created</li> </ul> <p>In this case, we will create client roles.</p> <p>Navigate to the <strong>Roles</strong> tab of hasura client and click <strong>Create Role</strong> then create two roles: <code>user</code> and <code>admin</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslmy6ai32mvur2d52wqj.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fslmy6ai32mvur2d52wqj.png" alt="05"></a></p> <p><strong><em>Create Mappers for Hasura JWT Claims</em></strong></p> <p>When Keycloak generates the JWT, the custom claims in the JWT <strong>must contain the following</strong> in a custom <code>https://hasura.io/jwt/claims</code> namespace</p> <ol> <li>A <code>x-hasura-allowed-roles</code> field. A list of allowed roles for the user</li> <li>A <code>x-hasura-default-role</code> field. The role that will be used when the optional <code>x-hasura-role</code> <em>header</em> is not passed.</li> <li>Add any other optional <code>x-hasura-*</code> claim fields (required as per your defined permissions) to the custom namespace</li> </ol> <p>Navigate to Clients → hasura → Client Scopes and click <code>hasura-dedicated</code></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjuaol0t4wpnihwpwdqn8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjuaol0t4wpnihwpwdqn8.png" alt="06"></a></p> <p>Click on <strong>Configure a new mapper</strong> and select <strong>User Property.</strong></p> <p>Add the following values and save</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>x-hasura-user-id</th> </tr> </thead> <tbody> <tr> <td>Property</td> <td>id</td> </tr> <tr> <td>Token Claim Name</td> <td><code>https://hasura\.io/jwt/claims.x-hasura-user-id</code></td> </tr> </tbody> </table></div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe81fqfcomecv93pjxt18.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe81fqfcomecv93pjxt18.png" alt="07"></a></p> <p>Add mapper for <strong>User Attribute</strong></p> <p>Add the followings and save.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>x-hasura-default-role</th> </tr> </thead> <tbody> <tr> <td>User Attribute</td> <td>x-hasura-default-role</td> </tr> <tr> <td>Token Claim Name</td> <td><code>https://hasura\.io/jwt/claims.x-hasura-default-role</code></td> </tr> <tr> <td>Claim value</td> <td>user</td> </tr> </tbody> </table></div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1c7dodam5m2wseu5mnxo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1c7dodam5m2wseu5mnxo.png" alt="08"></a></p> <p>Add mapper for <strong>User Client Role</strong></p> <p>Add the followings and save.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Name</th> <th>x-hasura-allowed-roles</th> </tr> </thead> <tbody> <tr> <td>Client ID</td> <td>hasura</td> </tr> <tr> <td>Token Claim Name</td> <td><code>https://hasura\.io/jwt/claims.x-hasura-allowed-roles</code></td> </tr> </tbody> </table></div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwx1i3gdkdzm7yugs1h3u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwx1i3gdkdzm7yugs1h3u.png" alt="09"></a></p> <p><strong>Create groups</strong></p> <p>Navigate to <strong>Groups</strong> tab and create two groups Admins &amp; Users</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhwkw08xf98b8nwss2rcf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhwkw08xf98b8nwss2rcf.png" alt="10"></a></p> <p><strong>Add attributes to the Groups</strong></p> <p>Group: Users</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>x-hasura-default-role</td> <td>user</td> </tr> </tbody> </table></div> <p>Group: Admins</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>x-hasura-default-role</td> <td>admin</td> </tr> </tbody> </table></div> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxhxas93i9pt5qjye0a1.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Frxhxas93i9pt5qjye0a1.png" alt="11"></a></p> <p><strong>Assign Roles</strong></p> <p>We need to assign the role we created at the beginning. Every member of this group will have that role</p> <p>Group: <strong>Users</strong></p> <p>Click on Role mapping → Assign role → Filter by clients → <code>hasura user</code> → Assign</p> <p>Group: <strong>Admins</strong></p> <p>Click on Role mapping → Assign role → Filter by clients → <code>hasura admin</code> → Assign</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34m64snad1t0d4lghnhb.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F34m64snad1t0d4lghnhb.png" alt="12"></a></p> <p><strong>Create user</strong></p> <p>Navigate to the Users tab and create two users. One is an admin user, and another is a regular user.</p> <p>Join the group <code>Admins</code> when creating an admin user and <code>Users</code> when creating regular user.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ixv1pxk3wvx8f48af3q.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2ixv1pxk3wvx8f48af3q.png" alt="13"></a></p> <p>After user creation, set their password. You can do this by navigating to the <strong>Credentials</strong> tab of that user. You may turn off the <strong>Temporary</strong> option.</p> <p>To make things easy to test, let’s increase the access token lifespan.</p> <p>Navigate to <strong>Relam settings</strong> → Tokens → Access Token Lifespan → Enter 10 Hours → Save</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjq33ssp8y3hg4b2ma1ze.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjq33ssp8y3hg4b2ma1ze.png" alt="14"></a></p> <p>Now set the <code>HASURA_GRAPHQL_JWT_SECRET</code> environment variable in the docker compose file for hasura with this</p> <p><code>'{ "type": "RS256", "jwk_url": "http://keycloak:8080/realms/development/protocol/openid-connect/certs" }'</code></p> <p>Hasura will get the public certificate from Keycloak.</p> <h2> <strong>Setup app login</strong> </h2> <p>If you haven’t already, let's clone the repo and cd into <code>apps/backend_server</code> in your terminal.</p> <p><a href="https://github.com/tousifws/hasura-keycloak" rel="noopener noreferrer">GitHub - tousifws/hasura-keycloak</a></p> <p>We’ll integrate keycloak with our NodeJS server to initiate the login. Lets grab the <strong>Client secret</strong> by navigating to <strong>Clients</strong> → <strong>hasura</strong> → <strong>Credentials</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftg2c94c382hfc019dtnk.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftg2c94c382hfc019dtnk.png" alt="15"></a></p> <p>Set the copied client secret to <code>OPENID_CLIENT_REGISTRATION_LOGIN_CLIENT_SECRET</code> environment variable present in <code>.env.development.local</code></p> <p>Next, do <code>npx nx run main-server:dev</code>. It’ll start the NestJS server. It’ll do the OAuth dance.</p> <p>Open up <a href="http://localhost:7000/auth/login" rel="noopener noreferrer">http://localhost:7000/auth/login</a> in your browser; it’ll redirect you to the Keycloak login page. Here you’ll need to enter the credentials of the users you created earlier.</p> <p>Next, open up <a href="http://localhost:7000/auth/user" rel="noopener noreferrer">http://localhost:7000/auth/user</a> You’ll get user information and associated tokens. You can use the access token in Hasura. Here’s a demo</p> <p><iframe width="710" height="399" src="https://www.youtube.com/embed/l4lrjCC0Qes"> </iframe> </p> <h2> Acknowledgements </h2> <ul> <li><a href="https://github.com/janhapke/hasura-keycloak" rel="noopener noreferrer">https://github.com/janhapke/hasura-keycloak</a></li> <li><a href="https://youtu.be/h2SLNwAEQVE" rel="noopener noreferrer">https://youtu.be/h2SLNwAEQVE</a></li> </ul> nestjs hasura keycloak