Updating Keycloak roles in the database
Hey there, I was trying to integrate Keycloak into my Wasp project but I got into a problem. I wanted to add my client roles into my database whenever a user tries to log in so I can query those roles for specific operations later. For that I used the getConfig and userSignupFields functions from the Keycloak implementation. Until then, everything was ok and it worked; the problem is that after that user is saved into my database, if I decide to change this user's roles in Keycloak, next time the user logs in, it is not updating those new roles into the database.
After a long time thinking, I decided to call the Keycloak /userinfo endpoint myself in every operation. But for that I need the Keycloak access token, which I do not have.
Am I missing something? Any other suggestions about how to solve my problem?
Thanks 😉
6 Replies
Hi @PepeEst. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Hmm, I don't know enough to give you a confident answer yet. The provided knowledge sources do not contain specific information about updating Keycloak roles in the database when they change in Keycloak, or about accessing the Keycloak access token in Wasp.
However, Wasp does provide a way to define user signup fields using the defineUserSignupFields function, which you could potentially use to store the roles of a user at signup time. Here is an example of how to use it:
(Source: Using the Data Received From Keycloak Part 2 (https://wasp-lang.dev/docs/auth/social-auth/keycloak#using-the-data-received-from-keycloak))
For more detailed advice, I would recommend checking the Wasp documentation (https://wasp-lang.dev/docs) or asking in the Wasp community.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @PepeEst, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15mins?
One thing we have in progress and will be released soon is auth hooks which sound perfect for your use case - do something related to auth at a specific point in time: https://github.com/wasp-lang/wasp/pull/1993
We decided to develop onBeforeSignup, onAfterSignup and onBeforeOAuthRedirect hooks, first.
"if I decide to change this user's roles in Keycloak, next time the user logs in, it is not updating those new roles into the database."
So, you'd benefit from a hook like onAfterLogin or similar ...
"After a long time thinking, I decided to call the Keycloak /userinfo endpoint myself in every operation. But for that I need the Keycloak access token, which I do not have."
... which would ideally give you the access token as well! I have to admit I was on the fence to develop the extra login hooks right away, but it seems they might be really useful for you! I'm not sure if we'll have the time to include them in the next release, but probably we'll be able to do it quickly after. How big of a problem is this for you? Are there any alternatives you considered for your app? 🙂 Thanks cc: @martinsos
Actually I’m not in a real hurry.
I was using an older Wasp version in my project (0.11), so I integrated Keycloak myself using the keycloak.js package as an alternative. But since I saw you released version 0.13 with Keycloak integration I gave it a try.
At this point, I believe the project is not gonna be in production for a while, so I can maintain my own Keycloak installation until you implement the new hook functionality.
Thanks.
Oh this is really interesting for us 🙂 would you mind sharing the way you use Keycloak and how you integrated it with Wasp? We are by no means Keycloak experts, so this could help us improve the DX for you and others.
Well, actually I'm not a Keycloak expert either, I just made a simple integration mixing the basic Keycloak knowledge with your login functions.
First, I call the Keycloak authentication URL in the client (which probably is not very secure), and then give the received token to my Wasp backend through an API endpoint. In that endpoint, first I obtain the user info corresponding to that token with the Keycloak userinfo token, and then I sign up the received user into the DB. Finally, with this user I call the framework createAuthToken function to get a Wasp token and return it to the client, so I can call the initSession framework function.
As I said, I do not believe it is the most secure way to integrate it, but for the moment it does its functionality.
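The role-sync step this kind of integration needs (refresh the stored roles on every login, not only at signup), as an added JavaScript example that is not code from the thread, from Wasp or from Keycloak. The claim layout (resource_access.<clientId>.roles, azp, exp) is the standard Keycloak token shape; the sample payload, client id and stored roles are constructed.

```javascript
// Constructed sample, shaped like a decoded Keycloak access token / userinfo
// response. Client roles live under resource_access.<clientId>.roles.
const SAMPLE_CLAIMS = {
  sub: "example-user-id",
  preferred_username: "pepe",
  exp: 1717000000, // constructed expiry, epoch seconds
  azp: "my-wasp-app", // authorized party: the client this token was issued to
  realm_access: { roles: ["offline_access"] },
  resource_access: {
    "my-wasp-app": { roles: ["editor", "viewer"] },
    account: { roles: ["manage-account"] },
  },
};

// Roles granted for one client only; [] when the client is absent from the token.
function extractClientRoles(claims, clientId) {
  const entry = claims?.resource_access?.[clientId];
  return Array.isArray(entry?.roles) ? [...new Set(entry.roles)].sort() : [];
}

// Minimal checks before trusting the claims: not expired, issued for our client.
// (Signature verification is assumed to have happened already, e.g. at /userinfo.)
function claimsUsable(claims, clientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof claims?.exp !== "number" || claims.exp <= nowSeconds) return false;
  return claims.azp === clientId;
}

// Compare what the DB currently holds with what Keycloak reports now, so a login
// after a role change in Keycloak updates the DB instead of keeping the signup snapshot.
function diffRoles(storedRoles, currentRoles) {
  const stored = new Set(storedRoles);
  const current = new Set(currentRoles);
  return {
    toAdd: [...current].filter((r) => !stored.has(r)).sort(),
    toRemove: [...stored].filter((r) => !current.has(r)).sort(),
  };
}

// What an onAfterLogin-style hook (hypothetical name) would compute: null if the
// claims should not be trusted, otherwise the new role list plus the changes to apply.
function syncRolesOnLogin(storedRoles, claims, clientId, nowSeconds) {
  if (!claimsUsable(claims, clientId, nowSeconds)) return null;
  const roles = extractClientRoles(claims, clientId);
  return { roles, ...diffRoles(storedRoles, roles) };
}
```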
@miho -> yeah I agree that hook on login sounds like a good use case for this! Especially if it allows obtaining that access token