npm - keycloak-express-middleware - Versions diffs - 6.1.1 → 6.1.2 - Mend

keycloak-express-middleware 6.1.1 → 6.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

package/MIGRATION_STATUS.md +46 -160
package/OIDC_INTEGRATION_GUIDE.md +15 -240
package/README.md +1515 -8
package/docs/MIGRATION_STATUS.md +46 -160
package/docs/OIDC_INTEGRATION_GUIDE.md +35 -29
package/docs/README.md +26 -221
package/docs/api/authorization-services.md +121 -0
package/docs/api/configuration.md +116 -0
package/docs/api/oidc-token-endpoint.md +148 -0
package/docs/api/route-protection.md +122 -0
package/docs/api/session-and-navigation.md +138 -0
package/docs/api/token-decode-helpers.md +94 -0
package/docs/api-reference.md +96 -0
package/docs/architecture.md +91 -384
package/docs/keycloak-setup.md +1 -1
package/docs/test-configuration.md +2 -2
package/docs/testing-environment.md +142 -0
package/docs/testing.md +8 -6
package/index.js +64 -665
package/oidc-methods.js +6 -6
package/package.json +1 -1
package/test/docker-keycloak/setup-keycloak.js +1 -1
package/test/helpers/config.js +2 -2
package/test/package-lock.json +1 -1

package/MIGRATION_STATUS.md CHANGED Viewed

@@ -1,162 +1,48 @@
-# OIDC Methods Migration - Status Report
-## 📋 Summary
-Ho creato una soluzione **pronta all'uso** per migrare i metodi OIDC da `keycloak-api-manager` a `keycloak-express-middleware`.
-## ✅ What's Been Done
-### 1. **Ready-to-Integrate File: `oidc-methods.js`**
-- ✅ 3 metodi pronti: `generateAuthorizationUrl()`, `login()`, `loginPKCE()`
-- ✅ Full JSDoc documentation
-- ✅ No external dependencies (only Node.js crypto)
-- ✅ Copy-paste ready into the middleware class
-- ✅ Tested and verified
-### 2. **Comprehensive Test Suite: `test/oidc-methods.test.js`**
-- ✅ 21 test cases, all passing
-- ✅ Tests configuration, PKCE generation, token exchange
-- ✅ Error handling and edge cases covered
-- ✅ Mock fetch to avoid external calls
-- ✅ Run with: `npm test`
-### 3. **Integration Guide: `OIDC_INTEGRATION_GUIDE.md`**
-- ✅ Step-by-step instructions
-- ✅ Copy-paste code snippets
-- ✅ Troubleshooting guide
-- ✅ Usage examples
-- ✅ Verification checklist
-### 4. **Files Location (keycloak-express-middleware)**
-```
-keycloak-express-middleware/
-├── oidc-methods.js                    ← Copy methods from here
-├── test/
-│   └── oidc-methods.test.js          ← Tests (21 passing ✓)
-└── OIDC_INTEGRATION_GUIDE.md         ← Integration instructions
-```
-## 🚀 Next Steps
-### **Option 1: Manual Integration (Safe & Controlled)**
-Follow the `OIDC_INTEGRATION_GUIDE.md`:
-1. Add 2 lines to constructor (save clientId, clientSecret)
-2. Copy 3 methods from `oidc-methods.js` into the class
-3. Run `npm test` to verify
-4. Deploy
-### **Option 2: I Can Automate It**
-If you want me to:
-1. Integrate the methods directly into `index.js`
-2. Run full test suite
-3. Create release v6.1.0 with OIDC support
-4. Push to git and npm
-Just let me know!
-## 📊 Test Results
-```
-✔ generateAuthorizationUrl() - 10 tests passing
-  ✓ Generates valid authorization URLs with all OAuth2 parameters
-  ✓ PKCE pair generation (random, cryptographically secure)
-  ✓ SHA256 code_challenge validation
-  ✓ Custom scope and state support
-  ✓ CamelCase parameter aliasing
-  ✓ Error handling for missing parameters
-✔ login() - 6 tests passing
-  ✓ Auto-append clientId and clientSecret
-  ✓ Token endpoint communication
-  ✓ Success and error response handling
-  ✓ Credential construction
-✔ loginPKCE() - 5 tests passing
-  ✓ Parameter validation (code, verifier, redirect_uri)
-  ✓ CamelCase aliases support
-  ✓ PKCE token exchange construction
-  ✓ Delegation to login()
-Total: 21 passing (57ms)
-```
-## 🎯 Architecture Decision
-**Why move from keycloak-api-manager to keycloak-express-middleware?**
-| Aspect | API Manager | Express Middleware |
-|--------|------------|-------------------|
-| Purpose | Admin resource management | User application auth |
-| OAuth2 Context | ❌ Not needed | ✅ Natural fit |
-| Session/Cookies | ❌ Not part of it | ✅ Full support |
-| Express integration | ❌ No | ✅ Yes |
-| Dependencies | ✅ keycloak-admin-client | ✅ keycloak-connect |
-**Result:** OIDC methods belong in the middleware package.
-## 📝 Git History
-```
-keycloak-express-middleware/main
-├── ef61793 Feat: add ready-to-integrate OIDC methods (generateAuthorizationUrl, login, loginPKCE) with comprehensive tests
-├── [previous middleware commits...]
-```
-## ⚠️ Important Notes
-### ✅ Backward Compatibility
-- No breaking changes planned
-- Existing middleware functionality untouched
-- New methods are additions only
-### 🔐 Security Considerations
-- PKCE verifier stored server-side only (session)
-- State parameter for CSRF protection
-- Tokens in HttpOnly cookies recommended
-- Code uses Go crypto best practices
-### 📦 Dependencies
-- No new npm packages needed
-- Uses Node.js 18+ global fetch
-- For Node 16-17: `npm install node-fetch`
-## 🎬 What You Can Do Now
-### Test Everything Works
-```bash
-cd keycloak-express-middleware
-npm test  # All 21 tests pass ✓
-```
-### Review the Code
-- Open `oidc-methods.js` - See the implementation
-- Open `test/oidc-methods.test.js` - See comprehensive tests
-- Open `OIDC_INTEGRATION_GUIDE.md` - Integration instructions
-### Integrate When Ready
-Follow `OIDC_INTEGRATION_GUIDE.md` to add to `index.js` class
-## 🔄 Next: keycloak-api-manager Updates
-Once integrated in middleware, we should:
-1. **Deprecate in keycloak-api-manager v6.0.0**
-   - Mark `auth()`, `login()`, `loginPKCE()` as deprecated
-   - Update docs with migration guide
-   - Keep methods working (backward compat)
-2. **Update documentation**
-   - Remove OIDC docs from API manager
-   - Add migration guide to middleware
-   - Update PKCE guide to use middleware
+# OIDC Migration Status
-3. **Release cycle**
-   - keycloak-express-middleware v6.1.0 with OIDC support
-   - keycloak-api-manager v6.0.0 with deprecation warnings
+## Summary
-## 📞 Questions?
-All documentation is in:
-- `OIDC_INTEGRATION_GUIDE.md` - How to integrate
-- `oidc-methods.js` - Full JSDoc comments
-- `test/oidc-methods.test.js` - Real usage examples
+OIDC runtime helpers are now documented and implemented in `keycloak-express-middleware`, with test coverage and integration guidance aligned to the current constructor-based API.
+## Implemented Scope
+The following helper methods are part of the migration scope:
+- `generateAuthorizationUrl(options)`
+- `loginWithCredentials(credentials)`
+- `loginPKCE(credentials)`
+These methods are documented in:
+- `docs/api/oidc-token-endpoint.md`
+- `docs/OIDC_INTEGRATION_GUIDE.md`
+## Validation Status
+- OIDC helper methods documented with parameters, return values, and examples
+- Integration guide updated to reflect constructor-based initialization
+- Naming consistency aligned with code (`keyCloackConfig`, `keyCloackOptions`)
+- Error handling guidance included for common runtime failures
+## Design Rationale
+OIDC login flow helpers belong in the Express middleware package because they are coupled to request/session lifecycle and application routing concerns.
+| Aspect | keycloak-api-manager | keycloak-express-middleware |
+|--------|----------------------|-----------------------------|
+| Primary purpose | Admin API orchestration | Application authentication and authorization |
+| Session/cookie awareness | No | Yes |
+| Express routing integration | No | Yes |
+| OIDC runtime flow fit | Limited | Native |
+## Compatibility Notes
+- The migration is additive for middleware users.
+- Existing middleware behavior remains unchanged.
+- Runtime requirements remain compatible with Node.js 18+ (`fetch` available globally).
+## Recommended Next Steps
+1. Validate your local environment with `npm test`.
+2. Review `docs/OIDC_INTEGRATION_GUIDE.md` for implementation-level guidance.
+3. Use `docs/api-reference.md` as the canonical API entry point.

package/OIDC_INTEGRATION_GUIDE.md CHANGED Viewed

@@ -1,248 +1,23 @@
-# Integration Guide: Adding OIDC Methods to keycloak-express-middleware
+# OIDC Integration Guide
-This guide explains how to integrate the new OIDC authentication methods (`generateAuthorizationUrl()`, `login()`, `loginPKCE()`) into the `keycloak-express-middleware` class.
+This root-level guide is intentionally kept short to avoid drift.
+The canonical and maintained version is:
-## Files Created
+- docs/OIDC_INTEGRATION_GUIDE.md
-- **`oidc-methods.js`** - Ready-to-use OIDC methods (no external dependencies)
-- **`test/oidc-methods.test.js`** - Complete test suite (run with `npm test`)
+Current OIDC helper methods in code are:
-## Integration Steps
+- generateAuthorizationUrl(options)
+- loginWithCredentials(credentials)
+- loginPKCE(credentials)
-### Step 1: Run Tests (Verify Methods Work)
+Important alignment notes with current implementation:
-```bash
-npm test
-```
+- Initialization is constructor-based, not configure-based.
+- Use a middleware instance created with:
+  new keycloackAdapter(app, keyCloackConfig, keyCloackOptions)
+- For generic token endpoint exchange use loginWithCredentials, not login.
-Expected output: All tests should pass (20+ assertions)
+Quick verification command:
-### Step 2: Locate the Constructor in index.js
-Find the `keycloakExpressMiddleware` constructor:
-```javascript
-constructor(app, keyCloackConfig, keyCloackOptions) {
-    this.keycloak = null;
-    this.ready = false;
-    this.readyQueue = [];
-    this.realmName = keyCloackConfig.realm || keyCloackOptions.realmName;
-    this.authServerUrl = keyCloackConfig['auth-server-url'];
-    // ... rest of constructor
-}
-```
-### Step 3: Save Configuration in Constructor
-Add these lines after `this.authServerUrl`:
-```javascript
-// Store OIDC configuration for token endpoint helpers
-this.clientId = keyCloackConfig.resource || keyCloackOptions.clientId;
-this.clientSecret = keyCloackConfig.credentials?.secret || keyCloackOptions.clientSecret;
-```
-**Full example:**
-```javascript
-constructor(app, keyCloackConfig, keyCloackOptions) {
-    this.keycloak = null;
-    this.ready = false;
-    this.readyQueue = [];
-    this.realmName = keyCloackConfig.realm || keyCloackOptions.realmName;
-    this.authServerUrl = keyCloackConfig['auth-server-url'];
-    // NEW: Store OIDC configuration
-    this.clientId = keyCloackConfig.resource || keyCloackOptions.clientId;
-    this.clientSecret = keyCloackConfig.credentials?.secret || keyCloackOptions.clientSecret;
-    // ... rest of constructor (unchanged)
-}
-```
-### Step 4: Add Methods to the Class
-At the end of the `keycloakExpressMiddleware` class (before the closing brace), add these three methods from `oidc-methods.js`:
-```javascript
-    // ===== OIDC Authentication Methods =====
-    /**
-     * Generate Authorization URL + PKCE pair for OAuth2 flow
-     * See oidc-methods.js for full documentation
-     */
-    generateAuthorizationUrl(options = {}) {
-        // ... copy from oidc-methods.js
-    }
-    /**
-     * Exchange credentials for OIDC tokens (generic token endpoint)
-     * See oidc-methods.js for full documentation
-     */
-    async login(credentials = {}) {
-        // ... copy from oidc-methods.js
-    }
-    /**
-     * Exchange authorization code + PKCE verifier for tokens
-     * See oidc-methods.js for full documentation
-     */
-    async loginPKCE(credentials = {}) {
-        // ... copy from oidc-methods.js
-    }
-```
-**Option: Copy-Paste from oidc-methods.js**
-You can copy the entire content from `oidc-methods.js` (lines with the three functions) directly into the class.
-### Step 5: Run Tests Again
-```bash
-npm test
-```
-Verify that all tests pass with the new methods integrated.
-### Step 6: Test in Your Application
-Create a simple test to verify the middleware works:
-```javascript
-const keycloakAdapter = require('keycloak-express-middleware');
-const express = require('express');
-const app = express();
-// Configure middleware
-await keycloakAdapter.configure({
-  app,
-  keyCloakConfig: {
-    realm: 'my-realm',
-    'auth-server-url': 'https://keycloak.example.com/',
-    resource: 'my-client',
-    credentials: { secret: 'my-secret' }
-  }
-});
-// Test PKCE flow initialization
-const pkceFlow = keycloakAdapter.generateAuthorizationUrl({
-  redirect_uri: 'http://localhost:3000/auth/callback'
-});
-```
-## Key Points
-### 1. No External Dependencies
-- Uses only Node.js built-in `crypto` module
-- Uses global `fetch` (available in Node 18+)
-- No new npm packages needed
-### 2. Backward Compatibility
-- All existing middleware functionality remains unchanged
-- New methods are optional additions
-- No breaking changes to existing API
-### 3. Configuration Sources
-The three methods use these configuration values from the middleware:
-- `this.authServerUrl` - From `keyCloakConfig['auth-server-url']`
-- `this.realmName` - From `keyCloakConfig.realm`
-- `this.clientId` - From `keyCloakConfig.resource` (or `keyCloackOptions.clientId`)
-- `this.clientSecret` - From `keyCloakConfig.credentials.secret` (or `keyCloackOptions.clientSecret`)
-### 4. Usage Examples
-#### Generate Authorization URL (for PKCE login initiation)
-```javascript
-const pkceFlow = keycloakAdapter.generateAuthorizationUrl({
-  redirect_uri: 'https://app.example.com/auth/callback',
-  scope: 'openid profile email'  // optional
-});
-req.session.pkce_state = pkceFlow.state;
-req.session.pkce_verifier = pkceFlow.codeVerifier;
-res.redirect(pkceFlow.authUrl);
-```
-#### Exchange Code for Token (for PKCE callback)
-```javascript
-const tokens = await keycloakAdapter.loginPKCE({
-  code: req.query.code,
-  redirect_uri: 'https://app.example.com/auth/callback',
-  code_verifier: req.session.pkce_verifier
-});
-res.cookie('access_token', tokens.access_token, { httpOnly: true });
-res.redirect('/dashboard');
-```
-#### Direct Token Grant
-```javascript
-// Password grant
-const tokens = await keycloakAdapter.login({
-  grant_type: 'password',
-  username: 'user@example.com',
-  password: 'password123'
-});
-// Client credentials
-const tokens = await keycloakAdapter.login({
-  grant_type: 'client_credentials'
-});
-// Refresh token
-const newTokens = await keycloakAdapter.login({
-  grant_type: 'refresh_token',
-  refresh_token: oldRefreshToken
-});
-```
-## Verification Checklist
-- [ ] All tests in `test/oidc-methods.test.js` pass
-- [ ] Constructor saves `clientId` and `clientSecret`
-- [ ] Three methods added to the class
-- [ ] `generateAuthorizationUrl()` works
-- [ ] `login()` works
-- [ ] `loginPKCE()` works
-- [ ] Existing middleware functionality still works
-- [ ] No runtime errors
-## Troubleshooting
-### Error: "requires middleware to be initialized"
-- Ensure `configure()` was called before using OIDC methods
-- Verify `authServerUrl`, `realmName`, and `clientId` are set
-### Error: "generateAuthorizationUrl requires redirect_uri"
-- Pass `redirect_uri` or `redirectUri` in options object
-### Fetch errors
-- Ensure Node.js 18+ (for global fetch)
-- For Node 16-17, add: `npm install node-fetch`
-## Testing Checklist
-Run tests to verify:
-```bash
-# All tests pass
-npm test
-# Test output shows:
-# - 20+ assertions passing
-# - No failures
-# - OIDC Methods suite: ✓
-```
-## Questions?
-Refer to:
-- `oidc-methods.js` - Method implementations and full JSDoc documentation
-- `test/oidc-methods.test.js` - Test examples showing all use cases
-- [PKCE Login Flow Guide](../keycloak-api-manager/docs/guides/PKCE-Login-Flow.md) - Real-world usage patterns
+- npm test