nestjs-keycloak-auth 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 B. Joshua Adedigba
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,391 @@
+<div align="center">
+
+# NestJS Keycloak Auth
+
+![GitHub Issues or Pull Requests](https://img.shields.io/github/issues/bannaarr01/nestjs-keycloak-auth?style=for-the-badge)
+![GitHub License](https://img.shields.io/github/license/bannaarr01/nestjs-keycloak-auth?style=for-the-badge)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/bannaarr01/nestjs-keycloak-auth/badge)](https://scorecard.dev/viewer/?uri=github.com/bannaarr01/nestjs-keycloak-auth)
+
+A bearer-only Keycloak authentication and authorization module for [NestJS](https://nestjs.com/). Uses standard OIDC discovery and has zero runtime dependency on `keycloak-connect`.
+
+</div>
+
+## Features
+
+- Bearer-token API authentication and authorization for NestJS.
+- OIDC discovery — endpoints resolved from `.well-known/openid-configuration` (with fallback).
+- ONLINE and OFFLINE token validation (introspection + JWKS signature verification).
+- Algorithm allowlist — only RS, ES, and PS family algorithms are accepted during offline validation.
+- Per-realm `notBefore` revocation state for multi-tenant safety.
+- Resource/scope authorization via UMA (`@Resource`, `@Scopes`, `@ConditionalScopes`).
+- Role authorization (`@Roles`) with configurable role merge and match modes.
+- OIDC back-channel logout (`sid`/`sub` revocation).
+- Typed error hierarchy — all library errors extend `KeycloakAuthError` for easy catching.
+- Compatible with [Fastify](https://github.com/fastify/fastify) platform.
+
+## Runtime Scope (Important)
+
+- This package is designed for bearer-only API/server flows.
+- It does **not** implement browser/session middleware flows such as login redirects, auth-code callback exchange, session/cookie grant stores, or logout endpoints.
+- It implements Keycloak admin callback endpoints:
+  - `POST /k_push_not_before` for realm `notBefore` revocation updates (used by OFFLINE token validation).
+  - `POST /k_logout` for OIDC back-channel logout token handling (`sid`/`sub` revocation).
+
+## Installation
+
+### Yarn
+
+```bash
+yarn add nestjs-keycloak-auth
+```
+
+### NPM
+
+```bash
+npm install nestjs-keycloak-auth --save
+```
+
+## Getting Started
+
+### Module registration
+
+Registering the module:
+
+```typescript
+KeycloakAuthModule.register({
+  authServerUrl: 'http://localhost:8080', // might be http://localhost:8080/auth for older keycloak versions
+  realm: 'master',
+  clientId: 'my-nestjs-app',
+  secret: 'secret',
+  bearerOnly: true,
+  policyEnforcement: PolicyEnforcementMode.PERMISSIVE, // optional
+  tokenValidation: TokenValidation.ONLINE, // optional
+});
+```
+
+Async registration is also available:
+
+```typescript
+KeycloakAuthModule.registerAsync({
+  useExisting: KeycloakConfigService,
+  imports: [ConfigModule],
+});
+```
+
+#### KeycloakConfigService
+
+```typescript
+import { Injectable } from '@nestjs/common';
+import {
+  KeycloakAuthOptions,
+  KeycloakAuthOptionsFactory,
+  PolicyEnforcementMode,
+  TokenValidation,
+} from 'nestjs-keycloak-auth';
+
+@Injectable()
+export class KeycloakConfigService implements KeycloakAuthOptionsFactory {
+  createKeycloakAuthOptions(): KeycloakAuthOptions {
+    return {
+      // http://localhost:8080/auth for older keycloak versions
+      authServerUrl: 'http://localhost:8080',
+      realm: 'master',
+      clientId: 'my-nestjs-app',
+      secret: 'secret',
+      bearerOnly: true,
+      policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
+      tokenValidation: TokenValidation.ONLINE,
+    };
+  }
+}
+```
+
+You can also register by just providing the `keycloak.json` path and an optional module configuration:
+
+```typescript
+KeycloakAuthModule.register(`./keycloak.json`, {
+  policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
+  tokenValidation: TokenValidation.ONLINE,
+});
+```
+
+### Guards
+
+Register any of the guards either globally, or scoped in your controller.
+
+#### Global registration using APP_GUARD token
+
+**_NOTE: These are in order, see https://docs.nestjs.com/guards#binding-guards for more information._**
+
+```typescript
+providers: [
+  {
+    provide: APP_GUARD,
+    useClass: AuthGuard,
+  },
+  {
+    provide: APP_GUARD,
+    useClass: ResourceGuard,
+  },
+  {
+    provide: APP_GUARD,
+    useClass: RoleGuard,
+  },
+];
+```
+
+#### Scoped registration
+
+```typescript
+@Controller('cats')
+@UseGuards(AuthGuard, ResourceGuard)
+export class CatsController {}
+```
+
+## What do these guards do?
+
+### AuthGuard
+
+Adds an authentication guard, you can also have it scoped if you like (using regular `@UseGuards(AuthGuard)` in your controllers). By default, it will throw a 401 unauthorized when it is unable to verify the JWT token or `Bearer` header is missing.
+
+### ResourceGuard
+
+Adds a resource guard, which is permissive by default (can be configured see [options](#nest-keycloak-options)). Only controllers annotated with `@Resource` and methods with `@Scopes` are handled by this guard.
+
+**_NOTE: This guard is not necessary if you are using role-based authorization exclusively. You can use role guard exclusively for that._**
+
+### RoleGuard
+
+Adds a role guard, **can only be used in conjunction with resource guard when enforcement policy is PERMISSIVE**, unless you only use role guard exclusively.
+Permissive by default. Used by controller methods annotated with `@Roles` (matching can be configured)
+
+## Configuring controllers
+
+In your controllers, simply do:
+
+```typescript
+import {
+  Resource,
+  Roles,
+  Scopes,
+  Public,
+  RoleMatchingMode,
+} from 'nestjs-keycloak-auth';
+import { Controller, Get, Delete, Put, Post, Param } from '@nestjs/common';
+import { Product } from './product';
+import { ProductService } from './product.service';
+
+@Controller()
+@Resource(Product.name)
+export class ProductController {
+  constructor(private service: ProductService) {}
+
+  @Get()
+  @Public()
+  async findAll() {
+    return await this.service.findAll();
+  }
+
+  @Get()
+  @Roles({ roles: ['admin', 'other'] })
+  async findAllBarcodes() {
+    return await this.service.findAllBarcodes();
+  }
+
+  @Get(':code')
+  @Scopes('View')
+  async findByCode(@Param('code') code: string) {
+    return await this.service.findByCode(code);
+  }
+
+  @Post()
+  @Scopes('Create')
+  @ConditionalScopes((request, token) => {
+    if (token.hasRealmRole('sysadmin')) {
+      return ['Overwrite'];
+    }
+    return [];
+  })
+  async create(@Body() product: Product) {
+    return await this.service.create(product);
+  }
+
+  @Delete(':code')
+  @Scopes('Delete')
+  @Roles({ roles: ['admin', 'realm:sysadmin'], mode: RoleMatchingMode.ALL })
+  async deleteByCode(@Param('code') code: string) {
+    return await this.service.deleteByCode(code);
+  }
+
+  @Put(':code')
+  @Scopes('Edit')
+  async update(@Param('code') code: string, @Body() product: Product) {
+    return await this.service.update(code, product);
+  }
+}
+```
+
+## Decorators
+
+Here are the decorators you can use in your controllers.
+
+| Decorator          | Description                                                                                               |
+| ------------------ | --------------------------------------------------------------------------------------------------------- |
+| @KeycloakUser      | Retrieves the current Keycloak logged-in user. (must be per method, unless controller is request scoped.) |
+| @AccessToken       | Retrieves the access token used in the request                                                            |
+| @ResolvedScopes    | Retrieves the resolved scopes (used in @ConditionalScopes)                                                |
+| @EnforcerOptions   | Keycloak enforcer options.                                                                                |
+| @Public            | Allow any user to use the route.                                                                          |
+| @Resource          | Keycloak application resource name.                                                                       |
+| @Scopes            | Keycloak application scopes.                                                                              |
+| @ConditionalScopes | Conditional keycloak application scopes.                                                                  |
+| @Roles             | Keycloak realm/application roles.                                                                         |
+| @TokenScopes       | Required OAuth scopes on the access token.                                                                |
+
+## Multi tenant configuration
+
+Setting up for multi-tenant is configured as an option in your configuration:
+
+```typescript
+{
+  // Add /auth for older keycloak versions
+  authServerUrl: 'http://localhost:8180/', // will be used as fallback
+  clientId: 'nest-api', // will be used as fallback
+  secret: 'fallback', // will be used as fallback
+  multiTenant: {
+    resolveAlways: true,
+    realmResolver: (request) => {
+      return request.get('host').split('.')[0];
+    },
+    realmSecretResolver: (realm, request) => {
+      const secrets = { master: 'secret', slave: 'password' };
+      return secrets[realm];
+    },
+    realmClientIdResolver: (realm, request) => {
+      const clientIds = { master: 'angular-app', slave: 'vue-app' };
+      return clientIds[realm];
+    },
+    // note to add /auth for older keycloak versions
+    realmAuthServerUrlResolver: (realm, request) => {
+      const authServerUrls = { master: 'https://master.local/', slave: 'https://slave.local/' };
+      return authServerUrls[realm];
+    }
+  }
+}
+```
+
+## Admin callback endpoints
+
+This module mounts Keycloak admin callback endpoints:
+
+- `POST /k_push_not_before`
+- `POST /k_logout`
+
+Purpose:
+
+- Accepts signed Keycloak admin callbacks with action `PUSH_NOT_BEFORE`.
+- Updates token revocation cutoff (`notBefore`) used by OFFLINE validation.
+- Stores `notBefore` per realm URL, so one realm update does not affect another realm in multi-tenant setups.
+- Accepts signed OIDC back-channel logout tokens and revokes token usage by `sid` and/or `sub`.
+
+Realm resolution for callback verification:
+
+1. `multiTenant.realmResolver(request)` when configured
+2. Single-tenant configured realm (`realm`)
+
+`k_logout` here is callback-only revocation handling for bearer tokens. It does not add browser/session middleware flows.
+
+## Error handling
+
+All errors thrown by the library extend `KeycloakAuthError`, so you can catch any library error with a single `instanceof` check:
+
+```typescript
+import {
+  KeycloakAuthError,
+  KeycloakConfigError,
+  KeycloakTokenError,
+  KeycloakPermissionError,
+  KeycloakAdminError,
+} from 'nestjs-keycloak-auth';
+```
+
+| Error class              | Code                        | When                                                     |
+| ------------------------ | --------------------------- | -------------------------------------------------------- |
+| `KeycloakAuthError`      | `KEYCLOAK_AUTH_ERROR`       | Base class — catches all library errors via `instanceof` |
+| `KeycloakConfigError`    | `KEYCLOAK_CONFIG_ERROR`     | Missing config, invalid options, file not found          |
+| `KeycloakTokenError`     | `KEYCLOAK_TOKEN_ERROR`      | Malformed JWT, grant validation failure, JWKS key miss   |
+| `KeycloakPermissionError`| `KEYCLOAK_PERMISSION_ERROR` | UMA permission check failure                             |
+| `KeycloakAdminError`     | `KEYCLOAK_ADMIN_ERROR`      | Admin callback signature/token verification failure      |
+
+Guards continue to throw standard NestJS `UnauthorizedException` / `ForbiddenException` at the HTTP boundary.
+
+## Example project
+
+The [`example/`](example/) folder contains a complete working NestJS application with:
+
+- Docker Compose setup (Keycloak + PostgreSQL + NestJS API)
+- Pre-configured Keycloak realm exports (single tenant + two tenants)
+- Postman collection for testing all endpoints
+- Product CRUD controller demonstrating `@Resource`, `@Scopes`, `@ConditionalScopes`, `@Roles`, `@EnforcerOptions`, and UMA response modes
+
+See [example/README.md](example/README.md) for setup and usage instructions.
+
+## Testing
+
+```bash
+npm test
+npm run test:cov
+```
+
+Current test setup uses Jest + ts-jest and is configured to enforce 100% global coverage thresholds.
+
+## Configuration options
+
+### Nest Keycloak Options
+
+| Option            | Description                                                                | Required | Default    |
+| ----------------- | -------------------------------------------------------------------------- | -------- | ---------- |
+| policyEnforcement | Sets the policy enforcement mode                                           | no       | PERMISSIVE |
+| tokenValidation   | Sets the token validation method                                           | no       | ONLINE     |
+| multiTenant       | Sets options for [multi-tenant configuration](#multi-tenant-configuration) | no       | -          |
+| roleMerge         | Sets the merge mode for `@Roles` decorator                                | no       | OVERRIDE   |
+
+### Common Keycloak Config Fields
+
+| Option                         | Description                                            |
+| ------------------------------ | ------------------------------------------------------ |
+| `realm`                        | Realm name                                             |
+| `clientId` / `client-id`       | Client ID (or `resource`)                              |
+| `secret` / `credentials.secret` | Client secret (confidential clients)                  |
+| `authServerUrl` / `serverUrl`  | Keycloak base URL                                      |
+| `bearerOnly` / `bearer-only`   | Marks bearer-only behavior                             |
+| `public` / `public-client`     | Public client mode                                     |
+| `realmPublicKey`               | Static realm public key for OFFLINE validation         |
+| `verifyTokenAudience`          | Enables strict audience check in OFFLINE validation    |
+| `minTimeBetweenJwksRequests`   | JWKS retry throttle                                    |
+
+### Multi Tenant Options
+
+| Option                     | Description                                                                                               | Required | Default |
+| -------------------------- | --------------------------------------------------------------------------------------------------------- | -------- | ------- |
+| resolveAlways              | Always resolve realm config instead of using cached values                                                | no       | false   |
+| realmResolver              | Resolves realm from request                                                                               | yes      | -       |
+| realmSecretResolver        | Resolves secret by realm (and optional request)                                                           | no       | -       |
+| realmAuthServerUrlResolver | Resolves auth server URL by realm (and optional request)                                                  | no       | -       |
+| realmClientIdResolver      | Resolves client ID by realm (and optional request)                                                        | yes      | -       |
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
+
+## Security
+
+To report a vulnerability, see [SECURITY.md](SECURITY.md). Do not open a public issue.
+
+## Acknowledgements
+
+Inspired by [nest-keycloak-connect](https://github.com/ferrerojosh/nest-keycloak-connect) by [John Joshua Ferrer](https://github.com/ferrerojosh) and the official [keycloak-nodejs-connect](https://github.com/keycloak/keycloak-nodejs-connect) adapter.
+
+## License
+
+[MIT](LICENSE)

package/dist/constants.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Used internally, provides keycloak options for the Nest guards.
+ */
+export declare const KEYCLOAK_AUTH_OPTIONS = "KEYCLOAK_AUTH_OPTIONS";
+/**
+ * Key for injecting a keycloak instance.
+ */
+export declare const KEYCLOAK_INSTANCE = "KEYCLOAK_INSTANCE";
+/**
+ * Key for injecting a keycloak multi tenant service.
+ */
+export declare const KEYCLOAK_MULTITENANT_SERVICE = "KEYCLOAK_MULTITENANT_SERVICE";
+/**
+ * Role matching mode.
+ */
+export declare enum RoleMatch {
+    /**
+     * Match all roles
+     */
+    ALL = "all",
+    /**
+     * Match any roles
+     */
+    ANY = "any"
+}
+/**
+ * Policy enforcement mode.
+ */
+export declare enum PolicyEnforcementMode {
+    /**
+     * Deny all request when there is no matching resource.
+     */
+    ENFORCING = "enforcing",
+    /**
+     * Allow all request even when there's no matching resource.
+     */
+    PERMISSIVE = "permissive"
+}
+/**
+ * Token validation methods.
+ */
+export declare enum TokenValidation {
+    /**
+     * The default validation method, performs live validation via Keycloak servers.
+     */
+    ONLINE = "online",
+    /**
+     * Validate offline against the configured keycloak options.
+     */
+    OFFLINE = "offline",
+    /**
+     * Does not check for any validation. Should only be used for special cases (i.e development, internal networks)
+     */
+    NONE = "none"
+}
+export declare enum RoleMerge {
+    /**
+     * Overrides roles if defined both controller and handlers, with controller taking over.
+     */
+    OVERRIDE = 0,
+    /**
+     * Merges all roles from both controller and handlers.
+     */
+    ALL = 1
+}

package/dist/constants.js

@@ -0,0 +1,72 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RoleMerge = exports.TokenValidation = exports.PolicyEnforcementMode = exports.RoleMatch = exports.KEYCLOAK_MULTITENANT_SERVICE = exports.KEYCLOAK_INSTANCE = exports.KEYCLOAK_AUTH_OPTIONS = void 0;
+/**
+ * Used internally, provides keycloak options for the Nest guards.
+ */
+exports.KEYCLOAK_AUTH_OPTIONS = 'KEYCLOAK_AUTH_OPTIONS';
+/**
+ * Key for injecting a keycloak instance.
+ */
+exports.KEYCLOAK_INSTANCE = 'KEYCLOAK_INSTANCE';
+/**
+ * Key for injecting a keycloak multi tenant service.
+ */
+exports.KEYCLOAK_MULTITENANT_SERVICE = 'KEYCLOAK_MULTITENANT_SERVICE';
+/**
+ * Role matching mode.
+ */
+var RoleMatch;
+(function (RoleMatch) {
+    /**
+     * Match all roles
+     */
+    RoleMatch["ALL"] = "all";
+    /**
+     * Match any roles
+     */
+    RoleMatch["ANY"] = "any";
+})(RoleMatch || (exports.RoleMatch = RoleMatch = {}));
+/**
+ * Policy enforcement mode.
+ */
+var PolicyEnforcementMode;
+(function (PolicyEnforcementMode) {
+    /**
+     * Deny all request when there is no matching resource.
+     */
+    PolicyEnforcementMode["ENFORCING"] = "enforcing";
+    /**
+     * Allow all request even when there's no matching resource.
+     */
+    PolicyEnforcementMode["PERMISSIVE"] = "permissive";
+})(PolicyEnforcementMode || (exports.PolicyEnforcementMode = PolicyEnforcementMode = {}));
+/**
+ * Token validation methods.
+ */
+var TokenValidation;
+(function (TokenValidation) {
+    /**
+     * The default validation method, performs live validation via Keycloak servers.
+     */
+    TokenValidation["ONLINE"] = "online";
+    /**
+     * Validate offline against the configured keycloak options.
+     */
+    TokenValidation["OFFLINE"] = "offline";
+    /**
+     * Does not check for any validation. Should only be used for special cases (i.e development, internal networks)
+     */
+    TokenValidation["NONE"] = "none";
+})(TokenValidation || (exports.TokenValidation = TokenValidation = {}));
+var RoleMerge;
+(function (RoleMerge) {
+    /**
+     * Overrides roles if defined both controller and handlers, with controller taking over.
+     */
+    RoleMerge[RoleMerge["OVERRIDE"] = 0] = "OVERRIDE";
+    /**
+     * Merges all roles from both controller and handlers.
+     */
+    RoleMerge[RoleMerge["ALL"] = 1] = "ALL";
+})(RoleMerge || (exports.RoleMerge = RoleMerge = {}));

package/dist/controllers/keycloak-admin.controller.d.ts

@@ -0,0 +1,16 @@
+import { KeycloakAdminService } from '../services/keycloak-admin.service';
+import { ServerRequest, ServerResponse } from '../interface/server.interface';
+/**
+ * Handles Keycloak admin callbacks:
+ * - `POST k_push_not_before`: not-before policy updates
+ * - `POST k_logout`: OIDC back-channel logout tokens
+ *
+ * All business logic is delegated to {@link KeycloakAdminService}.
+ */
+export declare class KeycloakAdminController {
+    private readonly adminService;
+    private readonly logger;
+    constructor(adminService: KeycloakAdminService);
+    handlePushNotBefore(body: unknown, request: ServerRequest, response: ServerResponse): Promise<void>;
+    handleBackchannelLogout(body: unknown, request: ServerRequest, response: ServerResponse): Promise<void>;
+}

package/dist/controllers/keycloak-admin.controller.js

@@ -0,0 +1,94 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var KeycloakAdminController_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakAdminController = void 0;
+const errors_1 = require("../errors");
+const keycloak_admin_service_1 = require("../services/keycloak-admin.service");
+const public_decorator_1 = require("../decorators/public.decorator");
+const common_1 = require("@nestjs/common");
+/**
+ * Handles Keycloak admin callbacks:
+ * - `POST k_push_not_before`: not-before policy updates
+ * - `POST k_logout`: OIDC back-channel logout tokens
+ *
+ * All business logic is delegated to {@link KeycloakAdminService}.
+ */
+let KeycloakAdminController = KeycloakAdminController_1 = class KeycloakAdminController {
+    constructor(adminService) {
+        this.adminService = adminService;
+        this.logger = new common_1.Logger(KeycloakAdminController_1.name);
+    }
+    handlePushNotBefore(body, request, response) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                yield this.adminService.processPushNotBefore(body, request);
+                response.send('ok');
+            }
+            catch (err) {
+                this.logger.warn(`Push not-before failed: ${err}`);
+                const status = err instanceof errors_1.KeycloakAdminError ? 401 : 400;
+                response.status(status).send(status === 401 ? 'unauthorized' : 'bad request');
+            }
+        });
+    }
+    handleBackchannelLogout(body, request, response) {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                yield this.adminService.processBackchannelLogout(body, request);
+                response.send('ok');
+            }
+            catch (err) {
+                this.logger.warn(`Back-channel logout failed: ${err}`);
+                const status = err instanceof errors_1.KeycloakAdminError ? 401 : 400;
+                response.status(status).send(status === 401 ? 'unauthorized' : 'bad request');
+            }
+        });
+    }
+};
+exports.KeycloakAdminController = KeycloakAdminController;
+__decorate([
+    (0, common_1.Post)('k_push_not_before'),
+    (0, common_1.HttpCode)(200),
+    __param(0, (0, common_1.Body)()),
+    __param(1, (0, common_1.Req)()),
+    __param(2, (0, common_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object, Object]),
+    __metadata("design:returntype", Promise)
+], KeycloakAdminController.prototype, "handlePushNotBefore", null);
+__decorate([
+    (0, common_1.Post)('k_logout'),
+    (0, common_1.HttpCode)(200),
+    __param(0, (0, common_1.Body)()),
+    __param(1, (0, common_1.Req)()),
+    __param(2, (0, common_1.Res)()),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", [Object, Object, Object]),
+    __metadata("design:returntype", Promise)
+], KeycloakAdminController.prototype, "handleBackchannelLogout", null);
+exports.KeycloakAdminController = KeycloakAdminController = KeycloakAdminController_1 = __decorate([
+    (0, public_decorator_1.Public)(),
+    (0, common_1.Controller)(),
+    __metadata("design:paramtypes", [keycloak_admin_service_1.KeycloakAdminService])
+], KeycloakAdminController);

package/dist/decorators/access-token.decorator.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Retrieves the currently used access token
+ * @since 2.0.0
+ */
+export declare const AccessToken: (...dataOrPipes: unknown[]) => ParameterDecorator;

package/dist/decorators/access-token.decorator.js

@@ -0,0 +1,13 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AccessToken = void 0;
+const internal_util_1 = require("../internal.util");
+const common_1 = require("@nestjs/common");
+/**
+ * Retrieves the currently used access token
+ * @since 2.0.0
+ */
+exports.AccessToken = (0, common_1.createParamDecorator)((data, ctx) => {
+    const [req] = (0, internal_util_1.extractRequest)(ctx);
+    return req.accessToken;
+});