next-auth-heksso 1.0.0

package/.env.example

@@ -0,0 +1,5 @@
+NEXTAUTH_URL=http://localhost:3000 # URL for this site
+NEXTAUTH_SECRET=<Secret for Token generation. Enter a random string>
+KEYCLOAK_CLIENT_ID=hekmoney
+KEYCLOAK_CLIENT_SECRET=<Go to Keycloak -> Clients -> Credentials>
+KEYCLOAK_ISSUER=http://localhost:8080/realms/master

package/.eslintrc.json

@@ -0,0 +1,3 @@
+{
+  "extends": "next/core-web-vitals"
+}

package/README.md

@@ -0,0 +1,11 @@
+# Next-Auth config for use with HEKsso (Keycloak)
+
+The rollowing environment variables are required:
+
+    NEXTAUTH_SECRET
+    NEXTAUTH_URL
+    KEYCLOAK_ISSUER
+    KEYCLOAK_CLIENT_ID
+    KEYCLOAK_CLIENT_SECRET
+
+See `.env.example`

package/lib/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./next";
+export * from "./next-api";

package/lib/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./next"), exports);
+__exportStar(require("./next-api"), exports);

package/lib/next/KeycloakSessionContext.d.ts

@@ -0,0 +1,9 @@
+import React, { ReactNode } from "react";
+export interface KeycloakSession {
+    getAccessToken: () => Promise<string>;
+}
+export declare const KeycloakSessionContext: React.Context<KeycloakSession>;
+export declare function KeycloakSessionProvider(props: {
+    children: ReactNode | ReactNode[];
+    signInPage?: string;
+}): JSX.Element;

package/lib/next/KeycloakSessionContext.js

@@ -0,0 +1,123 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakSessionProvider = exports.KeycloakSessionContext = void 0;
+const react_1 = require("next-auth/react");
+const router_1 = require("next/router");
+const react_2 = __importStar(require("react"));
+exports.KeycloakSessionContext = (0, react_2.createContext)({
+    getAccessToken: () => __awaiter(void 0, void 0, void 0, function* () {
+        return "";
+    })
+});
+function refreshAccessToken() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const response = yield fetch("/api/auth/session", {
+                method: "GET",
+                headers: {
+                    "Content-Type": "application/json"
+                }
+            });
+            const data = yield response.json();
+            if (data.error) {
+                throw data.error;
+            }
+            return { accessToken: data.accessToken, accessTokenExpires: data.accessTokenExpires };
+        }
+        catch (e) {
+            console.error(e);
+            return undefined;
+        }
+    });
+}
+function KeycloakSessionProvider(props) {
+    const session = (0, react_1.useSession)();
+    const router = (0, router_1.useRouter)();
+    const [accessToken, setAccessToken] = (0, react_2.useState)(undefined);
+    const [accessTokenError, setAccessTokenError] = (0, react_2.useState)(false);
+    const [accessTokenExpires, setAccessTokenExpires] = (0, react_2.useState)(undefined);
+    const getAccessToken = (0, react_2.useCallback)(() => __awaiter(this, void 0, void 0, function* () {
+        if (!accessToken)
+            return undefined;
+        if (accessTokenExpires && Date.now() >= accessTokenExpires) {
+            try {
+                const refreshed = yield refreshAccessToken();
+                if (refreshed) {
+                    setAccessTokenError(false);
+                    setAccessToken(refreshed.accessToken);
+                    setAccessTokenExpires(refreshed.accessTokenExpires);
+                    return refreshed.accessToken;
+                }
+                else {
+                    // Refresh failed due to network error
+                    return undefined;
+                }
+            }
+            catch (e) {
+                // Refresh failed because keycloak denied the request
+                console.error(e);
+                setAccessTokenError(true);
+                setAccessToken(undefined);
+                setAccessTokenExpires(undefined);
+                return undefined;
+            }
+        }
+        else
+            return accessToken;
+    }), [accessToken, accessTokenExpires]);
+    // Because this component is present on every page that requires a session,
+    // we check for a valid refresh token here
+    (0, react_2.useEffect)(() => {
+        var _a, _b, _c, _d;
+        if (!router.asPath.startsWith(props.signInPage || "/auth/signin") &&
+            (session.status === "unauthenticated" || accessTokenError)) {
+            router.push(props.signInPage || "/auth/signin");
+            return;
+        }
+        if (((_a = session.data) === null || _a === void 0 ? void 0 : _a.error) === "RefreshAccessTokenError") {
+            (0, react_1.signOut)(); // Force sign in to get a new refresh token
+        }
+        else if ((_b = session.data) === null || _b === void 0 ? void 0 : _b.accessToken) {
+            setAccessToken((_c = session.data) === null || _c === void 0 ? void 0 : _c.accessToken),
+                setAccessTokenExpires((_d = session.data) === null || _d === void 0 ? void 0 : _d.accessTokenExpires);
+        }
+        else {
+            setAccessToken(undefined);
+            setAccessTokenExpires(undefined);
+        }
+    }, [session, router.pathname, accessToken, router, props.signInPage, accessTokenError]);
+    return (react_2.default.createElement(exports.KeycloakSessionContext.Provider, { value: { getAccessToken } }, props.children));
+}
+exports.KeycloakSessionProvider = KeycloakSessionProvider;

package/lib/next/KeycloakSessionContext.jsx

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KeycloakSessionProvider = exports.KeycloakSessionContext = void 0;
+const react_1 = require("next-auth/react");
+const router_1 = require("next/router");
+const react_2 = __importStar(require("react"));
+exports.KeycloakSessionContext = (0, react_2.createContext)({
+    getAccessToken: () => __awaiter(void 0, void 0, void 0, function* () {
+        return "";
+    })
+});
+function refreshAccessToken() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const response = yield fetch("/api/auth/session", {
+                method: "GET",
+                headers: {
+                    "Content-Type": "application/json"
+                }
+            });
+            const data = yield response.json();
+            if (data.error) {
+                throw data.error;
+            }
+            return { accessToken: data.accessToken, accessTokenExpires: data.accessTokenExpires };
+        }
+        catch (e) {
+            console.error(e);
+            return undefined;
+        }
+    });
+}
+function KeycloakSessionProvider(props) {
+    const session = (0, react_1.useSession)();
+    const router = (0, router_1.useRouter)();
+    const [accessToken, setAccessToken] = (0, react_2.useState)(undefined);
+    const [accessTokenError, setAccessTokenError] = (0, react_2.useState)(false);
+    const [accessTokenExpires, setAccessTokenExpires] = (0, react_2.useState)(undefined);
+    const getAccessToken = (0, react_2.useCallback)(() => __awaiter(this, void 0, void 0, function* () {
+        if (!accessToken)
+            return undefined;
+        if (accessTokenExpires && Date.now() >= accessTokenExpires) {
+            try {
+                const refreshed = yield refreshAccessToken();
+                if (refreshed) {
+                    setAccessTokenError(false);
+                    setAccessToken(refreshed.accessToken);
+                    setAccessTokenExpires(refreshed.accessTokenExpires);
+                    return refreshed.accessToken;
+                }
+                else {
+                    // Refresh failed due to network error
+                    return undefined;
+                }
+            }
+            catch (e) {
+                // Refresh failed because keycloak denied the request
+                console.error(e);
+                setAccessTokenError(true);
+                setAccessToken(undefined);
+                setAccessTokenExpires(undefined);
+                return undefined;
+            }
+        }
+        else
+            return accessToken;
+    }), [accessToken, accessTokenExpires]);
+    // Because this component is present on every page that requires a session,
+    // we check for a valid refresh token here
+    (0, react_2.useEffect)(() => {
+        var _a, _b, _c, _d;
+        if (!router.asPath.startsWith(props.signInPage || "/auth/signin") &&
+            (session.status === "unauthenticated" || accessTokenError)) {
+            router.push(props.signInPage || "/auth/signin");
+            return;
+        }
+        if (((_a = session.data) === null || _a === void 0 ? void 0 : _a.error) === "RefreshAccessTokenError") {
+            (0, react_1.signOut)(); // Force sign in to get a new refresh token
+        }
+        else if ((_b = session.data) === null || _b === void 0 ? void 0 : _b.accessToken) {
+            setAccessToken((_c = session.data) === null || _c === void 0 ? void 0 : _c.accessToken),
+                setAccessTokenExpires((_d = session.data) === null || _d === void 0 ? void 0 : _d.accessTokenExpires);
+        }
+        else {
+            setAccessToken(undefined);
+            setAccessTokenExpires(undefined);
+        }
+    }, [session, router.pathname, accessToken, router, props.signInPage, accessTokenError]);
+    return (<exports.KeycloakSessionContext.Provider value={{ getAccessToken }}>
+            {props.children}
+        </exports.KeycloakSessionContext.Provider>);
+}
+exports.KeycloakSessionProvider = KeycloakSessionProvider;

package/lib/next/index.d.ts

@@ -0,0 +1 @@
+export * from "./KeycloakSessionContext";

package/lib/next/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./KeycloakSessionContext"), exports);

package/lib/next-api/federatedLogout.d.ts

@@ -0,0 +1,8 @@
+import { NextApiRequest, NextApiResponse } from "next";
+/**
+ * Provides a next api route for performing a federated logout of the user (logs ouf of keycloak)
+ * @param req NextApiRequest
+ * @param res NextApiRequest
+ * @returns
+ */
+export default function federatedLogout(req: NextApiRequest, res: NextApiResponse): Promise<NextApiResponse<any> | undefined>;

package/lib/next-api/federatedLogout.js

@@ -0,0 +1,69 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jwt = __importStar(require("next-auth/jwt"));
+/**
+ * Provides a next api route for performing a federated logout of the user (logs ouf of keycloak)
+ * @param req NextApiRequest
+ * @param res NextApiRequest
+ * @returns
+ */
+function federatedLogout(req, res) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const token = yield jwt.getToken({ req, secret: process.env.NEXTAUTH_SECRET });
+            if (!token) {
+                console.warn("No JWT token found when calling /federated-logout endpoint");
+                return res.redirect(process.env.NEXTAUTH_URL || "");
+            }
+            const endsessionURL = `${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/logout`;
+            if (token.idToken) {
+                console.warn("Without an id_token the user won't be redirected back from the IdP after logout.");
+                const endsessionParams = new URLSearchParams({
+                    id_token_hint: token.idToken,
+                    post_logout_redirect_uri: process.env.NEXTAUTH_URL + "/logout" || ""
+                });
+                return res.redirect(`${endsessionURL}?${endsessionParams}`);
+            }
+            else {
+                return res.redirect(`${endsessionURL}`);
+            }
+        }
+        catch (error) {
+            console.error(error);
+            res.redirect(process.env.NEXTAUTH_URL || "");
+        }
+    });
+}
+exports.default = federatedLogout;

package/lib/next-api/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./federatedLogout";
+export * from "./nextAuthConfig";

package/lib/next-api/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./federatedLogout"), exports);
+__exportStar(require("./nextAuthConfig"), exports);

package/lib/next-api/nextAuthConfig.d.ts

@@ -0,0 +1,7 @@
+import { NextAuthOptions } from "next-auth";
+/**
+ * Provides authOptions for next-auth that configures it for use with the typical HEKsso setup
+ */
+export declare const authOptions: NextAuthOptions;
+declare const _default: any;
+export default _default;

package/lib/next-api/nextAuthConfig.js

@@ -0,0 +1,74 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.authOptions = void 0;
+const next_auth_1 = __importDefault(require("next-auth"));
+const keycloak_1 = __importDefault(require("next-auth/providers/keycloak"));
+const refreshAccessToken_1 = require("./refreshAccessToken");
+/**
+ * Provides authOptions for next-auth that configures it for use with the typical HEKsso setup
+ */
+exports.authOptions = {
+    secret: process.env.NEXTAUTH_SECRET,
+    providers: [
+        (0, keycloak_1.default)({
+            clientId: process.env.KEYCLOAK_CLIENT_ID || "",
+            clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || "",
+            issuer: process.env.KEYCLOAK_ISSUER,
+            authorization: { params: { scope: "openid email profile roles" } }
+        })
+    ],
+    pages: {
+        signIn: "/",
+    },
+    callbacks: {
+        jwt(data) {
+            var _a, _b;
+            return __awaiter(this, void 0, void 0, function* () {
+                const hekGroups = (_a = data.profile) === null || _a === void 0 ? void 0 : _a.hekGroups;
+                // Persist the OAuth access_token to the token right after signin
+                if (data.account && data.user) {
+                    data.token.idToken = (_b = data.account) === null || _b === void 0 ? void 0 : _b.id_token;
+                    data.token.accessToken = data.account.access_token;
+                    data.token.hekGroups = hekGroups;
+                    data.token.username = data.profile.preferred_username;
+                    if (data.account.expires_at)
+                        data.token.accessTokenExpires = data.account.expires_at * 1000;
+                    data.token.refreshToken = data.account.refresh_token;
+                    return data.token;
+                }
+                // Return previous token if the access token has not expired yet
+                if (Date.now() < data.token.accessTokenExpires) {
+                    return data.token;
+                }
+                // Access token has expired, try to update it
+                return (0, refreshAccessToken_1.refreshAccessToken)(data.token);
+            });
+        },
+        session({ session, token }) {
+            return __awaiter(this, void 0, void 0, function* () {
+                // Send properties to the client, like an access_token from a provider.
+                const _session = session;
+                _session.accessToken = token.accessToken;
+                _session.accessTokenExpires = token.accessTokenExpires;
+                _session.hekGroups = token.hekGroups || [];
+                _session.username = token.username;
+                if (token.error)
+                    _session.error = token.error;
+                return _session;
+            });
+        }
+    }
+};
+exports.default = (0, next_auth_1.default)(exports.authOptions);

package/lib/next-api/refreshAccessToken.d.ts

@@ -0,0 +1,23 @@
+import { JWT } from "next-auth/jwt";
+/**
+ * Takes a token, and returns a new token with updated
+ * `accessToken` and `accessTokenExpires`. If an error occurs,
+ * returns the old token and an error property
+ *
+ * This is a utility function and not an API route
+ */
+export declare function refreshAccessToken(token: JWT): Promise<{
+    accessToken: any;
+    accessTokenExpires: number;
+    refreshToken: any;
+    name?: string | null | undefined;
+    email?: string | null | undefined;
+    picture?: string | null | undefined;
+    sub?: string | undefined;
+} | {
+    error: string;
+    name?: string | null | undefined;
+    email?: string | null | undefined;
+    picture?: string | null | undefined;
+    sub?: string | undefined;
+}>;

package/lib/next-api/refreshAccessToken.js

@@ -0,0 +1,50 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.refreshAccessToken = void 0;
+/**
+ * Takes a token, and returns a new token with updated
+ * `accessToken` and `accessTokenExpires`. If an error occurs,
+ * returns the old token and an error property
+ *
+ * This is a utility function and not an API route
+ */
+function refreshAccessToken(token) {
+    var _a;
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const url = process.env.KEYCLOAK_ISSUER + "/protocol/openid-connect/token?";
+            const response = yield fetch(url, {
+                headers: {
+                    "Content-Type": "application/x-www-form-urlencoded"
+                },
+                method: "POST",
+                body: new URLSearchParams({
+                    client_id: process.env.KEYCLOAK_CLIENT_ID || "",
+                    client_secret: process.env.KEYCLOAK_CLIENT_SECRET || "",
+                    grant_type: "refresh_token",
+                    refresh_token: token.refreshToken
+                })
+            });
+            const refreshedTokens = yield response.json();
+            if (!response.ok) {
+                throw refreshedTokens;
+            }
+            return Object.assign(Object.assign({}, token), { accessToken: refreshedTokens.access_token, accessTokenExpires: Date.now() + refreshedTokens.expires_in * 1000, refreshToken: (_a = refreshedTokens.refresh_token) !== null && _a !== void 0 ? _a : token.refreshToken // Fall back to old refresh token
+             });
+        }
+        catch (error) {
+            console.log(error);
+            return Object.assign(Object.assign({}, token), { error: "RefreshAccessTokenError" });
+        }
+    });
+}
+exports.refreshAccessToken = refreshAccessToken;

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "next-auth-heksso",
+  "author": {
+    "name": "Voakie",
+    "email": "contact@voakie.com"
+  },
+  "license": "MIT",
+  "version": "1.0.0",
+  "scripts": {
+    "build": "tsc"
+  },
+  "main": "lib/index.js",
+  "types": "lib/index.d.ts",
+  "dependencies": {
+    "@types/node": "^18.11.18",
+    "@types/react": "^18.0.27",
+    "@types/react-dom": "^18.0.10",
+    "eslint": "^8.32.0",
+    "eslint-config-next": "^13.1.6",
+    "next": "^13.1.6",
+    "next-auth": "^4.19.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "typescript": "^4.9.4"
+  }
+}

package/src/index.ts

@@ -0,0 +1,2 @@
+export * from "./next"
+export * from "./next-api"

package/src/next/KeycloakSessionContext.tsx

@@ -0,0 +1,103 @@
+import { signOut, useSession } from "next-auth/react"
+import { useRouter } from "next/router"
+import React, { createContext, ReactNode, useCallback, useEffect, useState } from "react"
+
+export interface KeycloakSession {
+    getAccessToken: () => Promise<string>
+}
+
+export const KeycloakSessionContext = createContext<KeycloakSession>({
+    getAccessToken: async () => {
+        return ""
+    }
+})
+
+async function refreshAccessToken() {
+    try {
+        const response = await fetch("/api/auth/session", {
+            method: "GET",
+            headers: {
+                "Content-Type": "application/json"
+            }
+        })
+
+        const data = await response.json()
+
+        if (data.error) {
+            throw data.error
+        }
+
+        return { accessToken: data.accessToken, accessTokenExpires: data.accessTokenExpires }
+    } catch (e: unknown) {
+        console.error(e)
+        return undefined
+    }
+}
+
+export function KeycloakSessionProvider(props: {
+    children: ReactNode | ReactNode[]
+    signInPage?: string
+}) {
+    const session = useSession()
+    const router = useRouter()
+
+    const [accessToken, setAccessToken] = useState<string | undefined>(undefined)
+    const [accessTokenError, setAccessTokenError] = useState(false)
+    const [accessTokenExpires, setAccessTokenExpires] = useState<number | undefined>(undefined)
+
+    const getAccessToken = useCallback(async () => {
+        if (!accessToken) return undefined
+        if (accessTokenExpires && Date.now() >= accessTokenExpires) {
+            try {
+                const refreshed = await refreshAccessToken()
+
+                if (refreshed) {
+                    setAccessTokenError(false)
+                    setAccessToken(refreshed.accessToken)
+                    setAccessTokenExpires(refreshed.accessTokenExpires)
+                    return refreshed.accessToken
+                } else {
+                    // Refresh failed due to network error
+                    return undefined
+                }
+            } catch (e) {
+                // Refresh failed because keycloak denied the request
+                console.error(e)
+                setAccessTokenError(true)
+                setAccessToken(undefined)
+                setAccessTokenExpires(undefined)
+                return undefined
+            }
+        } else return accessToken
+    }, [accessToken, accessTokenExpires])
+
+    // Because this component is present on every page that requires a session,
+    // we check for a valid refresh token here
+    useEffect(() => {
+        if (
+            !router.asPath.startsWith(props.signInPage || "/auth/signin") &&
+            (session.status === "unauthenticated" || accessTokenError)
+        ) {
+            router.push(props.signInPage || "/auth/signin")
+            return
+        }
+
+        if ((session.data as any)?.error === "RefreshAccessTokenError") {
+            signOut() // Force sign in to get a new refresh token
+        } else if ((session.data as any)?.accessToken) {
+            setAccessToken((session.data as any)?.accessToken as string),
+            setAccessTokenExpires((session.data as any)?.accessTokenExpires as number)
+        } else {
+            setAccessToken(undefined)
+            setAccessTokenExpires(undefined)
+        }
+    }, [session, router.pathname, accessToken, router, props.signInPage, accessTokenError])
+
+    return (
+        <KeycloakSessionContext.Provider
+            value={{ getAccessToken }}
+        >
+            {props.children}
+        </KeycloakSessionContext.Provider>
+    )
+}

package/src/next/index.ts

@@ -0,0 +1 @@
+export * from "./KeycloakSessionContext"

package/src/next-api/federatedLogout.ts

@@ -0,0 +1,38 @@
+// /api/auth/federated-logout
+import { NextApiRequest, NextApiResponse } from "next"
+import * as jwt from "next-auth/jwt"
+
+/**
+ * Provides a next api route for performing a federated logout of the user (logs ouf of keycloak)
+ * @param req NextApiRequest
+ * @param res NextApiRequest
+ * @returns 
+ */
+export default async function federatedLogout(req: NextApiRequest, res: NextApiResponse) {
+    try {
+        const token = await jwt.getToken({ req, secret: process.env.NEXTAUTH_SECRET })
+        if (!token) {
+            console.warn("No JWT token found when calling /federated-logout endpoint")
+            return res.redirect(process.env.NEXTAUTH_URL || "")
+        }
+
+        const endsessionURL = `${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/logout`
+
+        if (token.idToken) {
+            console.warn(
+                "Without an id_token the user won't be redirected back from the IdP after logout."
+            )
+
+            const endsessionParams = new URLSearchParams({
+                id_token_hint: token.idToken as string,
+                post_logout_redirect_uri: process.env.NEXTAUTH_URL + "/logout" || ""
+            })
+            return res.redirect(`${endsessionURL}?${endsessionParams}`)
+        } else {
+            return res.redirect(`${endsessionURL}`)
+        }
+    } catch (error) {
+        console.error(error)
+        res.redirect(process.env.NEXTAUTH_URL || "")
+    }
+}

package/src/next-api/index.ts

@@ -0,0 +1,2 @@
+export * from "./federatedLogout"
+export * from "./nextAuthConfig"

package/src/next-api/nextAuthConfig.ts

@@ -0,0 +1,60 @@
+import NextAuth, { NextAuthOptions } from "next-auth"
+import KeycloakProvider from "next-auth/providers/keycloak"
+import { refreshAccessToken } from "./refreshAccessToken"
+
+/**
+ * Provides authOptions for next-auth that configures it for use with the typical HEKsso setup
+ */
+export const authOptions: NextAuthOptions = {
+    secret: process.env.NEXTAUTH_SECRET,
+    providers: [
+        KeycloakProvider({
+            clientId: process.env.KEYCLOAK_CLIENT_ID || "",
+            clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || "",
+            issuer: process.env.KEYCLOAK_ISSUER, // something like "http://localhost:8080/realms/master"
+            authorization: { params: { scope: "openid email profile roles" } }
+        })
+    ],
+    pages: {
+        signIn: "/",
+    },
+    callbacks: {
+        async jwt(data) {
+            const hekGroups = (data.profile as any)?.hekGroups
+
+            // Persist the OAuth access_token to the token right after signin
+            if (data.account && data.user) {
+                data.token.idToken = data.account?.id_token
+                data.token.accessToken = data.account.access_token
+                data.token.hekGroups = hekGroups
+                data.token.username = (data.profile as { [key: string]: string }).preferred_username
+
+                if (data.account.expires_at)
+                    data.token.accessTokenExpires = data.account.expires_at * 1000
+
+                data.token.refreshToken = data.account.refresh_token
+                return data.token
+            }
+
+            // Return previous token if the access token has not expired yet
+            if (Date.now() < (data.token.accessTokenExpires as number)) {
+                return data.token
+            }
+
+            // Access token has expired, try to update it
+            return refreshAccessToken(data.token)
+        },
+        async session({ session, token }) {
+            // Send properties to the client, like an access_token from a provider.
+            const _session = session as any
+            _session.accessToken = token.accessToken
+            _session.accessTokenExpires = token.accessTokenExpires
+            _session.hekGroups = token.hekGroups || []
+            _session.username = token.username
+            if (token.error) _session.error = token.error
+            return _session
+        }
+    }
+}
+
+export default NextAuth(authOptions)

package/src/next-api/refreshAccessToken.ts

@@ -0,0 +1,47 @@
+import { JWT } from "next-auth/jwt"
+
+/**
+ * Takes a token, and returns a new token with updated
+ * `accessToken` and `accessTokenExpires`. If an error occurs,
+ * returns the old token and an error property
+ * 
+ * This is a utility function and not an API route
+ */
+export async function refreshAccessToken(token: JWT) {
+    try {
+        const url = process.env.KEYCLOAK_ISSUER + "/protocol/openid-connect/token?"
+
+        const response = await fetch(url, {
+            headers: {
+                "Content-Type": "application/x-www-form-urlencoded"
+            },
+            method: "POST",
+            body: new URLSearchParams({
+                client_id: process.env.KEYCLOAK_CLIENT_ID || "",
+                client_secret: process.env.KEYCLOAK_CLIENT_SECRET || "",
+                grant_type: "refresh_token",
+                refresh_token: token.refreshToken as string
+            })
+        })
+
+        const refreshedTokens = await response.json()
+
+        if (!response.ok) {
+            throw refreshedTokens
+        }
+
+        return {
+            ...token,
+            accessToken: refreshedTokens.access_token,
+            accessTokenExpires: Date.now() + refreshedTokens.expires_in * 1000,
+            refreshToken: refreshedTokens.refresh_token ?? token.refreshToken // Fall back to old refresh token
+        }
+    } catch (error) {
+        console.log(error)
+
+        return {
+            ...token,
+            error: "RefreshAccessTokenError"
+        }
+    }
+}

package/tsconfig.json

@@ -0,0 +1,104 @@
+{
+  "compilerOptions": {
+    /* Visit https://aka.ms/tsconfig to read more about this file */
+
+    /* Projects */
+    // "incremental": true,                              /* Save .tsbuildinfo files to allow for incremental compilation of projects. */
+    // "composite": true,                                /* Enable constraints that allow a TypeScript project to be used with project references. */
+    // "tsBuildInfoFile": "./.tsbuildinfo",              /* Specify the path to .tsbuildinfo incremental compilation file. */
+    // "disableSourceOfProjectReferenceRedirect": true,  /* Disable preferring source files instead of declaration files when referencing composite projects. */
+    // "disableSolutionSearching": true,                 /* Opt a project out of multi-project reference checking when editing. */
+    // "disableReferencedProjectLoad": true,             /* Reduce the number of projects loaded automatically by TypeScript. */
+
+    /* Language and Environment */
+    "target": "es2016",                                  /* Set the JavaScript language version for emitted JavaScript and include compatible library declarations. */
+    // "lib": [],                                        /* Specify a set of bundled library declaration files that describe the target runtime environment. */
+    "jsx": "react",                                /* Specify what JSX code is generated. */
+    // "experimentalDecorators": true,                   /* Enable experimental support for TC39 stage 2 draft decorators. */
+    // "emitDecoratorMetadata": true,                    /* Emit design-type metadata for decorated declarations in source files. */
+    // "jsxFactory": "",                                 /* Specify the JSX factory function used when targeting React JSX emit, e.g. 'React.createElement' or 'h'. */
+    // "jsxFragmentFactory": "",                         /* Specify the JSX Fragment reference used for fragments when targeting React JSX emit e.g. 'React.Fragment' or 'Fragment'. */
+    // "jsxImportSource": "",                            /* Specify module specifier used to import the JSX factory functions when using 'jsx: react-jsx*'. */
+    // "reactNamespace": "",                             /* Specify the object invoked for 'createElement'. This only applies when targeting 'react' JSX emit. */
+    // "noLib": true,                                    /* Disable including any library files, including the default lib.d.ts. */
+    // "useDefineForClassFields": true,                  /* Emit ECMAScript-standard-compliant class fields. */
+    // "moduleDetection": "auto",                        /* Control what method is used to detect module-format JS files. */
+
+    /* Modules */
+    "module": "commonjs",                                /* Specify what module code is generated. */
+    "rootDir": "./src",                                  /* Specify the root folder within your source files. */
+    // "moduleResolution": "node",                       /* Specify how TypeScript looks up a file from a given module specifier. */
+    // "baseUrl": "./",                                  /* Specify the base directory to resolve non-relative module names. */
+    // "paths": {},                                      /* Specify a set of entries that re-map imports to additional lookup locations. */
+    // "rootDirs": [],                                   /* Allow multiple folders to be treated as one when resolving modules. */
+    // "typeRoots": [],                                  /* Specify multiple folders that act like './node_modules/@types'. */
+    // "types": [],                                      /* Specify type package names to be included without being referenced in a source file. */
+    // "allowUmdGlobalAccess": true,                     /* Allow accessing UMD globals from modules. */
+    // "moduleSuffixes": [],                             /* List of file name suffixes to search when resolving a module. */
+    // "resolveJsonModule": true,                        /* Enable importing .json files. */
+    // "noResolve": true,                                /* Disallow 'import's, 'require's or '<reference>'s from expanding the number of files TypeScript should add to a project. */
+
+    /* JavaScript Support */
+    // "allowJs": true,                                  /* Allow JavaScript files to be a part of your program. Use the 'checkJS' option to get errors from these files. */
+    // "checkJs": true,                                  /* Enable error reporting in type-checked JavaScript files. */
+    // "maxNodeModuleJsDepth": 1,                        /* Specify the maximum folder depth used for checking JavaScript files from 'node_modules'. Only applicable with 'allowJs'. */
+
+    /* Emit */
+    "declaration": true,                                 /* Generate .d.ts files from TypeScript and JavaScript files in your project. */
+    // "declarationMap": true,                           /* Create sourcemaps for d.ts files. */
+    // "emitDeclarationOnly": true,                      /* Only output d.ts files and not JavaScript files. */
+    // "sourceMap": true,                                /* Create source map files for emitted JavaScript files. */
+    // "outFile": "./lib/index.js",                      /* Specify a file that bundles all outputs into one JavaScript file. If 'declaration' is true, also designates a file that bundles all .d.ts output. */
+    "outDir": "./lib",                                   /* Specify an output folder for all emitted files. */
+    // "removeComments": true,                           /* Disable emitting comments. */
+    // "noEmit": true,                                   /* Disable emitting files from a compilation. */
+    // "importHelpers": true,                            /* Allow importing helper functions from tslib once per project, instead of including them per-file. */
+    // "importsNotUsedAsValues": "remove",               /* Specify emit/checking behavior for imports that are only used for types. */
+    // "downlevelIteration": true,                       /* Emit more compliant, but verbose and less performant JavaScript for iteration. */
+    // "sourceRoot": "",                                 /* Specify the root path for debuggers to find the reference source code. */
+    // "mapRoot": "",                                    /* Specify the location where debugger should locate map files instead of generated locations. */
+    // "inlineSourceMap": true,                          /* Include sourcemap files inside the emitted JavaScript. */
+    // "inlineSources": true,                            /* Include source code in the sourcemaps inside the emitted JavaScript. */
+    // "emitBOM": true,                                  /* Emit a UTF-8 Byte Order Mark (BOM) in the beginning of output files. */
+    // "newLine": "crlf",                                /* Set the newline character for emitting files. */
+    // "stripInternal": true,                            /* Disable emitting declarations that have '@internal' in their JSDoc comments. */
+    // "noEmitHelpers": true,                            /* Disable generating custom helper functions like '__extends' in compiled output. */
+    // "noEmitOnError": true,                            /* Disable emitting files if any type checking errors are reported. */
+    // "preserveConstEnums": true,                       /* Disable erasing 'const enum' declarations in generated code. */
+    // "declarationDir": "./",                           /* Specify the output directory for generated declaration files. */
+    // "preserveValueImports": true,                     /* Preserve unused imported values in the JavaScript output that would otherwise be removed. */
+
+    /* Interop Constraints */
+    // "isolatedModules": true,                          /* Ensure that each file can be safely transpiled without relying on other imports. */
+    // "allowSyntheticDefaultImports": true,             /* Allow 'import x from y' when a module doesn't have a default export. */
+    "esModuleInterop": true,                             /* Emit additional JavaScript to ease support for importing CommonJS modules. This enables 'allowSyntheticDefaultImports' for type compatibility. */
+    // "preserveSymlinks": true,                         /* Disable resolving symlinks to their realpath. This correlates to the same flag in node. */
+    "forceConsistentCasingInFileNames": true,            /* Ensure that casing is correct in imports. */
+
+    /* Type Checking */
+    "strict": true,                                      /* Enable all strict type-checking options. */
+    // "noImplicitAny": true,                            /* Enable error reporting for expressions and declarations with an implied 'any' type. */
+    // "strictNullChecks": true,                         /* When type checking, take into account 'null' and 'undefined'. */
+    // "strictFunctionTypes": true,                      /* When assigning functions, check to ensure parameters and the return values are subtype-compatible. */
+    // "strictBindCallApply": true,                      /* Check that the arguments for 'bind', 'call', and 'apply' methods match the original function. */
+    // "strictPropertyInitialization": true,             /* Check for class properties that are declared but not set in the constructor. */
+    // "noImplicitThis": true,                           /* Enable error reporting when 'this' is given the type 'any'. */
+    // "useUnknownInCatchVariables": true,               /* Default catch clause variables as 'unknown' instead of 'any'. */
+    // "alwaysStrict": true,                             /* Ensure 'use strict' is always emitted. */
+    // "noUnusedLocals": true,                           /* Enable error reporting when local variables aren't read. */
+    // "noUnusedParameters": true,                       /* Raise an error when a function parameter isn't read. */
+    // "exactOptionalPropertyTypes": true,               /* Interpret optional property types as written, rather than adding 'undefined'. */
+    // "noImplicitReturns": true,                        /* Enable error reporting for codepaths that do not explicitly return in a function. */
+    // "noFallthroughCasesInSwitch": true,               /* Enable error reporting for fallthrough cases in switch statements. */
+    // "noUncheckedIndexedAccess": true,                 /* Add 'undefined' to a type when accessed using an index. */
+    // "noImplicitOverride": true,                       /* Ensure overriding members in derived classes are marked with an override modifier. */
+    // "noPropertyAccessFromIndexSignature": true,       /* Enforces using indexed accessors for keys declared using an indexed type. */
+    // "allowUnusedLabels": true,                        /* Disable error reporting for unused labels. */
+    // "allowUnreachableCode": true,                     /* Disable error reporting for unreachable code. */
+
+    /* Completeness */
+    // "skipDefaultLibCheck": true,                      /* Skip type checking .d.ts files that are included with TypeScript. */
+    "skipLibCheck": true                                 /* Skip type checking all .d.ts files. */
+  },
+  "exclude": ["lib", "node_modules"]
+}