|
15 | 15 | ---
|
16 | 16 |
|
17 | 17 | ## Introduction
|
18 |
| -**hapi-auth-keycloak** is a plugin for [hapi.js][hapijs] which enables to protect your endpoints in a smart but professional manner using [Keycloak][keycloak] as authentication service. It is inspired by the related [express.js middleware][keycloak-node]. The plugin validates the passed [`Bearer` token][bearer] offline with a provided public key or online with help of the [Keycloak][keycloak] server. Optionally, the successfully validated tokens and the related user data get cached using [`catbox`][catbox]. The caching enables a fast processing even though the user data don't get changed until the token expires. It plays well with the [hapi.js][hapijs]-integrated [authentication/authorization feature][hapi-route-options]. Besides the authentication strategy it is possible to validate tokens by yourself, e.g. to authenticate incoming websocket or queue messages. |
| 18 | +**hapi-auth-keycloak** is a plugin for [hapi.js][hapijs] which enables to protect your endpoints in a smart but professional manner using [Keycloak][keycloak] as authentication service. It is inspired by the related [express.js middleware][keycloak-node]. The plugin validates the passed [`Bearer` token][bearer] offline with a provided public key or online with help of the [Keycloak][keycloak] server. Optionally, the successfully validated tokens and the related user data get cached using [`catbox`][catbox]. The caching enables a fast processing even though the user data don't get changed until the token expires. Furthermore it is possible to enable an api key interceptor proxying the request to an api key service which returns the temporary bearer token. It plays well with the [hapi.js][hapijs]-integrated [authentication/authorization feature][hapi-route-options]. Besides the authentication strategy it is possible to validate tokens by yourself, e.g. to authenticate incoming websocket or queue messages. |
19 | 19 |
|
20 | 20 | The modules [`standard`][standardjs] and [`ava`][avajs] are used to grant a high quality implementation.<br/>
|
21 | 21 | This major release supports just [hapi.js](https://github.com/hapijs/hapi) `>=v17.0.0` and node `>=v8.0.0` — to support older versions please use `v2.1.0`.
|
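Review bot: The sentence added to the introduction ("Furthermore it is possible to enable an api key interceptor ...") does not point to the `apiKey` option that configures the feature, and does not say whether the bearer token returned by the api key service goes through the same offline/online validation and caching described in the preceding sentences. Suggest stating that explicitly and referencing the option, for example: "Furthermore, an optional api key interceptor (see `apiKey`) can proxy the request to an api key service which returns a temporary bearer token."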
@@ -133,13 +133,36 @@ The value have to be a positive integer.<br/>
|
133 | 133 | Optional. Default: `0`.
|
134 | 134 |
|
135 | 135 | - `userInfo {Array.<?string>}` — List of properties which should be included in the `request.auth.credentials` object besides `scope` and `sub`.<br/>
|
136 |
| -Optional. Default: `[]`.<br/> |
| 136 | +Optional. Default: `[]`. |
137 | 137 |
|
138 | 138 | - `cache {Object|boolean}` — The configuration of the [hapi.js cache][hapi-server-cache] powered by [catbox][catbox]. If the property `exp` ('expires at') is undefined, the plugin uses 60 seconds as default TTL. Otherwise the cache entry expires as soon as the token itself expires.<br/>
|
139 | 139 | Please mind that an enabled cache leads to disabled live validation after the related token is cached once.<br/>
|
140 | 140 | If `false` the cache is disabled. Use `true` or an empty object (`{}`) to use the built-in default cache. Otherwise just drop in your own cache configuration.<br/>
|
141 | 141 | Optional. Default: `false`.
|
142 | 142 |
|
| 143 | +- `apiKey {Object}` — <br/> |
| 144 | +Optional. Default: `undefined`. |
| 145 | + |
| 146 | + - `url {string}` — The absolute url to be requested. It's possible to use a [`pupa` template][pupa] with placeholders called `realm` and `clientId` getting rendered based on the passed options.<br/> |
| 147 | + Example: `http://barfoo.com/foo/{clientId}`<br/> |
| 148 | + Required. |
| 149 | + |
| 150 | + - `in {string}` — Whether the api key is placed in the headers or query.<br/> |
| 151 | + Allowed values: `headers` & 'query'<br/> |
| 152 | + Optional. Default: `headers`. |
| 153 | + |
| 154 | + - `name {string}` — The name of the related headers field or query key.<br/> |
| 155 | + Optional. Default: `authorization`. |
| 156 | + |
| 157 | + - `prefix {string}` — An optional prefix of the related api key value. Mind a trailing space if necessary.<br/> |
| 158 | + Optional. Default: `Api-Key `. |
| 159 | + |
| 160 | + - `tokenPath {string}` — The path to the access token in the response its body as dot notation.<br/> |
| 161 | + Optional. Default: `access_token`. |
| 162 | + |
| 163 | + - `request {Object}` – The detailed request options for [`got`][got].<br/> |
| 164 | + Optional. Default: `{}` |
| 165 | + |
143 | 166 | #### `await server.kjwt.validate(field {string})`
|
144 | 167 | - `field {string}` — The `Bearer` field, including the scheme (`bearer`) itself.<br/>
|
145 | 168 | Example: `bearer 12345.abcde.67890`.<br/>
|
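Review bot: The `apiKey {Object}` entry at the top of the added block has an empty description: nothing stands between the dash and `<br/>`, so the reader has to infer the purpose of the option from its sub-properties. Suggest one sentence saying what the interceptor does, matching the wording used in the introduction. The `in` and `name` entries should say whether they describe the incoming request or the request sent to `url`, and since `query` puts the api key into a URL, where it usually ends up in access logs and proxy logs, the docs should recommend keeping the default `headers`. The `url` example uses `http://` although the api key is forwarded to that address; an `https://` example would be the safer thing to copy. Minor style points: the allowed values are quoted inconsistently (`headers` & 'query'), the `request` entry uses a different dash than the other entries, and its default line lacks the trailing period.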
@@ -261,3 +284,5 @@ For further information read the [contributing guideline](CONTRIBUTING.md).
|
261 | 284 | [introspect]: http://www.keycloak.org/docs/2.4/authorization_services_guide/topics/service/protection/token-introspection.html
|
262 | 285 | [rpt]: http://www.keycloak.org/docs/2.4/authorization_services_guide/topics/service/entitlement/entitlement-api-aapi.html
|
263 | 286 | [rpt-terms]: http://www.keycloak.org/docs/2.4/authorization_services_guide/topics/overview/terminology.html
|
| 287 | +[got]: https://github.com/sindresorhus/got |
| 288 | +[pupa]: https://github.com/sindresorhus/pupa |