Safe Haskell | Safe-Inferred |
---|---|
Language | Haskell2010 |
Authentication with Keycloak is based on JWTs. This module helps you retrieve tokens from Keycloak, and use them to authenticate your users. In Keycloak, you need to configure a realm, a client and a user.
Users can also have additional attributes. To see them in the token, you need to add "protocol mappers" to the Client; these copy the User attribute into the token.
The example below retrieves a User token using login/password, verifies it, and extracts all the user details from it.
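As an added illustration (not part of this package's documentation), this is what a user-attribute protocol mapper looks like in Keycloak's JSON client representation. The attribute and claim name `department` are constructed for the example.

```json
{
  "name": "department",
  "protocol": "openid-connect",
  "protocolMapper": "oidc-usermodel-attribute-mapper",
  "config": {
    "user.attribute": "department",
    "claim.name": "department",
    "jsonType.label": "String",
    "id.token.claim": "true",
    "access.token.claim": "true",
    "userinfo.token.claim": "true"
  }
}
```

A JWT is signed, not encrypted, so every attribute mapped this way is readable by anyone who holds the token; map only the attributes the application actually needs.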
```haskell
{-# LANGUAGE OverloadedStrings #-} -- only needed if Username/Password are Text

import Control.Monad (void)
import Control.Monad.IO.Class (liftIO)
import Keycloak -- module name assumed; import whichever module exports this API

main :: IO ()
main = do
  -- Configure Keycloak with the adapter config file.
  -- You can retrieve this file in your Client/Installation tab (JSON format).
  -- This function will also get the signing keys from Keycloak,
  -- so make sure that Keycloak is on and configured!
  kcConfig <- configureKeycloak "keycloak.json"

  void $ flip runKeycloak kcConfig $ do
    -- Get a JWT from Keycloak. A JWT can then be used to authenticate
    -- yourself with an application.
    jwt <- getJWT "demo" "demo"
    liftIO $ putStrLn $ "Got JWT: \n" ++ (show jwt) ++ "\n\n"

    -- Retrieve the claims contained in the JWT.
    claims <- verifyJWT jwt
    liftIO $ putStrLn $ "Claims decoded from Token: \n" ++ (show claims) ++ "\n\n"

    -- Get the user from the claims.
    let user = getClaimsUser claims
    liftIO $ putStrLn $ "User decoded from claims: \n" ++ (show user) ++ "\n\n"
```
Documentation
getJWT :: MonadIO m => Username -> Password -> KeycloakT m JWT
Retrieve the user's token. This token can be used to authenticate the user. It can also be used for all other Keycloak calls.
getClientJWT :: MonadIO m => KeycloakT m JWT
Return a Client token (linked to a Client, not a User). It is useful for creating Resources in that Client in Keycloak.
verifyJWT :: (MonadTime m, MonadIO m) => JWT -> KeycloakT m ClaimsSet
Verify a JWT. If successful, the claims are returned. Otherwise, a JWTError is thrown.
getClaimsUser :: ClaimsSet -> User
Extract the user identity from a token. Additional attributes can be encoded in the token.