I wanted to ask if anyone knows of any vanilla JS lib that helps SPAs work with the keycloak adapter. Specifically, the generic functionality that we see repeated over and over is:
- Dynamically pulling the keycloak.js adapter file from the server.
- Hooking into window user events and updating the token to prevent the session from going idle. This is to help SPAs where user activity does not always trigger a network request.
Although this is not a ton of stuff, I think it might be nice to not have to re-implement it over and over. I’ve seen framework-specific libs out there, but have not seen any such light wrapper. Does anyone know if something like this exists? Or if not, is there any reason this might be a bad idea?
I don’t pull the lib dynamically from the server, I integrate it into my app dependencies in package.json, as usual. Then, I’m using the code when I need it, no hooking into window events and nothing. It works as expected.
If people are doing what you described, then they’re doing it w… in a strange way.
Check out my repo at GitHub - dasniko/keycloak-reactjs-demo: Demo for React.js and Keycloak SSO integration. and my corresponding video at Keycloak & React.JS - Part 1 - YouTube
Statically bundling the keycloak.js adapter into your SPA is not the recommended approach. From the KC docs here: Securing Applications and Services Guide it says:
As for hooking into window events for user actions, I agree the more common situation is that apps will be triggering network calls when the user is active, and hence causing the token to refresh on activity. However, in some cases (and we have lots of apps like this), SPAs will not have network requests being triggered as the user uses the app… which will make it possible for the user to hit the idle time if they never refresh the token. We deal with this by just calling updateToken periodically on user activity: it’s throttled, and the call itself to the adapter will only trigger a refresh if it’s about to expire. If this is not done, a user’s session may hit the idle expiration time even though the user has been active.
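
The throttled, activity-driven refresh described in the last reply, sketched as an added example that is not code from the thread or from keycloak-js. Only `keycloak.updateToken(minValidity)` is adapter API; the function name `attachActivityRefresh` and all option names are hypothetical.

```javascript
// Added example: refresh the Keycloak token on user activity, throttled.
// `keycloak` is an initialised keycloak-js instance (anything exposing
// updateToken(minValidity) -> Promise<boolean> works); `target` is an
// EventTarget such as `window`. Option names below are hypothetical.
function attachActivityRefresh(keycloak, target, options = {}) {
  const {
    events = ['mousedown', 'keydown', 'scroll', 'touchstart'],
    throttleMs = 60_000,      // at most one updateToken call per minute
    minValiditySec = 70,      // keep >= throttle window so expiry cannot slip
                              // through between two throttled checks
    onSessionLost = () => {}, // e.g. () => keycloak.login()
    now = Date.now,           // injectable clock, useful in tests
  } = options;

  let lastAttempt = -Infinity;

  const handler = () => {
    const t = now();
    if (t - lastAttempt < throttleMs) return; // throttled: ignore this event
    lastAttempt = t;
    // The adapter contacts the server only when the token expires within
    // minValiditySec; otherwise the promise resolves to false.
    // A rejection means the refresh failed (session expired or revoked).
    keycloak.updateToken(minValiditySec).catch(() => onSessionLost());
  };

  for (const name of events) {
    target.addEventListener(name, handler, { passive: true });
  }

  // Return a detach function so listeners can be removed on logout.
  return () => {
    for (const name of events) target.removeEventListener(name, handler);
  };
}
```

In a browser this would be called once after `keycloak.init(...)` resolves, for example `attachActivityRefresh(keycloak, window, { onSessionLost: () => keycloak.login() })`.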