I wanted to ask if anyone knows of any vanilla JS lib that helps SPA’s work with the keycloak adapter. Specifically, the generic functionality that we see repeated over and over is:
Dynamically pulling the keycloak.js adapter file from the server.
Hooking into window user events and updating the token to prevent the session from going idle. This is to help SPA’s where user activity does not always trigger a network request.
Although this is not a ton of stuff I think it might be nice to not have to re-implement it over and over. I’ve see framework specific libs out there, but have not seen any such light wrapper. Does anyone know if something like this exists? Or if not, is there any reason this might be a bad idea?
Hm, the keycloak-js IS THE vanilla javascript adapter for Keycloak. I’m using it since years in my react based apps (I’ve several of them).
I don’t pull the lib dynamically from the server, I integrate it to my app dependencies in package.json, as usual. Then, I’m using the code when I need it, no hooking into window events and nothing. It works like expected.
If people doing what you described, then they’re doing it w… in a strange way.
Statically bundling the keycloak.js adapter into your SPA is not the recommend approach. From the KC docs here: Securing Applications and Services Guide it says:
“A best practice is to load the JavaScript adapter directly from Keycloak Server as it will automatically be updated when you upgrade the server. If you copy the adapter to your web application instead, make sure you upgrade the adapter only after you have upgraded the server.”
As for hooking into window events for user actions, I agree the more common situation is that apps will be triggering network calls when the user is active, and hence causing the token to refresh on activity. However, in some cases (and we have lots of apps like this), SPA’s will not have network requests being triggered as the user uses the app… which will make it possible for the user to hit the idle time if they never refresh the token. We deal with this by just calling updateToken periodically on user activity: its throttled, and the call itself to the adapter will only trigger a refresh if its about to expire. If this is not done a users session may hit the idle expiration time even though the user has been active.