A package that provides a seamless interface for integrating Keycloak authentication into Angular applications. It simplifies communication between Angular and Keycloak, handling token management, session control, and user authentication.
To get started, you can install this package using your preferred package manager.
npm install @ogs-gmbh/ngx-keycloakOther package manager
yarn add @ogs-gmbh/ngx-keycloakpnpm install @ogs-gmbh/ngx-keycloakImport the library module in a module of our application:
...
@NgModule({
...
imports: [
...
KeycloakModule
...
]
...
})
...This provides our application the ability to use all functionalities from this package.
For configure this package, we need to provide a configuration with the type of KeycloakConfig. This configuration represents the customizations of the Keycloak-Workflow on our client-side.
Supported properties of KeycloakConfig:
resource: string,
authServerUrl: string,
realm: string,
guardFallbackUrl: string,
storageType: Storage,
storageKey: string,
useEmailAsCurrentUser?: boolean | undefined,
timeout?: number | undefined,
expirationOffset?: number | undefinedAfter creating a KeycloakConfig, we can provide it by an injection-token:
...
@NgModule({
...
providers: [
...
{
provide: KEYCLOAK_CONFIG_TOKEN,
useValue: KEYCLOAK_CONFIG
}
...
]
...
})
...The resource our client is accessing to. This option'll be appended into the requests' body as form data with the key "client_id".
The URL or Path to our auth server. Every endpoint from Keycloak will be appended to this.
The realm from Keycloak specifikation.
Fallback-URL the user gets redirected to, when securing router with keycloakGuard and missing authentication.
This property allows to specify, which storage should be used to store value.
This property enables the customization of the key, where the storage (if enabled) should store the values.
This property is only for internal use.
With this property set to true, the email given by KeycloakService.login()'ll be used as currentUser HTTP requests header field as long as the KeycloakInterceptor is used.
Default: false
This property is for controlling the HTTP request timeout (in milliseconds).
Default: 3000
This property allows to add offset (in milliseconds) to the expiration of the Access Token.
Default: 3000
To be able to use this Service, we need to provide it in a injection-context.
private readonly _keycloakService: KeycloakService = inject(KeycloakService);This methods allows to add a callback to this service, that'll be executed if the user is not authorised by Keycloak.
Arguments:
- value: The callback, that'll be executed.
login(email: string, password: string, additionalsInRequest?: AdditionalsInRequest | undefined): Observable<KeycloakTokens>
This methods is used for authenticating a user by a given email and password.
Arguments:
- email: The given email by the user
- password: The given password by the user
- additionalsInRequest?: Additional HTTP header and body values.
Returns: The KeycloakTokens of the newly created Keycloak session as Observable.
This methods is used to logout the currently logged in user.
Arguments:
- additionsInRequest?: Additional HTTP header and body values.
Returns: An Observable
Initializing the Access Token update procedure by calling this method.
Arguments:
- additionsInRequest?: Additional HTTP header and body values.
validateCredentials(email: string, password: string, additionalsInRequest?: AdditionalsInRequest | undefined): Observable<void>
Validate credentials of an user by creating a new Keycloak session.
If the given credentials are valid, then the Keycloak Session'll be invalidated by revoking the Access Tokens of the created Keycloak session.
Otherwise, a new Keycloak session could not be created and a revokation is void.
Arguments:
- email: The given email by the user
- password: The given password by the user
- additionalsInRequest?: Additional HTTP header and body values.
Returns: An Observable
Revoke a saved or overwritten Refresh Token by Keycloak since it is allowed by Keycloak.
For the OAuth Revoke Specifications: See here
Arguments:
- overwriteRefreshToken?: Optional Refresh Token, that'll be revoked. If it is not set, the currently issued Refresh Token will be used.
Returns: An Observable
Revoke a saved or overwritten Access Token by Keycloak.
For the OAuth Revoke Specifications: See here
Arguments:
- overwriteAccessToken?: Optional Access Token, that'll be revoked. If it is not set, the currently issued Access Token will be used.
Returns: An Observable
Check if the user is authorized.
Returns: true, if the user is authorized. Othwerise false.
To be able to use this Service, we need to provide it in a injection-context.
private readonly _keycloakStoreService: KeycloakStoreService = inject(KeycloakStoreService);By calling this method, the whole storage will be cleared.
Getter for getting the email, which is in the storage.
Returns: string if the email is present. Otherwise null.
Setter for setting the email in the storage.
Arguments:
- email: The email, that should be stored.
Getter for getting the tokens (Access Token & Refresh Token), which are in the storage.
Returns: KeycloakTokens if the tokens are present. Otherwise null.
Setter for setting the tokens (Access Token & Refresh Token) in the storage.
Arguments:
- The tokens, that should be stored.
Getter for getting the Access Token, that is stored in the storage.
Returns: string, that represents the Access Token, if the Access Token is present in the storage. Otherwise undefined.
Getter for getting the Refresh Token, that is stored in the storage.
Returns: stirng, that represents the Refresh Token, if the Refresh Token is present in the storage. Otherwise undefined.
Getter for getting the TTL of Access Token.
Default: 300
Returns: number, that represents the TTL of the Access Token, if the Access Token is present in the storage. Otherwise the default value.
Getter for getting the remaining TTL of Access Token.
Default: 300
Returns: number, that represents the remaining TTL of the Access Token, if the Access Token is present in the storage. Otherwise the default value.
Getter for getting the remaining TTL of Refresh Token.
Default: 1800
Returns: number, that represents the remaining TTL of the Refresh Token, if the Refresh Token is present in the
storage. Otherwise the default value.
Getter for getting the Base64Url-decoded Access Token.
Returns ParsedKeycloakToken if the Access Token could be decoded. Otherwise null.
Getter for getting the Base64Url-decoded Refresh Token.
Returns ParsedKeycloakToken if the Refresh Token could be decoded. Otherwise null.
The MIT License (MIT) - Please have a look at the LICENSE file for more details.
Contributions are always welcome and greatly appreciated. Whether you want to report a bug, suggest a new feature, or improve the documentation, your input helps make the project better for everyone.
If you're unsure where to start, check the open issues for guidance. Even small contributions, such as fixing typos or improving code readability, are valuable.
Feel free to submit a pull request or start a discussion — we're happy to collaborate!
Gesellschaft für Datenverarbeitung und Systemberatung mbH