
Runtime Configuration

Open Flinty916 opened this issue 1 year ago • 7 comments

Hi All!

I run my Nuxt 3 app in Kubernetes, and I've been having some issues with Keycloak runtime configuration.

With the following nuxt.config.ts:

oidc: {
  defaultProvider: "keycloak",
  middleware: {
    globalMiddlewareEnabled: false,
    customLoginPage: false,
  },
  providers: {
    keycloak: {
      exposeAccessToken: true,
      audience: "account",
      baseUrl: "https://<my-kc-url>/realms/<my-realm>",
      clientId: "",
      clientSecret: "",
      redirectUri: "",
      userNameClaim: "preferred_username",
      logoutRedirectUri: "http://localhost:3000",
    },
  },
},

Then environment variables are in a configmap like so:

NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET: ""
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID: ""
NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL: ""
NUXT_OIDC_PROVIDERS_KEYCLOAK_REDIRECT_URI: ""
NUXT_OIDC_PROVIDERS_KEYCLOAK_LOGOUT_REDIRECT_URI: ""
NUXT_OIDC_AUTH_SESSION_SECRET: ""

Where all the values are set correctly.

When I try to load into my site when it's deployed, I get constant redirect loops, unless I hardcode my URLs.

Any tips?

Many thanks

Flinty916 avatar Apr 07 '25 18:04 Flinty916

Not all of those environment vars are pulled into the Keycloak provider config. I ran into the same thing and configured it this way:

oidc: {
  defaultProvider: 'keycloak',
  providers: {
    keycloak: {
      audience: 'account',
      optionalClaims: ['resource_access'],
      baseUrl: process.env.KEYCLOAK_BASE_URL || 'http://localhost:8080/realms/myrealm',
      clientId: process.env.KEYCLOAK_CLIENT_ID || 'myclient',
      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || 'a_default_dev_value',
      redirectUri: 'http://localhost:3000/auth/keycloak/callback',
      userNameClaim: 'preferred_username',
    },
  },
  middleware: {
    globalMiddlewareEnabled: false,
    customLoginPage: false,
  },
},

theolint avatar May 20 '25 01:05 theolint

@theolint sadly, using your solution, overwriting baseUrl at runtime via env file in docker does not work either.

Valumard avatar Jun 09 '25 21:06 Valumard

Any suggestions? We're running into the same issue.

Diologenes avatar Jun 10 '25 12:06 Diologenes

Running into the same problem, please help

jahusa02 avatar Jun 11 '25 13:06 jahusa02

I seem to be facing a similar issue. After deploying my app, I get the following error: Page not found: /auth/auth0/authorize?...

The only way I found to make it work is to hardcode OIDC settings.

maximemoreillon avatar Jun 26 '25 13:06 maximemoreillon

This can be worked around by using environment variables to override all of the URLs that get built from the base URL:

NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_ID=pg
NUXT_OIDC_PROVIDERS_KEYCLOAK_REDIRECT_URI=http://localhost:3000/auth/keycloak/callback
NUXT_OIDC_PROVIDERS_KEYCLOAK_CLIENT_SECRET=secrets_go_here

NUXT_OIDC_PROVIDERS_KEYCLOAK_BASE_URL=http://localhost:8080/realms/master
NUXT_OIDC_PROVIDERS_KEYCLOAK_AUTHORIZATION_URL=http://localhost:8080/realms/master/protocol/openid-connect/auth
NUXT_OIDC_PROVIDERS_KEYCLOAK_TOKEN_URL=http://localhost:8080/realms/master/protocol/openid-connect/token
NUXT_OIDC_PROVIDERS_KEYCLOAK_USER_INFO_URL=http://localhost:8080/realms/master/protocol/openid-connect/userinfo
NUXT_OIDC_PROVIDERS_KEYCLOAK_LOGOUT_URL=http://localhost:8080/realms/master/protocol/openid-connect/logout

And as @foxlegend pointed out (thanks!), these values should be set to empty string in nuxt.config.ts to ensure that these keys exist in the runtime configuration so that they can be overridden by the environment variables above:

      keycloak: {
        audience: 'account',
        baseUrl: '',
        authorizationUrl: '',
        tokenUrl: '',
        userInfoUrl: '',
        logoutUrl: '',
        clientId: '',
        clientSecret: '',
        redirectUri: '',
        logoutRedirectUri: '',
        userNameClaim: 'preferred_username',
        sessionConfiguration: {
          singleSignOut: true,
        },
      },

I have a fork of this module for other fixes, which I also updated to build the various URLs from baseUrl at runtime. But, the above method will work without modifications to nuxt-oidc-auth.

theolint avatar Jun 30 '25 01:06 theolint

Hello,

I confirm this works 😊, but you should also add the authorizationUrl, tokenUrl, userInfoUrl and logoutUrl keys to the oidc provider configuration (to have them put in the runtimeConfig by the module at build time).

From what I have found, all these *url are constructed at build time based on the baseUrl value and put in the runtimeConfig Nuxt configuration section by the module, and then reused as is at runtime. This seems to be the reason that overriding the baseUrl does nothing and that you should override the *url with their full URL.

Just a side note because this is something I tried just before: if you add them manually in the runtimeConfig section, you may have some side effects to take care of because of unmerged values as you are overriding the one provided by the module... (in short, do not use runtimeConfig to override values of this module).

foxlegend avatar Jun 30 '25 13:06 foxlegend
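
The behaviour described in the last two replies, as an added example that is not part of the thread and is not code from Nuxt or nuxt-oidc-auth: a simplified model in which the endpoint URLs are derived from baseUrl once at build time and NUXT_* variables only override keys that already exist, followed by a startup check that flags endpoints still pointing at the build-time host. The function names, the kc.example.test and app.example.test hosts and all sample values are constructed for illustration.

```javascript
// Simplified model; assumption-based, not the module's implementation.
// camelCase key -> SNAKE_CASE segment used in NUXT_* variable names.
const envKey = (k) => k.replace(/([a-z0-9])([A-Z])/g, '$1_$2').toUpperCase();

// Runtime step: override only keys that already exist in the built config.
function applyEnv(config, env, prefix = 'NUXT') {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    const name = `${prefix}_${envKey(key)}`;
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[key] = applyEnv(value, env, name);
    } else {
      out[key] = name in env ? env[name] : value;
    }
  }
  return out;
}

// Build-time step: endpoint URLs are derived from baseUrl once and frozen.
function buildProvider(p) {
  const oidc = `${p.baseUrl}/protocol/openid-connect`;
  return { ...p, authorizationUrl: `${oidc}/auth`, tokenUrl: `${oidc}/token`,
    userInfoUrl: `${oidc}/userinfo`, logoutUrl: `${oidc}/logout` };
}

// Startup check: every endpoint must sit under the effective baseUrl,
// and the client credentials must not be left empty.
function checkProvider(p) {
  const problems = [];
  for (const k of ['authorizationUrl', 'tokenUrl', 'userInfoUrl', 'logoutUrl']) {
    if (!p[k] || !p[k].startsWith(`${p.baseUrl}/`)) problems.push(`${k} is not under baseUrl`);
  }
  for (const k of ['clientId', 'clientSecret', 'redirectUri']) {
    if (!p[k]) problems.push(`${k} is empty`);
  }
  return problems;
}

// Constructed build output and constructed deployment environment.
const built = { oidc: { providers: { keycloak: buildProvider({
  baseUrl: 'http://localhost:8080/realms/master',
  clientId: '', clientSecret: '', redirectUri: '' }) } } };
const P = 'NUXT_OIDC_PROVIDERS_KEYCLOAK_';
const PARTIAL_ENV = { [`${P}BASE_URL`]: 'https://kc.example.test/realms/prod',
  [`${P}CLIENT_ID`]: 'web', [`${P}CLIENT_SECRET`]: 'constructed-secret',
  [`${P}REDIRECT_URI`]: 'https://app.example.test/auth/keycloak/callback' };
const effective = (env) => applyEnv(built, env).oidc.providers.keycloak;

console.log(checkProvider(effective(PARTIAL_ENV)));
```

Running a check like this at container start and failing fast turns a redirect loop into a readable configuration error.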