1 of 1

Keycloak

Getting the `issuerUri` and `clientId`

oidc-spa requires two parameters to connect to your Keycloak instance: issuerUri and clientId.

`issuerUri`

In Keycloak, the OIDC issuer URI follows this format:

https://<KC_DOMAIN><KC_RELATIVE_PATH>/realms/<REALM_NAME>

<KC_DOMAIN>: The domain where your Keycloak server is hosted (e.g., auth.my-company.com).
<KC_RELATIVE_PATH>: The subpath under which Keycloak is hosted. In recent versions, this is an empty string (""). In older versions, it was "/auth". Check your Keycloak server configuration; this parameter is typically set using an environment variable: Example: -e KC_HTTP_RELATIVE_PATH=/auth

`clientId`

The clientId is usually something like 'myapp'. Follow these steps to create a suitable client for your SPA:

Open https://<KC_DOMAIN><KC_RELATIVE_PATH>/admin/master/console.
Log in as an administrator.
Select your realm from the top-left dropdown.

Session Lifespan Configuration

One important policy to define is how often users need to re-authenticate when visiting your site.

This configuration does not affect the access token lifetime (default: 5 minutes). It controls how long Keycloak keeps the session active.

🔐 Security-Sensitive Apps (Banking, Admin Panels, etc.)

For security-critical apps, users should log in each visit and be logged out after inactivity.

Why? Users accessing sensitive applications should not remain authenticated indefinitely, especially if they step away from their device. The session idle timeout ensures automatic logout after inactivity.

Steps to enforce this policy:

Disable "Remember Me":
- Select your realm.
- Navigate to Realm Settings → Login.
- Set "Remember Me"

For apps where users should remain logged in for weeks or months (e.g., YouTube-style behavior):

Enable "Remember Me":
- Select your realm.
- Navigate to Realm Settings → Login.
- Set "Remember Me"

🗑️ Allowing Users to Delete Their Own Accounts

By default, Keycloak does not allow users to delete their accounts.

If you implement a , users will see an "Action not permitted" error.

Enabling Account Deletion:

Navigate to Authentication → Required Actions.
Enable "Delete Account".
Go to Realm Settings → User Registration → Default Roles.
Click Assign Role

Testing the Setup

To test your configuration:

Keycloak

Getting the `issuerUri` and `clientId`

oidc-spa requires two parameters to connect to your Keycloak instance: issuerUri and clientId.

const { ... } = createOidc({
    issuerUri: "...",
    clientId: "...",
    // ...
});

`issuerUri`

In Keycloak, the OIDC issuer URI follows this format:

https://<KC_DOMAIN><KC_RELATIVE_PATH>/realms/<REALM_NAME>

<KC_DOMAIN>: The domain where your Keycloak server is hosted (e.g., auth.my-company.com).
<KC_RELATIVE_PATH>: The subpath under which Keycloak is hosted. In recent versions, this is an empty string (""). In older versions, it was "/auth". Check your Keycloak server configuration; this parameter is typically set using an environment variable: Example: -e KC_HTTP_RELATIVE_PATH=/auth

`clientId`

The clientId is usually something like 'myapp'. Follow these steps to create a suitable client for your SPA:

Open https://<KC_DOMAIN><KC_RELATIVE_PATH>/admin/master/console.
Log in as an administrator.
Select your realm from the top-left dropdown.

Session Lifespan Configuration

One important policy to define is how often users need to re-authenticate when visiting your site.

This configuration does not affect the access token lifetime (default: 5 minutes). It controls how long Keycloak keeps the session active.

🔐 Security-Sensitive Apps (Banking, Admin Panels, etc.)

For security-critical apps, users should log in each visit and be logged out after inactivity.

Steps to enforce this policy:

Disable "Remember Me":
- Select your realm.
- Navigate to Realm Settings → Login.
- Set "Remember Me"

For apps where users should remain logged in for weeks or months (e.g., YouTube-style behavior):

Enable "Remember Me":
- Select your realm.
- Navigate to Realm Settings → Login.
- Set "Remember Me"

🗑️ Allowing Users to Delete Their Own Accounts

By default, Keycloak does not allow users to delete their accounts.

If you implement a , users will see an "Action not permitted" error.

Enabling Account Deletion:

Navigate to Authentication → Required Actions.
Enable "Delete Account".
Go to Realm Settings → User Registration → Default Roles.
Click Assign Role

Testing the Setup

To test your configuration:

Configure session timeout:

Users without "Remember Me" will need to log in every 2 weeks:
- Set Session idle timeout: 14 days.
- Set Session max idle timeout: 14 days.
Users who checked "Remember Me" should stay logged in for 1 year:
- Set Session idle timeout (Remember Me): 365 days.
- Set Session max idle timeout (Remember Me): 365 days.

Keycloak

Getting the issuerUri and clientId

issuerUri

clientId

Session Lifespan Configuration

🔐 Security-Sensitive Apps (Banking, Admin Panels, etc.)

🛍️ Non-Sensitive Apps (E-commerce, Social Media, etc.)

🗑️ Allowing Users to Delete Their Own Accounts

Testing the Setup

Keycloak

Getting the issuerUri and clientId

issuerUri

clientId

Session Lifespan Configuration

🔐 Security-Sensitive Apps (Banking, Admin Panels, etc.)

🛍️ Non-Sensitive Apps (E-commerce, Social Media, etc.)

🗑️ Allowing Users to Delete Their Own Accounts

Testing the Setup

Getting the `issuerUri` and `clientId`

`issuerUri`

`clientId`

Getting the `issuerUri` and `clientId`

`issuerUri`

`clientId`