Express-jwt and Keycloak: how I did not use official Keycloak library


We have many microservices that run on multiple deployments. I wanted to add security by using Keycloak with the help of JWT.


One of the earliest solution was to use Keycloak Js Adapter. Yet, Keycloak JS adapter requires following:

which seems cumbersome way of doing this.

I thought there must be more simple way, I just wanted to validate requests.

That’s why I liked Spring Boot approach which is:

  • include package
  • add one line config

At start, it fetches makes request to issuer-uri which has response like this

and stores public_key which is used to validate JWT tokens. It doesn't make request each time to verify JWT.
As result, any request is validated and working out of box.

So I wanted to replicate this on NodeJS.

I started with express-jwt and simple example was like this

However it was problem for us to provide public key because

  • we have multiple deployments
  • each deployment has its own Keycloak.

We couldn’t maintain this so I decided to implement like in Spring Boot.

With the help sync-request package:

I achieved on-start fetch of public key without cumbersome settings on NodeJS.