This repository provides a starter template for integrating Keycloak authentication with a Next.js frontend and a Node.js + Express + MongoDB backend. It also includes role-based access control (RBAC) setup.
Make sure you have Docker Desktop installed and running.
Run the following command in your terminal (PowerShell, CMD, or bash):
docker run -d -p 8080:8080 \
-e KEYCLOAK_ADMIN=admin \
-e KEYCLOAK_ADMIN_PASSWORD=admin \
quay.io/keycloak/keycloak:26.0.0 start-devAfter running this command:
-
Open http://localhost:8080 in your browser.
-
Log in with:
- Username:
admin - Password:
admin
- Username:
-
Go to http://localhost:8080 → Login with admin credentials.
-
Click Create Realm → Name it
myrealm. -
Inside the realm, go to Clients → Click Create client.
- Client ID:
next-app - Client Authentication: On (confidential client)
- Standard Flow: Enabled
- Direct Access Grants: Enabled
- Root URL:
http://localhost:3000 - Valid Redirect URIs:
http://localhost:3000/* - Web Origins:
*
- Client ID:
To enable the Google login button on your Keycloak login page:
-
Go to the Google Cloud Console → create a new project.
-
Enable OAuth 2.0 Client ID under APIs & Services → Credentials.
-
Configure the Authorized Redirect URI in Google to point to your Keycloak realm callback URL:
-
Copy the generated Client ID and Client Secret.
-
In Keycloak Admin Console → Identity Providers, choose Google.
-
Paste the Client ID and Client Secret.
-
Save — now the Google login button will automatically appear on your Keycloak login page 🎉.
⚡ You don’t need extra UI work — Keycloak renders the Google button out of the box once it’s configured.
If you want to enable email verification, signup emails, and forgot password:
-
Go to Realm Settings → Login:
- Enable:
User registration,Email as username,Forgot password,Verify email.
- Enable:
-
Go to Realm Settings → Email:
- From:
[email protected] - Host:
smtp.gmail.com - Port:
587 - Encryption: StartTLS
- Authentication: Enabled
- Username: your Gmail
- Password: Gmail App Password (not your real Gmail password).
- From:
👉 To generate an app password in Gmail: Google Account → Security → App Passwords → Generate new.
PORT=5000
MONGODB_URI=mongodb://localhost:27017/keycloak_rbac
JWT_SECRET=your-super-secret-jwt-key-change-in-production
JWT_EXPIRES_IN=7d
KEYCLOAK_URL=http://localhost:8080
KEYCLOAK_REALM=myrealm
KEYCLOAK_CLIENT_ID=next-app
KEYCLOAK_CLIENT_SECRET=your-client-secret-here
FRONTEND_URL=http://localhost:3000cd backend
npm install
npm run devBackend will start at http://localhost:5000.
NEXT_PUBLIC_API_URL=http://localhost:5000
NEXT_PUBLIC_KEYCLOAK_URL=http://localhost:8080
NEXT_PUBLIC_KEYCLOAK_REALM=myrealm
NEXT_PUBLIC_KEYCLOAK_CLIENT_ID=next-app
NEXT_PUBLIC_APP_URL=http://localhost:3000cd frontend
npm install
npm run devFrontend will start at http://localhost:3000.
- User visits frontend → redirected to Keycloak login.
- After login, Keycloak redirects back to frontend with authorization code.
- Frontend exchanges code with backend → backend verifies with Keycloak.
- Backend stores user info in MongoDB (first-time signup) or updates last login.
- Backend issues its own JWT for session management.
- Frontend stores session (cookie/localStorage).
- Logout → clears both backend session and Keycloak SSO session.
- User roles are stored and managed in MongoDB, not in Keycloak.
- When a user logs in, backend ensures a record exists in MongoDB and attaches default role.
- Backend issues JWT including the role.
You now have a complete base setup:
- Keycloak (Auth)
- Node.js + Express + MongoDB backend (session, API, persistence, RBAC)
- Next.js frontend (UI, role indicators)
From here, you can build your application features on top of this authentication + authorization flow.