A New Collection of Thoughtful Learning Apps — Now Available on iOS & Android

By -
Image
I’m excited to share a set of mobile apps I’ve recently completed and published on both the Google Play Store and the Apple App Store. These apps are designed with a simple goal in mind: to make meaningful, structured content more accessible, whether you’re studying theology or improving your English vocabulary. 📱 Now Available on Both Platforms All apps are live and available for download: Google Play Developer Page: https://play.google.com/store/apps/dev?id=5835943159853189043 Apple App Store Developer Page: https://apps.apple.com/ca/developer/q-z-l-corp/id1888794100 📖 Theology & Confession Study Apps For those interested in Reformed theology and classical Christian teachings, I’ve developed a series of apps that present foundational texts in a clean, focused reading format: The Belgic Confession Canons of Dort Heidelberg Catechism Westminster Shorter Catechism Each app is designed to provide a distraction-free experience, making it easier to read, reflect, and revisit these im...
Post a Comment

Next.js + NextAuth.js — Keycloak SSO Integration

By -

Next.js + NextAuth.js — Keycloak SSO Integration

In the previous post, we introduced NextAuth.js and the basic SSO concepts for frontend apps. Now we will integrate Keycloak with NextAuth.js and implement a full login flow in Next.js.

Step 1: Configure Keycloak client

Assuming you already have a Keycloak realm:

  1. Create a client for your Next.js app (e.g., nextjs-app)
  2. Set Access Type to public or confidential depending on your security strategy
  3. Add valid redirect URIs: http://localhost:3000/api/auth/callback/keycloak
  4. Optional: configure roles and mappers

Step 2: Install NextAuth.js in Next.js

npm install next-auth

Create the authentication API route: pages/api/auth/[...nextauth].js

Step 3: Configure Keycloak provider in NextAuth.js



import NextAuth from "next-auth";

import KeycloakProvider from "next-auth/providers/keycloak";

export default NextAuth({

  providers: [

    KeycloakProvider({

      clientId: process.env.KEYCLOAK_CLIENT_ID,

      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,

      issuer: process.env.KEYCLOAK_ISSUER

    })

  ],

  session: { strategy: "jwt" },

  callbacks: {

    async jwt({ token, account }) {

      if (account) {

        token.accessToken = account.access_token;

        token.idToken = account.id_token;

      }

      return token;

    },

    async session({ session, token }) {

      session.accessToken = token.accessToken;

      session.idToken = token.idToken;

      return session;

    }

  }

});

> Key points:

  • Use issuer from your Keycloak realm URL
  • JWT strategy keeps the session on the client side for API calls
  • Callbacks inject access tokens and ID tokens into the session

Step 4: Protecting pages

Use getServerSideProps or useSession hook for page protection: 



import { getSession, useSession } from "next-auth/react";

export default function Profile() {

  const { data: session } = useSession();

  if (!session) return <p>Access Denied</p>;

  return <div>Welcome {session.user.name}!</div>;

}

// Or server-side

export async function getServerSideProps(context) {

  const session = await getSession(context);

  if (!session) {

    return {

      redirect: { destination: "/api/auth/signin", permanent: false }

    };

  }

  return { props: { session } };

}

Step 5: Calling backend APIs with Keycloak token

When calling your Spring Boot backend: 



const res = await fetch("/api/protected", {

  headers: { Authorization: `Bearer ${session.accessToken}` }

});

> Your backend validates the JWT as usual (Spring Boot + Keycloak).

Step 6: Debugging tips

  • Redirect loops: check callback URLs in Keycloak and NextAuth.js
  • Roles not applied: verify mappers and session callbacks
  • Token expiration: NextAuth.js can refresh tokens using JWT callbacks
  • Inspect tokens: log session.accessToken for debugging

Next steps

The next post will cover **handling sessions, roles, and protecting routes** in Next.js using NextAuth.js, including role-based page access and API protection.

Part of the Next.js Frontend SSO Series

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular Posts

2026 Begins: Choosing to Stay on the Path as a Blogger

By -
Image
  Today is January 1st, 2026 . Before rushing into new goals, I spent some time looking back at the past 12 months of data for this blog — the quiet numbers that tell a very honest story. Looking Back at the Numbers Over the past year: 📈 Total views: ~44,600 👀 Daily average visits: ~200 💬 Comments: 19 💰 AdSense income: about $0.01 per month At first glance, these numbers may look small — especially the income. But when I zoom out, I see something more meaningful. This blog has been quietly read every single day . No viral posts. No aggressive promotion. No paid traffic. Just consistent readers arriving through search, bookmarks, and curiosity. That consistency matters. What the Traffic Graph Tells Me The graph over the last 12 months shows something important: Early months were quiet and uneven Mid-year brought steady growth Toward the end of the year, traffic became more stable , with clear spikes when certain posts resonated This tell...
Read more

Health Checks and Scaling Strategies for Next.js in Kubernetes

By -
Image
Health Checks and Scaling Strategies for Next.js in Kubernetes This is Part 6 and the final post of the series: Self-Hosting Next.js in Kubernetes (Without Vercel) . At this point, your Next.js standalone app: Builds cleanly Runs in a minimal Docker image Deploys correctly on Kubernetes / OpenShift Serves static assets properly Uses runtime configuration and secrets Now let’s make it resilient and scalable . Why Health Checks Matter Kubernetes relies on health checks to: Know when a pod is ready to receive traffic Restart unhealthy containers Safely roll out new versions Without proper probes, traffic can be sent to a pod that isn’t ready yet. Readiness Probe A readiness probe tells Kubernetes: “This pod can accept traffic.” For most Next.js apps, the root path works well: readinessProbe: httpGet: path: / port: 3000 initialDelaySeconds: 10 periodSeconds: 5 If your app depends on downstream services (APIs, d...
Read more