Next.js + NextAuth.js Frontend SSO Series

This series covers everything you need to implement SSO in a Next.js frontend using NextAuth.js and Keycloak (or other OAuth2/OIDC providers). From basic setup to advanced flows and security hardening, follow these posts step by step.


Series Overview

  1. Introduction to NextAuth.js and SSO: Learn what NextAuth.js is, how it works, and how to start integrating SSO in your Next.js app.
  2. Integrating Keycloak with NextAuth.js: Step-by-step guide to connect Keycloak with NextAuth.js and handle login flow.
  3. Handling Session, Roles, and Protected Routes: Learn to manage sessions, enforce roles, and protect pages and API routes in Next.js.
  4. Debugging SSO in Next.js: Tips and best practices for debugging common SSO issues like token expiration and redirect loops.
  5. Refreshing Access Tokens for Linked Accounts: Ensure linked accounts always have the latest access token on every login.
  6. Manager Approval Flow with Popup Login: Implement a popup-based manager approval flow, with token validation, role checking, and logout cleanup.
  7. Security Hardening and Best Practices: Production-ready SSO security practices, including cookie settings, token rotation, and CSRF/CORS protection.

Recommended Reading Order

  • Start with post 1 for SSO basics
  • Follow posts 2–4 for setup, session handling, and debugging
  • Advanced flows: posts 5–6
  • End with post 7 for security best practices

About This Series

By the end of this series, you will be able to:

  • Integrate Keycloak (or another OAuth2/OIDC provider) with a Next.js frontend
  • Manage sessions, roles, and protected pages
  • Implement advanced login flows like manager approval in popups
  • Debug token issues and redirect problems
  • Follow production-grade security best practices for SSO

This series is part of Lengerrong Blog. Click on each post above to read the full tutorial.
