Demonstrates Single Sign-On across a Web App, API Gateway, and Laravel API Server using Keycloak as the identity provider.
Browser
  │
  │ 1. Visit web app → not logged in
  ▼
┌─────────────┐  2. Redirect to Keycloak login       ┌────────────────────┐
│   Web App   │ ───────────────────────────────────▶ │                    │
│  (Node.js)  │ ◀─────────────────────────────────── │  Keycloak (OIDC)   │
│    :3000    │  3. Auth code → exchange → tokens    │   master realm     │
└──────┬──────┘                                      └────────────────────┘
       │                                                 ▲            ▲
       │ 4. GET /api/resources                      JWKS │            │ JWKS
       │    Authorization: Bearer <access_token>         │            │
       ▼                                                 │            │
┌─────────────┐  5. Validate JWT (JWKS)     ┌──────────────────────────┐
│ API Gateway │ ──────────────────────────▶ │  (fetch certs from KC)   │
│  (Node.js)  │ ◀────────────────────────── │                          │
│    :4000    │  6. Forward + X-User-*      └──────────────────────────┘
└──────┬──────┘
       │ 7. Bearer <access_token> (same token)
       ▼
┌─────────────┐  8. Validate JWT (JWKS)     ┌──────────────────────────┐
│ API Server  │ ──────────────────────────▶ │  (fetch certs from KC)   │
│  (Laravel)  │  independently              └──────────────────────────┘
│    :8000    │
└─────────────┘
       9. Return protected resources → upstream to browser
Component     Stack               Role                    Library / Endpoint
Web App       Node.js / Express   OIDC Auth Code + PKCE   openid-client v5
API Gateway   Node.js / Express   JWT Bearer validation   jose v5 (JWKS)
API Server    Laravel (PHP)       JWT Bearer validation   firebase/php-jwt
Keycloak      OIDC Provider       Realm: sifulan          https://keycloak.sifulan.dev
Click Login with Keycloak to start the OIDC Authorization Code + PKCE flow.
You will be redirected to Keycloak, then returned here after authentication.