GREACT/KIS-TOiR
7
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d6875f4b0511677a61e60a040677e5644a30230
KIS-TOiR/auth/backend-auth-rules.md
MaKarin 8d6875f4b0 keycloak init
2026-03-21 16:00:27 +03:00

2.6 KiB
Raw Blame History

Backend Auth Rules

This document defines mandatory backend authentication and authorization behavior for generated applications.

Generated Backend Auth Surface

The generator must create explicit auth infrastructure in the generated NestJS backend.

At minimum generate:

  • server/src/auth/auth.module.ts
  • JWT auth guard
  • roles guard
  • @Public()
  • @Roles()
  • typed authenticated principal interface
  • typed environment validation in server/src/config/

The generator must not describe backend auth as an external manual integration step.

Standards-Based JWT Verification

The generated backend must validate JWTs against Keycloak using standards-based libraries.

Rules:

  1. Verify issuer
  2. Verify audience
  3. Verify signature via JWKS
  4. Do not use deprecated Keycloak-specific Node adapters such as keycloak-connect

The default library rule for this repository is:

  • jose for JWT and JWKS verification

JWT Verification Contract

The generated backend must verify tokens with:

  • KEYCLOAK_ISSUER_URL
  • KEYCLOAK_AUDIENCE

JWKS resolution priority must be exactly:

  1. explicit KEYCLOAK_JWKS_URL
  2. OIDC discovery
  3. fallback ${issuer}/protocol/openid-connect/certs

The generator must encode this priority explicitly.

Role Extraction

Authorization roles must be extracted only from:

  • realm_access.roles

The generator must not mix in:

  • resource roles
  • custom frontend-only permissions
  • undocumented claim fallbacks

realm_access.roles is the single RBAC source for this repository.

Default RBAC Policy

Apply these RBAC defaults to generated CRUD controllers:

  • GET: viewer, editor, admin
  • POST: editor, admin
  • PATCH: editor, admin
  • PUT: editor, admin
  • DELETE: admin

GET /health must remain public and must use the generated @Public() mechanism.

All other generated CRUD routes must be protected by default.

Typed Principal

The generated backend must attach a typed authenticated principal to the request context.

At minimum, the generated principal type must be able to represent:

  • sub
  • user identity fields when present
  • roles
  • raw claims payload

This principal type is required so guards, controllers, and tests share one consistent contract.

Backend Environment Contract

The generated backend env contract must include:

  • PORT
  • DATABASE_URL
  • CORS_ALLOWED_ORIGINS
  • KEYCLOAK_ISSUER_URL
  • KEYCLOAK_AUDIENCE
  • KEYCLOAK_JWKS_URL (optional)

The generated backend config must fail fast if required auth variables are missing.

The generated backend must not silently fall back to production auth settings in code.

Reference in New Issue View Git Blame Copy Permalink