Keycloak integration with Hasura GraphQL – Unable to Authenticate using access token

[Manjunath-Shivegowda-waisl]

Hi team,

We are trying to integrate Keycloak with Hasura GraphQL Engine, and wanted to confirm whether this integration is supported and if we are following the correct approach.

What we have done so far:
1.Created a user and role in Keycloak, along with username, password, and client secret.

2.Generated an access token using the following endpoint:

https://dev-aop-keycloak.wdplatform.com/realms/dev-aop/protocol/openid-connect/token

3. Successfully received the access token from the above API. Passed the token in the Authorization header while calling Hasura GraphQL APIs. Despite passing the token, the requests are not getting authenticated by Hasura, getting below error. Please find the attached documents for reference.

Error:

"errors": [
{
"message": "claims key: 'https://hasura.io/jwt/claims' not found",
"extensions": {
"path": "$",
"code": "jwt-invalid-claims"
}
}
]

[hgiasac]

@Manjunath-Shivegowda-waisl Hasura GraphQL Engine definitely supports Keycloak. That error happened because you haven't configured the custom claims for the JWT yet. Check out this tutorial for more detail.

[itxashancode]

The error indicates that Hasura is not finding the expected JWT claims in your Keycloak token. You need to configure custom claims in Keycloak to match Hasura's expected format.

In your Keycloak realm, create a mapper under your client configuration:

• Name: hasura-claims
• Mapper Type: JSON Type
• Claim JSON Type: JSON
• Claim Name: https://hasura.io/jwt/claims
• Add the following JSON structure:

{
 "x-hasura-default-role": "user",
 "x-hasura-allowed-roles": ["user"],
 "x-hasura-user-id": "{{sub}}"
}

After creating the mapper, regenerate your access token and try again. The token should now include the required claims that Hasura expects for authentication.