Multi-Tenant Authentication
I'm implementing multi-tenant authentication with custom OAuth state
parameters using Wasp's auth hooks. I have a onBeforeOAuthRedirect
hook configured in my main.wasp file like this:
auth: {
userEntity: User,
methods: {
keycloak: {
configFn: import { getKeycloakConfig } from
"@src/auth/keycloak.js",
userSignupFields: import { keycloakSignupFields } from
"@src/auth/keycloak.js"
}
},
onAuthFailedRedirectTo: "/login",
onAuthSucceededRedirectTo: "/auth-success",
onBeforeOAuthRedirect: import { onBeforeOAuthRedirect } from
"@src/auth/hooks.js"
}
My hook implementation looks like:
export const onBeforeOAuthRedirect = async ({ url, oauth, prisma, req
}) => {
console.log('๐ Auth Hook: onBeforeOAuthRedirect triggered')
// Logic to modify OAuth URL with custom state parameter
return { url: modifiedUrl }
}
Questions:
1. Are onBeforeOAuthRedirect hooks supported for Keycloak OAuth
method, or only for social providers like Google/GitHub?
2. Do auth hooks require server restart after adding them to
main.wasp, or should they hot-reload?
3. What's the exact format/signature expected for the
onBeforeOAuthRedirect hook return value?
4. Are there any console logs or debugging methods to verify auth
hooks are being registered and called?
5. Does the hook fire before the initial redirect to Keycloak, or at
a different point in the OAuth flow?
I'm not seeing any console logs from my hook, which suggests it's
either not being called or not properly registered. Any insights on
troubleshooting auth hooks would be helpful!
6 Replies
Hi @JLegendz. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
Here are answers to your questions about multi-tenant authentication and the onBeforeOAuthRedirect hook in Wasp, based strictly on the provided knowledge sources:
1. Are onBeforeOAuthRedirect hooks supported for Keycloak OAuth method, or only for social providers like Google/GitHub?
The knowledge sources do not explicitly mention the onBeforeOAuthRedirect hook or its support for Keycloak or other providers. The available documentation for Keycloak focuses on configFn and userSignupFields overrides, but does not reference this hook or its usage with any provider, including Google or GitHub. Therefore, I cannot confirm support for this hook with Keycloak or other providers based on the current documentation. 2. Do auth hooks require server restart after adding them to main.wasp, or should they hot-reload?
There is no information in the provided sources about whether adding or modifying auth hooks (such as onBeforeOAuthRedirect) requires a server restart or if they are hot-reloaded. The documentation does not address the development workflow for hooks. 3. What's the exact format/signature expected for the onBeforeOAuthRedirect hook return value?
The knowledge sources do not document the onBeforeOAuthRedirect hook, its expected signature, or the required format of its return value. There is no example or reference to this hook in the Keycloak or general auth documentation. 4. Are there any console logs or debugging methods to verify auth hooks are being registered and called?
The documentation does not mention any built-in console logs, debugging methods, or recommended practices for verifying that auth hooks are registered or invoked. There is no troubleshooting section for hooks in the provided sources. 5. Does the hook fire before the initial redirect to Keycloak, or at a different point in the OAuth flow?
The sources do not describe the lifecycle or timing of the onBeforeOAuthRedirect hook, nor do they specify when (or if) it is called in the OAuth flow for Keycloak or other providers. Summary:
The current Wasp documentation and related sources do not provide information about the onBeforeOAuthRedirect hookโits support, usage, signature, or debugging. If you are not seeing console logs from your hook, it may be due to lack of support or a registration issue, but the documentation does not provide enough detail to confirm or troubleshoot this. For further assistance, you may want to reach out to the Wasp community or check for updates in the official documentation. If you need more details on configuring Keycloak or customizing user fields, those are well-documented (e.g., using configFn and userSignupFields) Keycloak Auth Setup, but hooks like onBeforeOAuthRedirect are not covered in the available sources. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ---------------------- Sorry @JLegendz, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
The knowledge sources do not explicitly mention the onBeforeOAuthRedirect hook or its support for Keycloak or other providers. The available documentation for Keycloak focuses on configFn and userSignupFields overrides, but does not reference this hook or its usage with any provider, including Google or GitHub. Therefore, I cannot confirm support for this hook with Keycloak or other providers based on the current documentation. 2. Do auth hooks require server restart after adding them to main.wasp, or should they hot-reload?
There is no information in the provided sources about whether adding or modifying auth hooks (such as onBeforeOAuthRedirect) requires a server restart or if they are hot-reloaded. The documentation does not address the development workflow for hooks. 3. What's the exact format/signature expected for the onBeforeOAuthRedirect hook return value?
The knowledge sources do not document the onBeforeOAuthRedirect hook, its expected signature, or the required format of its return value. There is no example or reference to this hook in the Keycloak or general auth documentation. 4. Are there any console logs or debugging methods to verify auth hooks are being registered and called?
The documentation does not mention any built-in console logs, debugging methods, or recommended practices for verifying that auth hooks are registered or invoked. There is no troubleshooting section for hooks in the provided sources. 5. Does the hook fire before the initial redirect to Keycloak, or at a different point in the OAuth flow?
The sources do not describe the lifecycle or timing of the onBeforeOAuthRedirect hook, nor do they specify when (or if) it is called in the OAuth flow for Keycloak or other providers. Summary:
The current Wasp documentation and related sources do not provide information about the onBeforeOAuthRedirect hookโits support, usage, signature, or debugging. If you are not seeing console logs from your hook, it may be due to lack of support or a registration issue, but the documentation does not provide enough detail to confirm or troubleshoot this. For further assistance, you may want to reach out to the Wasp community or check for updates in the official documentation. If you need more details on configuring Keycloak or customizing user fields, those are well-documented (e.g., using configFn and userSignupFields) Keycloak Auth Setup, but hooks like onBeforeOAuthRedirect are not covered in the available sources. ---------------------- Note: you can ask me a follow up question by @ mentioning me again :speech_balloon: ---------------------- Sorry @JLegendz, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist: Perhaps try again in 15mins?
@kapa.ai What auth hooks ARE currently supported and documented in
Wasp? I've seen references to onBeforeSignup, onAfterSignup,
onBeforeLogin, and onAfterLogin - can you confirm which of these
exist and provide their signatures?
Also, are there any documented ways to customize the OAuth redirect
URL or state parameter for Keycloak authentication flows? I need to
preserve custom context (tenant information) through the OAuth
redirect cycle.
If OAuth URL customization isn't available through hooks, what are
the recommended approaches for maintaining application state across
OAuth authentication flows in Wasp?
Let me check the knowledge base for you again. One moment! :books:
----------------------
Based on the provided knowledge sources:
1. Supported and Documented Auth Hooks in Wasp
The knowledge sources do not document any auth hooks such as
Discord support thread - "We will be adding hooks where you will be able to run code after/before signup/login, but yeah we don't have that yet unfortunately!"
Discord support thread - There is a GitHub issue open for this feature, but it is not yet implemented. Conclusion:
There are currently no officially supported or documented auth hooks like
- No auth hooks like
onBeforeSignup, onAfterSignup, onBeforeLogin, or onAfterLogin as being currently available in Wasp. In fact, multiple sources explicitly state that such hooks do not exist yet:
- "We don't currently have onLogin and onSignup hooks. It's on our radar and we'll work on it in the future."Discord support thread - "We will be adding hooks where you will be able to run code after/before signup/login, but yeah we don't have that yet unfortunately!"
Discord support thread - There is a GitHub issue open for this feature, but it is not yet implemented. Conclusion:
There are currently no officially supported or documented auth hooks like
onBeforeSignup, onAfterSignup, onBeforeLogin, or onAfterLogin in Wasp.
---
2. Customizing the OAuth Redirect URL or State Parameter for Keycloak
The documentation for Keycloak integration in Wasp describes two main customization points:
- configFn: Used to customize provider configuration, such as scopes.
- userSignupFields: Used to map data from the provider to your user entity.
Example:
Keycloak API Reference
There is no mention of a hook or configuration option for customizing the OAuth redirect URL or injecting a custom state parameter for Keycloak or any other OAuth provider.
---
3. Recommended Approaches for Maintaining Application State Across OAuth Flows
Since there is no documented way to customize the OAuth URL or state parameter via hooks, the knowledge sources do not provide a recommended approach for preserving custom context (such as tenant information) through the OAuth redirect cycle.
---
Summary:- No auth hooks like
onBeforeSignup, onAfterSignup, onBeforeLogin, or onAfterLogin are currently supported or documented in Wasp.
- There is no documented way to customize the OAuth redirect URL or state parameter for Keycloak.
- No recommended approach for maintaining custom application state across OAuth flows is provided in the current documentation.
If you need this functionality, you may need to follow Wasp's development for future support or consider workarounds outside the documented features.
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @JLegendz, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15mins?Hey @JLegendz, let me build on the bot's answers ๐
Do auth hooks require server restart after adding them to main.wasp, or should they hot-reloadThey should hot reload, but bugs are always possible. Why do you ask? Is it not working for you?
What's the exact format/signature expected for the onBeforeOAuthRedirect hook return value?Check the docs: https://wasp.sh/docs/auth/auth-hooks#the-onbeforeoauthredirect-hook It says: This hook's return value must be an object that looks like this: { url: URL }. Wasp uses the URL to redirect the user to the OAuth provider. ๐
Are there any console logs or debugging methods to verify auth hooks are being registered and called?Of course! You can
console.log and look at the server logs in your terminal.
Whatever you log on the server ends up in the terminal logs
Does the hook fire before the initial redirect to Keycloak, or at a different point in the OAuth flow?The docs also contain the lifecycle graph. Check here Let me know if that answers your questions ๐ @miho I'll tag you here in case the thread gets woken up when I'm gone