Integrating NodeBB Write API with Keycloak SSO – Handling express.sid and CSRF Tokens
-
Hi julian,
Thank you for your earlier response, and apologies for the late follow-up. I was able to resolve the CORS issue using Nginx. Now, I’m focusing on integrating the NodeBB Write API with my React.js frontend, where authentication is handled by Keycloak for login and registration.
I have a question regarding the express.sid cookie:
After login, NodeBB normally generates express.sid and stores it in cookies.
I attempted to use this session ID to fetch the CSRF token by calling /api/config, but it doesn’t seem to work as expected.
My goals are:
1. Successfully retrieve a valid CSRF token.
2. Use this token to create topics or posts via the Write API.
3. Ensure that once I have the session + token, I can securely access NodeBB APIs from my frontend.
Could you please clarify the correct approach for:
1. Retrieving and using the CSRF token with the express.sid.
2. Authenticating API requests (e.g., creating topics or posts) when using Keycloak SSO instead of NodeBB’s built-in login.
Possible Approaches I’m Exploring:
1. API Call to Generate express.sid via Keycloak SSO
   After successful Keycloak login, exchange the Keycloak access token with NodeBB to generate a valid express.sid.
   Then, use that session cookie + CSRF token for Write API calls.
2. Alternative Session Handling Method
   Use Keycloak JWT directly, and extend NodeBB’s authentication middleware to validate Keycloak-issued tokens instead of relying on express.sid.
   This way, CSRF handling might be bypassed or adapted, depending on whether requests are authenticated via JWT.
Any guidance or best practices for choosing between these two approaches (or a better method) would be greatly appreciated.
Thanks in advance!
-
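As an added example that is not part of the post or of NodeBB's own code, here is the session-plus-CSRF flow from the first approach, written as a small JavaScript client run against a constructed mock of the forum. The paths (GET /api/config returning csrf_token, POST /api/v3/topics with an x-csrf-token header) follow NodeBB's v3 Write API and should be checked against the installed version; the mock's behaviour and its token value are constructed for this example.

```javascript
// Added example (not from the post or NodeBB): the express.sid + CSRF flow as a
// small client against a constructed mock forum. Paths follow NodeBB's v3 Write
// API (GET /api/config -> csrf_token, POST /api/v3/topics); verify for your version.

// Step 1: fetch the CSRF token bound to the current express.sid session.
// credentials: 'include' is what makes a browser attach the cookie on a
// cross-origin call; without it NodeBB only sees an anonymous request.
async function fetchCsrfToken(baseUrl, fetchImpl) {
  const res = await fetchImpl(`${baseUrl}/api/config`, { credentials: 'include' });
  if (!res.ok) throw new Error(`/api/config failed: ${res.status}`);
  const cfg = await res.json();
  if (!cfg.csrf_token) throw new Error('no csrf_token: is express.sid reaching NodeBB?');
  return cfg.csrf_token;
}

// Step 2: Write API call. The cookie authenticates the user; the header proves
// the caller could read /api/config, which a cross-site page cannot do.
async function createTopic(baseUrl, fetchImpl, { cid, title, content }) {
  const csrfToken = await fetchCsrfToken(baseUrl, fetchImpl);
  const res = await fetchImpl(`${baseUrl}/api/v3/topics`, {
    method: 'POST',
    credentials: 'include',
    headers: { 'content-type': 'application/json', 'x-csrf-token': csrfToken },
    body: JSON.stringify({ cid, title, content }),
  });
  return res.json();
}

// Constructed mock of the forum (simplified): one logged-in session with a fixed
// CSRF token. 'credentials: include' stands in for the express.sid cookie being sent.
function makeMockForum() {
  const session = { csrf: 'constructed-csrf-token' };
  const topics = [];
  const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
  return async function mockFetch(url, opts = {}) {
    const hasSession = opts.credentials === 'include';
    const headers = opts.headers || {};
    if (url.endsWith('/api/config')) {
      return reply(200, { csrf_token: hasSession ? session.csrf : '' });
    }
    if (url.endsWith('/api/v3/topics') && opts.method === 'POST') {
      if (!hasSession) return reply(401, { status: { code: 'not-authorised' } });
      if (headers['x-csrf-token'] !== session.csrf) return reply(403, { status: { code: 'forbidden' } });
      const topic = { tid: topics.length + 1, ...JSON.parse(opts.body) };
      topics.push(topic);
      return reply(200, { status: { code: 'ok' }, response: topic });
    }
    return reply(404, { status: { code: 'not-found' } });
  };
}
```

The mock returns no usable token when the request omits credentials: 'include', which is the first thing to check when /api/config "does not work as expected" from a cross-origin frontend: the browser will not send express.sid to another origin unless the fetch asks for it and the cookie's SameSite/domain settings allow it.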