tvone-api/src/auth/keycloak.strategy.ts

import { Injectable } from "@nestjs/common";
import { PassportStrategy } from "@nestjs/passport";
import { ExtractJwt, Strategy } from "passport-jwt";
import * as jwksRsa from "jwks-rsa";

@Injectable()
export class KeycloakStrategy extends PassportStrategy(Strategy, "keycloak") {
  constructor() {
    super({
      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),

      // 🔑 Get signing key from Keycloak
      secretOrKeyProvider: jwksRsa.passportJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri:
          "https://keycloak.petermaquiran.xyz/realms/tvone/protocol/openid-connect/certs",
      }),

      //audience: "tvone-web", // your Keycloak clientId
      issuer: "https://keycloak.petermaquiran.xyz/realms/tvone",
      algorithms: ["RS256"],
    });
  }

  async validate(payload: any) {
    return {
      userId: payload.sub,
      email: payload.email,
      roles: payload.realm_access?.roles || [],
      raw: payload,
    };
  }
}