Easy Authentication and Authorization with Keycloak in .NET and ASP.NET Core.
| Package | Version | Description |
|---|---|---|
Keycloak.AuthServices.Authentication |
 |
Keycloak Authentication JWT + OICD |
Keycloak.AuthServices.Authorization |
 |
Authorization Services. Use Keycloak as authorization server |
Keycloak.AuthServices.Sdk |
 |
HTTP API integration with Keycloak |
Demonstrates how to add JWT-based authentication and custom authorization policy.
var builder = WebApplication.CreateBuilder(args);
var host = builder.Host;
var configuration = builder.Configuration;
var services = builder.Services;
host.ConfigureKeycloakConfigurationSource();
// conventional registration from keycloak.json
services.AddKeycloakAuthentication(configuration);
services.AddAuthorization(options =>
{
options.AddPolicy("RequireWorkspaces", builder =>
{
builder.RequireProtectedResource("workspaces", "workspaces:read") // HTTP request to Keycloak to check protected resource
.RequireRealmRoles("User") // Realm role is fetched from token
.RequireResourceRoles("Admin"); // Resource/Client role is fetched from token
});
})
.AddKeycloakAuthorization(configuration);
var app = builder.Build();
app.UseAuthentication()
.UseAuthorization();
app.MapGet("/workspaces", () => "[]")
.RequireAuthorization("RequireWorkspaces");
app.Run();Keycloak.AuthServices.Authentication
Add OpenID Connect + JWT Bearer token authentication.
// add configuration from keycloak file
host.ConfigureKeycloakConfigurationSource("keycloak.json");
// add authentication services, OICD JwtBearerDefaults.AuthenticationScheme
services.AddKeycloakAuthentication(configuration, o =>
{
o.RequireHttpsMetadata = false;
});Client roles are automatically transformed into user role claims KeycloakRolesClaimsTransformation.
See Keycloak.AuthServices.Authentication - README.md
Keycloak installation file:
// confidential client
{
"realm": "<realm>",
"auth-server-url": "http:https://localhost:8088/auth/",
"ssl-required": "external", // external | none
"resource": "<clientId>",
"verify-token-audience": true,
"credentials": {
"secret": ""
}
}
// public client
{
"realm": "<realm>",
"auth-server-url": "http:https://localhost:8088/auth/",
"ssl-required": "external",
"resource": "<clientId>",
"public-client": true,
"confidential-port": 0
}Keycloak.AuthServices.Authorization
services.AddAuthorization(authOptions =>
{
authOptions.AddPolicy("<policyName>", policyBuilder =>
{
// configure policies here
});
}).AddKeycloakAuthorization(configuration);See Keycloak.AuthServices.Authorization - README.md
Keycloak API clients.
| Service | Description |
|---|---|
| IKeycloakClient | Unified HTTP client - IKeycloakRealmClient, IKeycloakProtectedResourceClient |
| IKeycloakRealmClient | Keycloak realm API |
| IKeycloakProtectedResourceClient | Protected resource API |
| IKeycloakProtectionClient | Authorization server API, used by AddKeycloakAuthorization |
// requires confidential client
services.AddKeycloakAdminHttpClient(keycloakOptions);
// based on token forwarding HttpClient middleware and IHttpContextAccessor
services.AddKeycloakProtectionHttpClient(keycloakOptions);See Keycloak.AuthServices.Sdk - README.md
dotnet cake --target build
dotnet pack -o ./Artefacts
- https://github.com/thinktecture-labs/webinar-keycloak
- https://github.com/thinktecture-labs/webinar-keycloak-authorization
- https://github.com/elmankross/Jboss.AspNetCore.Authentication.Keycloak/
- https://github.com/mikemir/AspNetCore.KeycloakAuthentication/
- https://github.com/lvermeulen/Keycloak.Net
- https://github.com/keycloak/keycloak-documentation/blob/main/authorization_services/topics/service-authorization-uma-authz-process.adoc
- https://www.keycloak.org/docs/latest/authorization_services/index.html