This repo is for anyone interrested in adding Keycloak authorization to an ASP.NET Core app with OIDC.
I had troubles finding resources about the subject for ASP.NET Core and got quite a lot of grey hair in the process.
I ended up cracking the issue and created this solution and guide to help anyone having the same problem.
Feel free to edit the code, by submitting a PR.
May the code be with you
Clone the repo and open KeycloakAuth.sln in Visual Studio or VS Code.
In order to get the application to work, you need to configure the application.json with the appropriate Keycloak metadata from your environment.
Login to your Keycloak admin page, to get the the needed varibles.
| Name | Example Value | Docker env name |
|---|---|---|
| ServerRealm | https://keycloak.example.com/auth/realms/keycloak-realm" | Keycloak__ServerRealm |
| Metadata | "https://keycloak.example.com/auth/realms/keycloak-realm/.well-known/openid-configuration" | Keycloak__Metadata |
| ClientId |  |
Keycloak__ClientId |
| ClientSecret |  |
Keycloak__ClientSecret |
The code uses a policy example, but also comments on how to use roles within the code.
The major difference is that based on claims you can create certain policies, that only users with claim x, y and z can access.
If you have 15 different roles in your app, the authorize attribute can be quite confusing to read for each controller action.
Use whatever suit your needs, the examples should be there.
In order to get authorization to work with Keycloak, you will need to add a new role to Client Scopes.
- Login to Keycloak Admin page
- Goto Client Scopes
- Goto Roles
- Goto Mappers
- Click Create
- Give the new role a name
- Mapper Type = User Client Role
- Multivated must be on
- Token claim name must be "role"
- Add to access token must be on
I needed a silent authorization, there is no login or logout function built in.
You can probably find other examples on github, where they do this.
In the repo, there is a dockerfile that can be used to build an image.
If you are using http and not https, you will need to change the aspnetcore ports accordingly in the file.
Override environment variables with -e varName="someVar", see appsettings.json for the names to override.
Docker build . -t keycloakauth
Docker run -it --rm -p 5001:5001 keycloakauthKeycloak tells you "invalid redirect uri" - you need to add your apps uri ex: https://localhost:44556 to the valid redirect URIs and web origins.
You are presented with the access denied page.
Copy your access token from the HomeController to jwt.io and look for what claims you have.
They need to match the role names configured in Keycloak and in the policy.
If you use Active Directory, sometimes the sync is very slow, renew your kerberos token and restart Keycloak or force a sync.
