search

NikiforovAll / keycloak-authorization-services-dotnet

Authentication and Authorization with Keycloak and ASP.NET Core 🔐
https://nikiforovall.github.io/keycloak-authorization-services-dotnet/
MIT License
438 stars 105 forks source link

ASPNET Core MVC Web App authentication while using .NET Aspire #133

Open ekomsctr opened 3 weeks ago

ekomsctr commented 3 weeks ago

Hello,

i'm trying to use the library to authenticate my MVC Web App against a keycloak server. I could do so successfully (and it was very simple) with a Web Api project, but even following the sample i could not get it to work. Either i'm getting a "missing clientid in configuration" or a "missing authority, metadatahttps in the configuration".

Is this scenario supported? I have to specify something more in the .NET Aspire registration?

Edit: I manually added the Keycloak__ClientId env variables and now it's requiring https, is there any parameter to set this on the web app or should i add another env variable? Error: The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false

Thanks in advance

NikiforovAll commented 3 weeks ago

Hello,

Here is an example of MVC project. ref: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/examples/web-app-mvc.html

Aspire provides some variables, but not all, you still need to complete the configuration by providing missing variables, like here (we provide clientId because Aspire don't know about your client registrations): https://nikiforovall.github.io/keycloak-authorization-services-dotnet/examples/aspire-web-api.html

I think combining these two example will do what you need

ekomsctr commented 3 weeks ago

Thank you for the clear answer, by combining concepts from both the samples i got it working! Here's what i've ended up doing:

  1. Define a parameter in Aspire 
    var clientId = builder.AddParameter("ClientId", false);
  2. Add the parameter's reference to the environment variables 
    var project = builder.AddProject<Projects.Your_Project_Name>("management")
.WithExternalHttpEndpoints()
.WithReference(keycloak)
.WithEnvironment("Keycloak__ClientId", clientId)

  3. Wired up the parameter inside the WebApp authentication setup

    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddKeycloakWebApp(
configureKeycloakOptions: options =>
{
    builder.Configuration.GetSection(KeycloakAuthenticationOptions.Section).Bind(options);
},
configureOpenIdConnectOptions: options =>
{
    // Other code omitted for brevity...

    options.ClientId = builder.Configuration.GetValue<string>("KeyCloak:ClientId");
    options.RequireHttpsMetadata = false;

    // Other code omitted for brevity...
}
);

Doing so i hope i can (almost) seamlessy use the KeyCloak section when deploying the projects while still using .NET Aspire configuration perks. If you have any suggestions to improve this implementation, it would be greatly appreciated!

NikiforovAll commented 3 weeks ago

@ekomsctr looks good to me. However, you may consider the following suggestions:

  1. Read typed keycloak options instead of using "KeyCloak:ClientId": https://nikiforovall.github.io/keycloak-authorization-services-dotnet/qa/recipes.html#how-to-get-options-outside-of-iserviceprovider (you might not need it if you apply 2. suggestion)
  2. Configure ClientId by adding Keycloak__Resource (and maybe Keycloak__Credentials__Secret if you need it), ref: https://github.com/NikiforovAll/keycloak-authorization-services-dotnet/blob/39333813c7ac188fdb02a4981adb2ca652dc1292/src/Keycloak.AuthServices.Authentication/WebAppExtensions/KeycloakWebAppAuthenticationBuilderExtensions.cs#L265