Create a sample that shows how to use the Keycloak integration #416

Open
3 of 9 tasks
DamianEdwards opened this issue Aug 15, 2024 · 2 comments
@DamianEdwards
Member

DamianEdwards commented Aug 15, 2024

Should show how to configure the following app types to use a Keycloak instance to manage authentication (user, app -> api), and authorization:

  • APIs
    • Minimal APIs
    • Controllers
  • Razor Pages
  • MVC with Razor Views
  • Blazor
    • SSR
    • Server
    • ASP.NET Core hosted WebAssembly
@BartoGabriel

BartoGabriel commented Sep 4, 2024

Hi @DamianEdwards

I was reviewing the example with Keycloak, and it was really helpful for the implementation I'm currently working on.

In the example, I noticed that the Blazor SSR application is using the application token (client credentials). While it makes sense that the API only allows authenticated applications to make requests, I think it would be better to use another flow, since user-based authentication is more common in many scenarios.

It would be beneficial for the API to know which user is making the request, what role they have, etc.

Although I have limited experience with Keycloak, I think simplifying the example would help users achieve the following:

  • Authenticate from the front end.
  • Have the API handle an authenticated user, including user identification and roles.
  • Handle token storage and refresh tokens, as access tokens have a short lifespan by default. To simplify the example, I believe using cookies to store tokens would be a good approach.

Regarding the Client Credentials flow, while it's useful, it might be better as a secondary example. For instance, you could show how a console application could call the API using this flow.

As mentioned, I don’t have much experience with Keycloak, but I’d be happy to help in any way I can.

Thanks again for the example—it has been very helpful.
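To make the second bullet above concrete (an API that knows which user is calling and what roles they hold), here is an added ASP.NET Core minimal API example that validates a Keycloak user token and maps Keycloak realm roles onto ASP.NET Core role claims. It is not code from the Aspire sample; the realm URL, the `my-api` audience and the `admin` role are assumed placeholders.

```csharp
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication.JwtBearer;
var builder = WebApplication.CreateBuilder(args);
// Assumed realm URL and audience; the sample's real Keycloak configuration is not on the page.
const string KeycloakRealm = "https://keycloak.example/realms/myrealm";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = KeycloakRealm; // issuer and signing keys come from the realm's OIDC discovery document
        options.Audience = "my-api";       // requires an audience mapper on the Keycloak client
        options.MapInboundClaims = false;  // keep Keycloak's claim names ("sub", "preferred_username")
        options.TokenValidationParameters.NameClaimType = "preferred_username";
        options.Events = new JwtBearerEvents
        {
            // Keycloak nests realm roles as "realm_access": { "roles": [...] }, which ASP.NET Core
            // does not flatten, so copy them into standard role claims after signature validation.
            OnTokenValidated = ctx =>
            {
                if (ctx.Principal?.Identity is ClaimsIdentity identity &&
                    identity.FindFirst("realm_access")?.Value is { } json)
                {
                    using var doc = JsonDocument.Parse(json);
                    if (doc.RootElement.TryGetProperty("roles", out var roles))
                        foreach (var role in roles.EnumerateArray())
                            identity.AddClaim(new Claim(ClaimTypes.Role, role.GetString()!));
                }
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization(o => o.AddPolicy("AdminOnly", p => p.RequireRole("admin")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Any signed-in Keycloak user: the API now knows who is calling and which roles they hold.
app.MapGet("/me", (ClaimsPrincipal user) => new
{
    Subject = user.FindFirstValue("sub"),
    Name = user.Identity?.Name,
    Roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray()
}).RequireAuthorization();

app.MapGet("/admin", () => "admin area").RequireAuthorization("AdminOnly");

app.Run();
```

Client credentials tokens issued to an application still validate here, but they carry no `preferred_username` and typically no realm roles, so the same API can distinguish app callers from user callers by what `/me` returns.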

@DamianEdwards
Member Author

Thanks for the suggestion. I specifically didn't want to have the API require tokens from end users as it has no need for it in this example. The eShop workshop does what you're suggesting, as the backend APIs actually deal with user-specific data. I could see this example being expanded to show both flows via different backend APIs, e.g. one that deals with user data and another that doesn't.

Ultimately there's no "one size fits all" solution when dealing with distributed app identity, authentication, and authorization concerns. This sample is really only intended to showcase how the Keycloak integration can be used with Aspire, but not to be an exhaustive reference for Keycloak itself, or ASP.NET Core authentication/authorization in general.
