.NET Aspire Keycloak integration

In this article, you learn how to use the .NET Aspire Keycloak integration. The Aspire.Keycloak.Authentication library registers JwtBearer and OpenId Connect authentication handlers in the DI container for connecting to a Keycloak server.

Prerequisites

  • A Keycloak server instance.
  • A Keycloak realm.
  • For JwtBearer authentication, a configured audience in the Keycloak realm.
  • For OpenId Connect authentication, the ID of a client configured in the Keycloak realm.

Get started

To get started with the .NET Aspire Keycloak integration, install the Aspire.Keycloak.Authentication NuGet package in the client-consuming project, i.e., the project for the application that uses the Keycloak client.

dotnet add package Aspire.Keycloak.Authentication

For more information, see dotnet add package or Manage package dependencies in .NET applications.

Jwt bearer authentication usage example

In the Program.cs file of your ASP.NET Core API project, call the AddKeycloakJwtBearer extension method to add JwtBearer authentication, using a connection name, realm and any required JWT Bearer options:

builder.Services.AddAuthentication()
                .AddKeycloakJwtBearer("keycloak", realm: "WeatherShop", options =>
                {
                    // Tokens whose "aud" claim does not contain this value are rejected
                    options.Audience = "weather.api";
                });

You can set many other options via the Action<JwtBearerOptions> configureOptions delegate.
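A complete Program.cs for the API project that builds on the call above, added here as an example rather than code from the article or from the Aspire project. It assumes the connection name "keycloak", realm "WeatherShop" and audience "weather.api" used in the article, that the Aspire service defaults (AddServiceDefaults) are present as in the template, and that Keycloak issues granted scopes as a single space-separated "scope" claim (its default). The policy name and endpoint paths are hypothetical.

```csharp
// Program.cs of the ASP.NET Core API project (added example, not the article's own code).
// Assumptions: Aspire.Keycloak.Authentication and the Aspire service defaults are referenced,
// and the app host exposes a Keycloak resource under the connection name "keycloak".
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

builder.AddServiceDefaults(); // from the Aspire ServiceDefaults project (assumed present)

builder.Services.AddAuthentication()
    .AddKeycloakJwtBearer("keycloak", realm: "WeatherShop", options =>
    {
        // Accept only tokens minted for this API. A token issued to another client in the
        // same realm carries a different "aud" claim and fails audience validation here.
        options.Audience = "weather.api";
    });

// Policy: a valid token alone is not enough, the "weather:all" scope must be granted too.
// Keycloak puts every granted scope into one space-separated "scope" claim, which the
// bearer handler leaves unmapped, so it is checked by name (hypothetical policy name).
builder.Services.AddAuthorizationBuilder()
    .AddPolicy("RequireWeatherScope", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            (ctx.User.FindFirst("scope")?.Value ?? string.Empty)
                .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                .Contains("weather:all")));

var app = builder.Build();

// Authentication must run before authorization so the bearer token is validated first.
app.UseAuthentication();
app.UseAuthorization();

// The health probe stays anonymous; the forecast endpoint needs the token and the scope.
app.MapGet("/health", () => Results.Ok("ok")).AllowAnonymous();

app.MapGet("/weatherforecast", (ClaimsPrincipal user) =>
{
    // With the default inbound claim mapping the JWT "sub" claim arrives as
    // ClaimTypes.NameIdentifier; fall back to the raw name in case mapping is disabled.
    var subject = user.FindFirst(ClaimTypes.NameIdentifier)?.Value
                  ?? user.FindFirst("sub")?.Value
                  ?? "unknown";
    return Results.Ok(new { Subject = subject, TemperatureC = 21, Summary = "Mild" });
}).RequireAuthorization("RequireWeatherScope");

app.Run();
```

Audience and scope are separate checks: the audience tells the handler the token was issued for this API at all, while the scope policy limits which operations a given token may perform, so a token for the API that lacks "weather:all" reaches the handler, passes validation and is then refused by authorization with a 403.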

OpenId Connect authentication usage example

In the Program.cs file of your Blazor project, call the AddKeycloakOpenIdConnect extension method to add OpenId Connect authentication, using a connection name, realm and any required OpenId Connect options:

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
                .AddKeycloakOpenIdConnect(
                    "keycloak",
                    realm: "WeatherShop",
                    options =>
                    {
                        options.ClientId = "WeatherWeb";
                        // Authorization code flow (no tokens in the front channel)
                        options.ResponseType = OpenIdConnectResponseType.Code;
                        options.Scope.Add("weather:all");
                    });

You can set many other options via the Action<OpenIdConnectOptions>? configureOptions delegate.
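A fuller Program.cs for the web project, added here as an example and not taken from the article or from the Aspire sample, showing the cookie scheme that normally backs an OpenId Connect sign-in and a sign-out endpoint that ends both the local session and the Keycloak session. It assumes the connection name "keycloak", realm "WeatherShop" and client "WeatherWeb" from the article; the configuration key for the client secret and the "/logout" route are hypothetical, and the Blazor component mapping from the template is left out.

```csharp
// Program.cs of the Blazor web project (added example, not the article's own code).
// Assumptions: Aspire.Keycloak.Authentication is referenced, the app host exposes a Keycloak
// resource named "keycloak", and the realm "WeatherShop" contains a client "WeatherWeb".
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

var oidcScheme = OpenIdConnectDefaults.AuthenticationScheme;
var cookieScheme = CookieAuthenticationDefaults.AuthenticationScheme;

builder.Services.AddAuthentication(options =>
    {
        // The cookie is the signed-in session; OIDC only handles the challenge
        // (the redirect to Keycloak) and hands the result to the cookie scheme.
        options.DefaultScheme = cookieScheme;
        options.DefaultChallengeScheme = oidcScheme;
    })
    .AddCookie(cookieScheme, options =>
    {
        options.Cookie.HttpOnly = true;                          // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // never sent over plain HTTP
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
    })
    .AddKeycloakOpenIdConnect("keycloak", realm: "WeatherShop", oidcScheme, options =>
    {
        options.ClientId = "WeatherWeb";
        // Only needed when "WeatherWeb" is a confidential client. Read it from configuration
        // or a secret store rather than hard-coding it (hypothetical configuration key).
        options.ClientSecret = builder.Configuration["Keycloak:WeatherWeb:ClientSecret"];
        // Authorization code flow; the handler adds PKCE because UsePkce defaults to true.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.Scope.Add("weather:all");
        options.SignInScheme = cookieScheme;
        // Keep the access and refresh tokens in the cookie ticket so the app can call the API.
        options.SaveTokens = true;
        // Keycloak's default username claim, so User.Identity.Name is populated.
        options.TokenValidationParameters.NameClaimType = "preferred_username";
    });

builder.Services.AddAuthorization();
builder.Services.AddCascadingAuthenticationState();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Sign out of the local cookie and of the Keycloak session (RP-initiated logout at the
// realm's end-session endpoint). POST only, so a plain link cannot trigger it.
app.MapPost("/logout", () =>
        TypedResults.SignOut(new AuthenticationProperties { RedirectUri = "/" },
                             new[] { cookieScheme, oidcScheme }))
   .RequireAuthorization();

// app.MapRazorComponents<App>() ... as generated by the Blazor Web App template

app.Run();
```

Because the cookie, not the OIDC scheme, is the default scheme, each request is authenticated from the session cookie and Keycloak is only contacted when a challenge is issued; signing out of the cookie alone would leave the Keycloak single-sign-on session alive, which is why the endpoint names both schemes.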

App host usage

To model the Keycloak resource in the app host, install the Aspire.Hosting.Keycloak NuGet package in the app host project.

dotnet add package Aspire.Hosting.Keycloak

Then, in the Program.cs file of AppHost, register a Keycloak server and consume the connection using the following methods:

// Stable host port (see the tip below) so the OIDC authority URL does not change between runs
var keycloak = builder.AddKeycloak("keycloak", 8080);

// The API only validates bearer tokens; it needs the Keycloak reference for the authority
var apiService = builder.AddProject<Projects.Keycloak_ApiService>("apiservice")
                        .WithReference(keycloak);

// The web front end is the only resource exposed externally
builder.AddProject<Projects.Keycloak_Web>("webfrontend")
       .WithExternalHttpEndpoints()
       .WithReference(keycloak)
       .WithReference(apiService);

Tip

For local development, use a stable port for the Keycloak resource (8080 in the example above). It can be any port, but it should be stable: the browser cookies that persist OIDC tokens outlive the app host, and those tokens embed the authority URL including the port, so a port that changes between runs invalidates them.

The WithReference method configures a connection in the Keycloak.ApiService and Keycloak.Web projects named keycloak.

In the Program.cs file of Keycloak.ApiService, the Keycloak connection can be consumed using:

builder.Services.AddAuthentication()
                .AddKeycloakJwtBearer("keycloak", realm: "WeatherShop");

In the Program.cs file of Keycloak.Web, the Keycloak connection can be consumed using:

var oidcScheme = OpenIdConnectDefaults.AuthenticationScheme;

builder.Services.AddAuthentication(oidcScheme)
                .AddKeycloakOpenIdConnect(
                    "keycloak",
                    realm: "WeatherShop",
                    oidcScheme); // authentication scheme passed explicitly

See also