This demo is made with the help from this guide: https://medium.com/@xavier.hahn/adding-authorization-to-asp-net-core-app-using-keycloak-c6c96ee0e655
1. Deploy Keycloak:

   ```sh
   docker-compose -f docker-compose-keycloak.yml up
   ```

   or

   ```sh
   docker stack deploy -c docker-compose-keycloak.yml keycloak-demo
   ```

2. Open the Keycloak Administration Console from http://localhost:8080/ and log in with the credentials defined in the `docker-compose-keycloak.yml` file:

   | Field    | Value    |
   |----------|----------|
   | Username | keycloak |
   | Password | keycloak |

3. Create a new client:

   | Field           | Value                 |
   |-----------------|-----------------------|
   | Client ID       | dotnet-demo           |
   | Client Protocol | openid-connect        |
   | Root URL        | http://localhost:5161 |

4. Edit the newly created client. Change the following properties and click Save:

   | Property              | Value        |
   |-----------------------|--------------|
   | Access Type           | Confidential |
   | Implicit Flow Enabled | ON           |

5. Go to the Roles tab (inside the `dotnet-demo` client) and create your roles:

   | Role     |
   |----------|
   | Admin    |
   | Manager  |
   | Employer |

6. Go to the Mappers tab (inside the `dotnet-demo` client) and create the user client roles mapper. Set the following values and click Save:

   | Field               | Value             |
   |---------------------|-------------------|
   | Protocol            | openid-connect    |
   | Name                | User client roles |
   | Mapper Type         | User Client Role  |
   | Client ID           | dotnet-demo       |
   | Client Role prefix  | (leave empty)     |
   | Multivalued         | ON                |
   | Token Claim Name    | user_roles        |
   | Claim JSON Type     | String            |
   | Add to ID token     | ON                |
   | Add to access token | ON                |
   | Add to userinfo     | ON                |

7. Go to the Credentials tab (inside the `dotnet-demo` client) and note down the Secret value.

8. Go to the Users tab under the Manage section and add role(s) to your user, or create a new user. To add roles, select the user, open the Role Mappings tab, select `dotnet-demo` in the Client Roles section, and move your role(s) from Available Roles to Assigned Roles.

9. Open `launchSettings.json` from the `Keycloak-Demo\Properties\` folder and set the following values:

   | Variable               | Value                                 | Notes                                                                  |
   |------------------------|---------------------------------------|------------------------------------------------------------------------|
   | KEYCLOAK_ENDPOINT      | http://localhost:8080/realms/master   | http://localhost:8080/auth/realms/master in versions before Keycloak 17.0 |
   | KEYCLOAK_CLIENT_ID     | dotnet-demo                           | The name of the client you created                                     |
   | KEYCLOAK_CLIENT_SECRET | m383YWl9QiOBOrgiM80xdzXyQK0JYWme      | The Secret from step 7 (Credentials) of the Keycloak setup             |

10. Run the Keycloak-Demo project (make sure you are running the `Keycloak_Demo` profile and not, for example, IIS Express).

11. Check that the login works by going to http://localhost:5161/info/authenticated. If you are not already logged in to Keycloak, you are redirected to the Keycloak login page. Once logged in, you should see JSON data with "User has authenticated" and the user id.

12. Check that the roles work. Depending on the roles you assigned, the following URLs either redirect you to the AccessDenied page (not implemented, so an empty page) or show that you have the role:

    | Check       | URL                                   | Description                                        |
    |-------------|---------------------------------------|----------------------------------------------------|
    | AdminPolicy | http://localhost:5161/info/adminOnly  | Checks for the Admin role with the AdminOnly policy |
    | Admin       | http://localhost:5161/info/admin      | Checks for the Admin role                          |
    | Manager     | http://localhost:5161/info/manager    | Checks for the Manager role                        |
    | Employer    | http://localhost:5161/info/employer   | Checks for the Employer role                       |
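The following `Program.cs` is an added example, not the Keycloak-Demo project's own code, showing how the pieces configured above fit together: the three `launchSettings.json` variables drive the OpenID Connect handler, the multivalued `user_roles` claim from the mapper in step 6 is used as the role claim type, the `AdminOnly` policy and the four `/info/...` routes from step 12 are wired as minimal-API endpoints (the real project uses controllers; the minimal-API form is an assumption made here), and an extra `/info/claims` route (not in the demo) lists every claim so you can confirm that `user_roles` actually arrived in the token before debugging role checks.

```csharp
// Program.cs, an added example, not the Keycloak-Demo project's own file.
// Assumptions: KEYCLOAK_ENDPOINT, KEYCLOAK_CLIENT_ID and KEYCLOAK_CLIENT_SECRET are set
// (the Keycloak_Demo launch profile does this), the "User client roles" mapper emits a
// multivalued "user_roles" claim, and the app listens on http://localhost:5161.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Fail fast on a missing setting instead of starting with a half-configured handler.
string Required(string name) =>
    builder.Configuration[name]
    ?? throw new InvalidOperationException($"{name} is not set (see launchSettings.json)");

var authority = Required("KEYCLOAK_ENDPOINT");       // e.g. http://localhost:8080/realms/master
var clientId = Required("KEYCLOAK_CLIENT_ID");       // dotnet-demo
var clientSecret = Required("KEYCLOAK_CLIENT_SECRET");

builder.Services
    .AddAuthentication(options =>
    {
        // The session lives in a cookie; an unauthenticated request is challenged via OIDC.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = authority;   // discovery: {authority}/.well-known/openid-configuration
        options.ClientId = clientId;
        options.ClientSecret = clientSecret;
        // Confidential client: authorization code flow, tokens are fetched server-side with the secret.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.SaveTokens = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        // Local http://localhost demo only; keep the default (true) anywhere else.
        options.RequireHttpsMetadata = false;
        // The multivalued "user_roles" array arrives as one claim per role, so naming it as the
        // role claim type makes User.IsInRole and [Authorize(Roles = ...)] work without extra mapping.
        options.TokenValidationParameters.RoleClaimType = "user_roles";
        options.TokenValidationParameters.NameClaimType = "preferred_username";
    });

builder.Services.AddAuthorization(options =>
{
    // Named policy checked by /info/adminOnly; the other routes use plain role checks.
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Step 11: any signed-in user; "sub" is mapped to NameIdentifier by the handler's inbound claim map.
app.MapGet("/info/authenticated", (ClaimsPrincipal user) => Results.Ok(new
{
    message = "User has authenticated",
    userId = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
})).RequireAuthorization();

// Debugging aid (not in the demo): dump every claim to confirm "user_roles" is present.
app.MapGet("/info/claims", (ClaimsPrincipal user) =>
    Results.Ok(user.Claims.Select(c => new { c.Type, c.Value }))).RequireAuthorization();

// Step 12: policy-based check.
app.MapGet("/info/adminOnly",
    () => Results.Ok(new { message = "User has the Admin role (AdminOnly policy)" }))
   .RequireAuthorization("AdminOnly");

// Step 12: plain role checks for /info/admin, /info/manager and /info/employer.
foreach (var role in new[] { "Admin", "Manager", "Employer" })
{
    app.MapGet($"/info/{role.ToLowerInvariant()}",
        () => Results.Ok(new { message = $"User has the {role} role" }))
       .RequireAuthorization(new AuthorizeAttribute { Roles = role });
}

app.Run();
```

If a role check fails even though the role is assigned in Keycloak, open `/info/claims` first: if no `user_roles` claims are listed, the problem is the mapper or the role mapping in steps 6 and 8, not the application code. Note that `RoleClaimType` is stored in the authentication cookie, so after changing it you need to sign in again for the new identity to be issued.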