AuthorizationGettingStarted
cs
using System.Security.Claims;
using System.Text.Json.Serialization;
using Microsoft.AspNetCore.Http.Json;
using static Microsoft.Extensions.DependencyInjection.AuthorizationConstants.Policies;
var builder = WebApplication.CreateBuilder(args);
var configuration = builder.Configuration;
var services = builder.Services;
builder.AddSerilog();
services.AddApplicationSwagger(configuration).AddAuth(configuration);
services.Configure<JsonOptions>(opts =>
{
opts.SerializerOptions.ReferenceHandler = ReferenceHandler.Preserve;
opts.SerializerOptions.WriteIndented = true;
});
var app = builder.Build();
app.UseHttpsRedirection()
.UseApplicationSwagger(configuration)
.UseAuthentication()
.UseAuthorization();
// login with required aspnet core identity role
app.MapGet("/endpoint1", (ClaimsPrincipal user) => user)
.RequireAuthorization(RequireAspNetCoreRole);
// login with requireed realm role evaluated from corresponding claim
app.MapGet("/endpoint2", (ClaimsPrincipal user) => user).RequireAuthorization(RequireRealmRole);
// login with requireed client role evaluated from corresponding claim
app.MapGet("/endpoint3", (ClaimsPrincipal user) => user).RequireAuthorization(RequireClientRole);
// login based on remotely executed policy
// authorization is performed by Keycloak (Authorization Server)
app.MapGet("/endpoint4", (ClaimsPrincipal user) => user)
.RequireAuthorization(RequireToBeInKeycloakGroupAsReader);
await app.RunAsync();
cs
namespace Microsoft.Extensions.DependencyInjection;
using Keycloak.AuthServices.Authentication;
using Keycloak.AuthServices.Authorization;
using static AuthorizationConstants;
public static partial class ServiceCollectionExtensions
{
public static IServiceCollection AddAuth(
this IServiceCollection services,
IConfiguration configuration
)
{
services.AddKeycloakWebApiAuthentication(configuration);
services
.AddAuthorization(options =>
{
options.AddPolicy(
Policies.RequireAspNetCoreRole,
builder => builder.RequireRole(Roles.AspNetCoreRole)
);
options.AddPolicy(
Policies.RequireRealmRole,
builder => builder.RequireRealmRoles(Roles.RealmRole)
);
options.AddPolicy(
Policies.RequireClientRole,
builder => builder.RequireResourceRoles(Roles.ClientRole)
);
options.AddPolicy(
Policies.RequireToBeInKeycloakGroupAsReader,
builder =>
builder
.RequireAuthenticatedUser()
.RequireProtectedResource("workspace", "workspaces:read")
);
})
.AddKeycloakAuthorization(configuration)
.AddAuthorizationServer(configuration);
return services;
}
}
public static class AuthorizationConstants
{
public static class Roles
{
public const string AspNetCoreRole = "realm-role";
public const string RealmRole = "realm-role";
public const string ClientRole = "client-role";
}
public static class Policies
{
public const string RequireAspNetCoreRole = nameof(RequireAspNetCoreRole);
public const string RequireRealmRole = nameof(RequireRealmRole);
public const string RequireClientRole = nameof(RequireClientRole);
public const string RequireToBeInKeycloakGroupAsReader = nameof(
RequireToBeInKeycloakGroupAsReader
);
}
}
See sample source code: keycloak-authorization-services-dotnet/tree/main/samples/AuthGettingStarted