Protection API
The Protection API is a UMA-compliant set of endpoints that provides:
Resource Management - With this endpoint, resource servers can manage their resources remotely and enable policy enforcers to query the server for the resources that need protection.
Permission Management - In the UMA protocol, resource servers access this endpoint to create permission tickets. Keycloak also provides endpoints to manage the state of permissions and query permissions.
Policy API - Keycloak leverages the UMA Protection API to allow resource servers to manage permissions for their users. In addition to the Resource and Permission APIs, Keycloak provides a Policy API through which resource servers can set permissions on resources on behalf of their users.
See documentation for more details: https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_api
Add to your code
Install Keycloak.AuthServices.Sdk:
dotnet add package Keycloak.AuthServices.Sdk
IMPORTANT
The Protection API is itself protected, so you need to acquire an access token before calling it. See Access Token Management.
You can use IKeycloakProtectionClient from Web APIs, Worker, Console apps, etc. It is fully integrated with IHttpClientFactory, so you don't need to worry about HttpClient lifetime and the way you work with it.
To add it to DI, you can use the convenience extension method AddKeycloakProtectionHttpClient:
    public static IHttpClientBuilder AddKeycloakProtectionHttpClient(
        this IServiceCollection services,
        KeycloakProtectionClientOptions keycloakOptions,
        Action<HttpClient>? configureClient = default
    )
Here is how to use it:
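    // Bind the Keycloak settings (client id, secret, token endpoint) from configuration.
    var keycloakOptions = configuration.GetKeycloakOptions<KeycloakProtectionClientOptions>()!;
    // Name of the token client registration; the value is an arbitrary label chosen for this sample.
    const string tokenClientName = "keycloak_protection_api_token";

    // Cache used by client-credentials token management.
    services.AddDistributedMemoryCache();
    services
        .AddClientCredentialsTokenManagement()
        .AddClient(
            tokenClientName,
            client =>
            {
                client.ClientId = keycloakOptions.Resource;
                client.ClientSecret = keycloakOptions.Credentials.Secret;
                client.TokenEndpoint = keycloakOptions.KeycloakTokenEndpoint;
            }
        );

    // Register the Protection API client and attach the client-credentials token to its requests.
    services
        .AddKeycloakProtectionHttpClient(configuration)
        .AddClientCredentialsTokenHandler(tokenClientName);

    var sp = services.BuildServiceProvider();
    var client = sp.GetRequiredService<IKeycloakProtectionClient>();
    // "Test" is the realm to query.
    var resources = await client.GetResourcesAsync("Test");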
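What the note above about access tokens means at the HTTP level, as an added example that is not part of the SDK or its documentation: a hand-written handler fetches a client-credentials token from Keycloak's token endpoint and sends it as a Bearer header to the UMA resource_set endpoint. PatHandler, FakeKeycloak, the host name and the client credentials are constructed for illustration; the code assumes a .NET 8 console project with implicit usings.

```csharp
using System.Net;
using System.Net.Http.Headers;
using System.Text.Json;

const string Realm = "Test"; // realm name from the page's usage sample
var baseUri = new Uri("https://keycloak.example/"); // placeholder host, never contacted
var resourceSet = $"realms/{Realm}/authz/protection/resource_set";

// Without a token the Protection API rejects the call.
var anonymous = new HttpClient(new FakeKeycloak()) { BaseAddress = baseUri };
Console.WriteLine((int)(await anonymous.GetAsync(resourceSet)).StatusCode);

// With the handler, a client-credentials token is obtained and attached first.
var pat = new PatHandler(Realm, "constructed-client", "constructed-secret") { InnerHandler = new FakeKeycloak() };
var authorized = new HttpClient(pat) { BaseAddress = baseUri };
Console.WriteLine(await authorized.GetStringAsync(resourceSet));

// Hypothetical handler (not the SDK's): fetches a token once and sends it as a Bearer header.
sealed class PatHandler(string realm, string clientId, string secret) : DelegatingHandler
{
    private string? _token; // cached for the handler's lifetime; no expiry tracking
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (_token is null)
        {
            var tokenUri = new Uri(request.RequestUri!, $"/realms/{realm}/protocol/openid-connect/token");
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials", ["client_id"] = clientId, ["client_secret"] = secret,
            });
            using var reply = await base.SendAsync(new HttpRequestMessage(HttpMethod.Post, tokenUri) { Content = form }, ct);
            reply.EnsureSuccessStatusCode();
            using var json = JsonDocument.Parse(await reply.Content.ReadAsStringAsync(ct));
            _token = json.RootElement.GetProperty("access_token").GetString();
        }
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token);
        return await base.SendAsync(request, ct);
    }
}

// Constructed in-memory stand-in for Keycloak so the example runs offline.
sealed class FakeKeycloak : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        if (request.RequestUri!.AbsolutePath.EndsWith("/openid-connect/token"))
            return Reply(HttpStatusCode.OK, """{"access_token":"constructed-pat"}""");
        var ok = request.Headers.Authorization is { Scheme: "Bearer", Parameter: "constructed-pat" };
        return ok ? Reply(HttpStatusCode.OK, """["constructed-resource-id"]""") : Reply(HttpStatusCode.Unauthorized, "");
    }
    static Task<HttpResponseMessage> Reply(HttpStatusCode code, string body) =>
        Task.FromResult(new HttpResponseMessage(code) { Content = new StringContent(body) });
}
```

In an application, the AddClientCredentialsTokenManagement and AddClientCredentialsTokenHandler registrations shown earlier take the place of PatHandler.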