Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configure multiple clients in single Realm #135

Open
grcontin opened this issue Aug 22, 2024 · 0 comments
Open

Configure multiple clients in single Realm #135

grcontin opened this issue Aug 22, 2024 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@grcontin
Copy link

grcontin commented Aug 22, 2024
edited
Loading

I can have multiple clients within a Realm, and these clients may or may not have access to certain resources. Using Keycloak.AuthServices.Authentication, I noticed that it is not possible to configure more than one client for the same realm via configuration. As a result, I couldn't perform the necessary validations for my API resources.

Is there a way to configure Keycloak in .NET for multiple clients so that I can authorize access to specific resources through authentication with these multiple clients? Below are my configurations:

appsettings.json:

{
  "realm": "sample-realm",
  "auth-server-url": "http://localhost:8080/",
  "ssl-required": "none",
  "resource": "backend-client",
  "verify-token-audience": true,
  "credentials": {
    "secret": "TXheAgfJirMzDb2Mnr06mKhTMUtu5ulm"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "credentials": {}
  }
}

Configurations for Keycloak.AuthServices.Authentication and Keycloak.AuthServices.Authorization:

public static IServiceCollection AddKeycloakAuthN(this IServiceCollection services, IConfiguration configuration)
{
    services.AddKeycloakWebApiAuthentication(configuration, options =>
    {
        options.IncludeErrorDetails = true;
    });

    return services;
}

public static IServiceCollection AddKeycloakAuthZ(this IServiceCollection services, IConfiguration configuration)
{
    services.AddAuthorization(configurations =>
    {
        configurations.FallbackPolicy = BuildDefaultPolicy();

        // client X has access to this resource
        configurations.AddPolicy(AuthorizationPolicyConstants.Sample, policyBuilder =>
        {
            policyBuilder.RequireRealmRoles(AuthorizationRoleConstants.User);
            policyBuilder.RequireProtectedResource(AuthorizationResourceConstants.Sample.Item1, AuthorizationResourceConstants.Sample.Item2);
        });

        // client X does NOT have access to this resource
        configurations.AddPolicy(AuthorizationPolicyConstants.SampleTwo, policyBuilder =>
        {
            policyBuilder.RequireRealmRoles(AuthorizationRoleConstants.Administrator, AuthorizationRoleConstants.User);
            policyBuilder.RequireProtectedResource(AuthorizationResourceConstants.SampleTwo.Item1, AuthorizationResourceConstants.SampleTwo.Item2);
        });

    })
    .AddKeycloakAuthorization(configuration)
    .AddAuthorizationServer(configuration);

    return services;
}

private static AuthorizationPolicy BuildDefaultPolicy() 
    => new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
@NikiforovAll NikiforovAll added enhancement New feature or request help wanted Extra attention is needed labels Aug 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NikiforovAll @grcontin