| name | keycloak-auth-services |
| description | Implementation guide for Keycloak.AuthServices .NET library — authentication (JWT Bearer, OIDC, RFC 8414), authorization (RBAC, resource protection, Authorization Server, organizations, multi-tenancy), Admin REST API SDK, Protection API SDK, and developer experience tooling (.NET Aspire, templates, OpenTelemetry). Trigger phrases include Keycloak.AuthServices, ProtectedResource, Admin SDK, Protection API, organization, RFC 8414, token introspection. |
| user-invocable | true |
Keycloak.AuthServices Implementation Guide
Quick Start
Choose your task and load the appropriate reference:
- JWT Bearer Authentication (Web API) → Continue below
- OIDC Authentication (Web App) → Load authentication.md
- Authorization & RBAC → Load authorization.md
- Resource Protection & Authorization Server → Load resource-protection.md
- Admin REST API SDK → Load admin-sdk.md
- Protection API SDK → Load protection-api.md
- Developer Experience (Aspire, Templates) → Load devex.md
- Configuration Reference → Load configuration.md
- Recipes & Troubleshooting → Load troubleshooting.md
- Token Introspection (Lightweight Tokens) → Load authorization.md (see "Token Introspection" section)
- Organization Authorization (Multi-Tenancy) → Load organization-authorization.md
- RFC 8414 Server Metadata Discovery → Load authentication.md (see "Server Metadata Discovery" section)
- Custom Token Provider (IKeycloakAccessTokenProvider) → Load resource-protection.md (see "IKeycloakAccessTokenProvider" section)
- Extensible Policy Builder (IProtectedResourcePolicyBuilder) → Load resource-protection.md (see "IProtectedResourcePolicyBuilder" section)
- Pluggable Parameter Resolvers → Load resource-protection.md (see "Pluggable Parameter Resolvers" section)
Packages Overview
| Package | Purpose |
|---|
Keycloak.AuthServices.Authentication | JWT Bearer (Web API) and OpenID Connect (Web App) authentication |
Keycloak.AuthServices.Authorization | RBAC (realm/client roles), Authorization Server client, [ProtectedResource] attribute, organization authorization |
Keycloak.AuthServices.Sdk | Hand-written Admin REST API + Protection API HTTP clients |
Keycloak.AuthServices.Sdk.Kiota | Auto-generated (Kiota) Admin REST API client — full API coverage |
Keycloak.AuthServices.Common | Shared configuration (KeycloakInstallationOptions), claims utilities |
Keycloak.AuthServices.OpenTelemetry | Metrics and tracing instrumentation |
Keycloak.AuthServices.Aspire.Hosting | .NET Aspire KeycloakResource integration |
Keycloak.AuthServices.Templates | dotnet new project templates |
Minimal Web API Setup
dotnet add package Keycloak.AuthServices.Authentication
dotnet add package Keycloak.AuthServices.Common
using Keycloak.AuthServices.Authentication;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddKeycloakWebApiAuthentication(builder.Configuration);
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "Hello World!").RequireAuthorization();
app.Run();
{
"Keycloak": {
"realm": "Test",
"auth-server-url": "http://localhost:8080/",
"ssl-required": "none",
"resource": "test-client",
"verify-token-audience": true,
"credentials": {
"secret": "your-client-secret"
}
}
}
Configuration Section
All packages bind to "Keycloak" config section by default. Key properties:
| Property | Description |
|---|
realm | Keycloak realm name |
auth-server-url | Keycloak server URL (e.g., http://localhost:8080/) |
resource | Client ID |
ssl-required | none, external, or all |
verify-token-audience | Validate audience claim against resource |
credentials.secret | Client secret (confidential clients) |
Both kebab-case (Keycloak adapter format) and PascalCase are supported.
Adding Authorization (RBAC)
dotnet add package Keycloak.AuthServices.Authorization
builder.Services.AddKeycloakAuthorization(builder.Configuration)
.AddAuthorizationBuilder()
.AddPolicy("AdminOnly", policy => policy.RequireRealmRoles("admin"))
.AddPolicy("EditorOnly", policy => policy.RequireResourceRoles("editor"));
Adding Authorization Server (Resource Protection)
builder.Services
.AddKeycloakAuthorization()
.AddAuthorizationServer(builder.Configuration);
app.MapGet("/workspaces", () => "Hello World!")
.RequireProtectedResource("workspaces", "workspace:read");
Adding Admin SDK
dotnet add package Keycloak.AuthServices.Sdk
builder.Services.AddKeycloakAdminHttpClient(builder.Configuration);
app.MapGet("/users", async (IKeycloakUserClient client) =>
await client.GetUsers("my-realm"));
Essential Patterns
- Configuration section: defaults to
"Keycloak", override via configSectionName parameter
- IHttpClientBuilder: all HTTP clients return
IHttpClientBuilder for resilience, handlers, etc.
- Token management: use
Duende.AccessTokenManagement for service account tokens
- OpenTelemetry:
AddKeycloakAuthServicesInstrumentation() for metrics and tracing
- Aspire:
AddKeycloakContainer("keycloak") + AddRealm("Test") for local dev
Reference Documentation
- authentication.md — JWT Bearer and OIDC setup, all overloads, adapter file config, RFC 8414 server metadata discovery
- authorization.md — RBAC, realm/client roles, role claims transformation, token introspection
- organization-authorization.md — Organization-based multi-tenancy, membership requirements, parameter resolvers
- resource-protection.md — Authorization Server, Protected Resource Builder, dynamic resources, policy provider, IKeycloakAccessTokenProvider, IProtectedResourcePolicyBuilder, pluggable parameter resolvers
- admin-sdk.md — Admin REST API (hand-written + Kiota), access token management
- protection-api.md — UMA Protection API, resource/permission/policy management
- devex.md — .NET Aspire, templates, OpenTelemetry
- configuration.md — All configuration options, naming conventions, adapter file
- troubleshooting.md — Common issues, recipes, debugging
