Integrate SS with Keycloak

Does anybody have integrated the Keycloak IDP server with ServiceStack? Keycloak is from RedHat / JBoss and it has good support for Java. But for C# it seems to be a bit hard. Searching the net shows a lot of outdated stuff (not maintained for years).

Since SS supports OpenID / OAuth2 I just wonder if it is possible to integrate Keycloak. The idea is to have Keycloak as one single account repository and authentication provider for several applications. It should be usable similar to other IDPs like Google, Twitter & Co. We have a number of servers using ServiceStack against .NETCore 3.1 and also .Net5 running as Docker containers on RHEL. They provide public APIs to customers. These servers should be integrated with Keycloak. Customers consume the API’s in web, mobile and desktop applications.

Is there any way to do that? Is there any sample code to use as a starting point for a small test server?

First thing to look for would be to see is if there is any C# implementation that authenticates against it? That should help determine how feasible it is to create an AuthProvider for it.

Hi @mythz

I found a recent sample called ASP.NET Core - Keycloak authorization guide on GitHub which I may look at. But I am not sure if it covers what I am looking for.

As an alternative to Keycloak we were looking at IdentityServer 4 since that seems to integrate well with ServiceStack as described in your documentation. However this product seems to be discontinued in November 2022 and the new product has a different licensing which is pretty pricey. Since we also offer the APIs for OEMs and the customers can create as many clients as they want, we cannot afford this solution. We are in the process of building an application ourselves using Flutter and later plan to release this for several platforms (Web, iOS, Android, Windows, MacOS X, Linux). So this in fact will be one multi-platform application but seems to count like 6 clients for the Duende licensing. We cannot afford this…

So currently we are bit confused and stuck what to choose with a C#/ServiceStack/Docker backend. We know, that we must provide a central account management and authentication provider which follows the global standards like OAuth, OIDC, SASL etc.

You’ll want to be careful with referring to that code since it’s GPLv3.

But it looks like the AddOpenIdConnect() is where it configures it against the KeyCloak server

What you can do is configure your app to use ASP.NET Identity Auth to register the NetCoreIdentityAuthProvider which will translate ASP .NET Identity Claims auth into an Authenticated ServiceStack Session.

Thanks @mythz, I will give that a try.

@tbednarz, did you ever have any luck with your Keycloak integration? We are also integrating ServiceStack auth with Keycloak, but your approach seems cleaner and I was curious if you were able to get your implementation working. If so, is this something you would consider open sourcing to the community? Thanks!

Hi @dbrackett,

Unfortunately not. The customer decided to postpone IDP integration and if they want to integrate it later, they will use AAD (Azure Active Directory).

For my own software I go with the little sisters and brothers of the big IDPs (login with Google, Apple and Microsoft). That is sufficient for me for the moment since I currentlu have no need to manage roles and groups and tons of users in an external IDP.

I got the impression that Keycloak is not very good supported in the .NET / Microsoft world which is a bit unfortunate, since I prefer OSS over all those other products. But at the very moment it looks like I will not investigate any further…

Thanks, @tbednarz! We’ll continue exploring this and, if we produce something useful, we may well contribute it back to the community.

1 Like