Integrate SS with Keycloak

tbednarz · September 3, 2021, 2:09pm

Does anybody have integrated the Keycloak IDP server with ServiceStack? Keycloak is from RedHat / JBoss and it has good support for Java. But for C# it seems to be a bit hard. Searching the net shows a lot of outdated stuff (not maintained for years).

Since SS supports OpenID / OAuth2 I just wonder if it is possible to integrate Keycloak. The idea is to have Keycloak as one single account repository and authentication provider for several applications. It should be usable similar to other IDPs like Google, Twitter & Co. We have a number of servers using ServiceStack against .NETCore 3.1 and also .Net5 running as Docker containers on RHEL. They provide public APIs to customers. These servers should be integrated with Keycloak. Customers consume the API’s in web, mobile and desktop applications.

Is there any way to do that? Is there any sample code to use as a starting point for a small test server?

mythz · September 3, 2021, 2:25pm

First thing to look for would be to see is if there is any C# implementation that authenticates against it? That should help determine how feasible it is to create an AuthProvider for it.

tbednarz · September 3, 2021, 6:05pm

Hi @mythz

I found a recent sample called ASP.NET Core - Keycloak authorization guide on GitHub which I may look at. But I am not sure if it covers what I am looking for.

As an alternative to Keycloak we were looking at IdentityServer 4 since that seems to integrate well with ServiceStack as described in your documentation. However this product seems to be discontinued in November 2022 and the new product has a different licensing which is pretty pricey. Since we also offer the APIs for OEMs and the customers can create as many clients as they want, we cannot afford this solution. We are in the process of building an application ourselves using Flutter and later plan to release this for several platforms (Web, iOS, Android, Windows, MacOS X, Linux). So this in fact will be one multi-platform application but seems to count like 6 clients for the Duende licensing. We cannot afford this…

So currently we are bit confused and stuck what to choose with a C#/ServiceStack/Docker backend. We know, that we must provide a central account management and authentication provider which follows the global standards like OAuth, OIDC, SASL etc.

mythz · September 3, 2021, 6:44pm

You’ll want to be careful with referring to that code since it’s GPLv3.

But it looks like the AddOpenIdConnect() is where it configures it against the KeyCloak server

github.com

tuxiem/AspNetCore-keycloak/blob/master/KeycloakAuth/Startup.cs#L49-L91


.AddOpenIdConnect(options =>
{
    /*
     * ASP.NET core uses the http://*:5000 and https://*:5001 ports for default communication with the OIDC middleware
     * The app requires load balancing services to work with :80 or :443
     * These needs to be added to the keycloak client, in order for the redirect to work.
     * If you however intend to use the app by itself then,
     * Change the ports in launchsettings.json, but beware to also change the options.CallbackPath and options.SignedOutCallbackPath!
     * Use LB services whenever possible, to reduce the config hazzle :)
    */


    //Use default signin scheme
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    //Keycloak server
    options.Authority = Configuration.GetSection("Keycloak")["ServerRealm"];
    //Keycloak client ID
    options.ClientId = Configuration.GetSection("Keycloak")["ClientId"];
    //Keycloak client secret
    options.ClientSecret = Configuration.GetSection("Keycloak")["ClientSecret"];
    //Keycloak .wellknown config origin to fetch config

This file has been truncated. show original

What you can do is configure your app to use ASP.NET Identity Auth to register the NetCoreIdentityAuthProvider which will translate ASP .NET Identity Claims auth into an Authenticated ServiceStack Session.

tbednarz · September 3, 2021, 7:07pm

Thanks @mythz, I will give that a try.

dbrackett · January 18, 2022, 12:17pm

@tbednarz, did you ever have any luck with your Keycloak integration? We are also integrating ServiceStack auth with Keycloak, but your approach seems cleaner and I was curious if you were able to get your implementation working. If so, is this something you would consider open sourcing to the community? Thanks!

tbednarz · January 18, 2022, 7:11pm

Hi @dbrackett,

Unfortunately not. The customer decided to postpone IDP integration and if they want to integrate it later, they will use AAD (Azure Active Directory).

For my own software I go with the little sisters and brothers of the big IDPs (login with Google, Apple and Microsoft). That is sufficient for me for the moment since I currentlu have no need to manage roles and groups and tons of users in an external IDP.

I got the impression that Keycloak is not very good supported in the .NET / Microsoft world which is a bit unfortunate, since I prefer OSS over all those other products. But at the very moment it looks like I will not investigate any further…

dbrackett · January 18, 2022, 11:41pm

Thanks, @tbednarz! We’ll continue exploring this and, if we produce something useful, we may well contribute it back to the community.