Skip to content

Configure multiple clients in single Realm #135

New issue
New issue
Open
Open
Configure multiple clients in single Realm#135
Labels
enhancementNew feature or requesthelp wantedExtra attention is needed
@grcontin

Description

@grcontin
grcontin
opened on Aug 22, 2024

I can have multiple clients within a Realm, and these clients may or may not have access to certain resources. Using Keycloak.AuthServices.Authentication, I noticed that it is not possible to configure more than one client for the same realm via configuration. As a result, I couldn't perform the necessary validations for my API resources.

Is there a way to configure Keycloak in .NET for multiple clients so that I can authorize access to specific resources through authentication with these multiple clients? Below are my configurations:

appsettings.json:

{
  "realm": "sample-realm",
  "auth-server-url": "http://localhost:8080/",
  "ssl-required": "none",
  "resource": "backend-client",
  "verify-token-audience": true,
  "credentials": {
    "secret": "TXheAgfJirMzDb2Mnr06mKhTMUtu5ulm"
  },
  "confidential-port": 0,
  "policy-enforcer": {
    "credentials": {}
  }
}

Configurations for Keycloak.AuthServices.Authentication and Keycloak.AuthServices.Authorization:

public static IServiceCollection AddKeycloakAuthN(this IServiceCollection services, IConfiguration configuration)
{
    services.AddKeycloakWebApiAuthentication(configuration, options =>
    {
        options.IncludeErrorDetails = true;
    });

    return services;
}

public static IServiceCollection AddKeycloakAuthZ(this IServiceCollection services, IConfiguration configuration)
{
    services.AddAuthorization(configurations =>
    {
        configurations.FallbackPolicy = BuildDefaultPolicy();

        // client X has access to this resource
        configurations.AddPolicy(AuthorizationPolicyConstants.Sample, policyBuilder =>
        {
            policyBuilder.RequireRealmRoles(AuthorizationRoleConstants.User);
            policyBuilder.RequireProtectedResource(AuthorizationResourceConstants.Sample.Item1, AuthorizationResourceConstants.Sample.Item2);
        });

        // client X does NOT have access to this resource
        configurations.AddPolicy(AuthorizationPolicyConstants.SampleTwo, policyBuilder =>
        {
            policyBuilder.RequireRealmRoles(AuthorizationRoleConstants.Administrator, AuthorizationRoleConstants.User);
            policyBuilder.RequireProtectedResource(AuthorizationResourceConstants.SampleTwo.Item1, AuthorizationResourceConstants.SampleTwo.Item2);
        });

    })
    .AddKeycloakAuthorization(configuration)
    .AddAuthorizationServer(configuration);

    return services;
}

private static AuthorizationPolicy BuildDefaultPolicy() 
    => new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requesthelp wantedExtra attention is needed

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions