ASPNET Core MVC Web App authentication while using .NET Aspire

[ekomsctr]

Hello,

i'm trying to use the library to authenticate my MVC Web App against a keycloak server. I could do so successfully (and it was very simple) with a Web Api project, but even following the sample i could not get it to work. Either i'm getting a "missing clientid in configuration" or a "missing authority, metadatahttps in the configuration".

Is this scenario supported? I have to specify something more in the .NET Aspire registration?

Edit: I manually added the Keycloak__ClientId env variables and now it's requiring https, is there any parameter to set this on the web app or should i add another env variable? Error: The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false

Thanks in advance

[NikiforovAll]

Hello,

Here is an example of MVC project. ref: https://nikiforovall.github.io/keycloak-authorization-services-dotnet/examples/web-app-mvc.html

Aspire provides some variables, but not all, you still need to complete the configuration by providing missing variables, like here (we provide clientId because Aspire don't know about your client registrations): https://nikiforovall.github.io/keycloak-authorization-services-dotnet/examples/aspire-web-api.html

I think combining these two example will do what you need

[ekomsctr]

Thank you for the clear answer, by combining concepts from both the samples i got it working! Here's what i've ended up doing:

1. Define a parameter in Aspire

var clientId = builder.AddParameter("ClientId", false);

2. Add the parameter's reference to the environment variables

var project = builder.AddProject<Projects.Your_Project_Name>("management")
    .WithExternalHttpEndpoints()
    .WithReference(keycloak)
    .WithEnvironment("Keycloak__ClientId", clientId)

3. Wired up the parameter inside the WebApp authentication setup

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddKeycloakWebApp(
    configureKeycloakOptions: options =>
    {
        builder.Configuration.GetSection(KeycloakAuthenticationOptions.Section).Bind(options);
    },
    configureOpenIdConnectOptions: options =>
    {
        // Other code omitted for brevity...

        options.ClientId = builder.Configuration.GetValue<string>("KeyCloak:ClientId");
        options.RequireHttpsMetadata = false;
        
        // Other code omitted for brevity...
    }
);

Doing so i hope i can (almost) seamlessy use the KeyCloak section when deploying the projects while still using .NET Aspire configuration perks.
If you have any suggestions to improve this implementation, it would be greatly appreciated!

[NikiforovAll]

@ekomsctr looks good to me. However, you may consider the following suggestions:

1. Read typed keycloak options instead of using "KeyCloak:ClientId": https://nikiforovall.github.io/keycloak-authorization-services-dotnet/qa/recipes.html#how-to-get-options-outside-of-iserviceprovider (you might not need it if you apply 2. suggestion)
2. Configure ClientId by adding Keycloak__Resource (and maybe Keycloak__Credentials__Secret if you need it), ref:

   keycloak-authorization-services-dotnet/src/Keycloak.AuthServices.Authentication/WebAppExtensions/KeycloakWebAppAuthenticationBuilderExtensions.cs

   Line 265 in 3933381

   options.ClientId = keycloakOptions.Resource;