Keycloak and google authentication - JU-DEV-Bootcamps/ERAS GitHub Wiki
Keycloak vs. other cloud-based solutions
- OpenID Connect
- OAuth 2.0
- SAML
- Fine-grained authorization services and policies from the admin console
```bash
docker run -p 8080:8080 -e KC_BOOTSTRAP_ADMIN_USERNAME=admin -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:26.0.7 start-dev
```
start-dev runs Keycloak in development mode over plain HTTP with a temporary bootstrap admin; the admin/admin credentials are for a local instance only. On this version the server is reachable without the /auth path prefix that older Keycloak releases used, which matters for the redirect URIs and auth-server-url below.
- Keycloak server installed and running
- .NET project set up
- Google Cloud Console account
- NuGet package manager
Go to Google Cloud Console (https://console.cloud.google.com/)
- Create a new project or select an existing one
- No API needs to be enabled for sign-in: the Google+ API that older guides mention has been shut down, and Keycloak's Google provider uses Google's OpenID Connect endpoints
- Go to Credentials → Create Credentials → OAuth Client ID
- Configure the OAuth consent screen
- Set up the OAuth 2.0 client with these settings:
  - Application Type: Web Application
  - Authorized JavaScript origins: http://localhost:8080
  - Authorized redirect URIs: http://localhost:8080/realms/[your-realm]/broker/google/endpoint (Keycloak 17 and later serve realms without the /auth prefix; use http://localhost:8080/auth/realms/[your-realm]/broker/google/endpoint only if the server was started with --http-relative-path=/auth)
- Note down the Client ID and Client Secret
- Log into Keycloak Admin Console
- Create or select your realm
- Go to Identity Providers
- Add provider → Google
- Configure the following settings:
  - Client ID: (from Google)
  - Client Secret: (from Google)
  - Default Scopes: email profile
- Save the configuration
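The same identity-provider registration can be scripted against the Keycloak Admin REST API, which makes the setup reproducible and prints the exact broker redirect URI that Google Cloud Console must have. The program below is an added example, not code from the wiki or the ERAS project. It assumes the dev server started with the docker command above (no /auth prefix, bootstrap admin admin/admin), that the realm already exists, and that the Google client secret is supplied through a GOOGLE_CLIENT_SECRET environment variable; the realm and client ID values marked HYPOTHETICAL are placeholders.

```csharp
// Added example: register the Google identity provider through the Keycloak Admin REST API.
// Not part of the original page or the ERAS project.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;

public static class GoogleIdpSetup
{
    // Keycloak 17+ serves realms at /realms/... with no /auth prefix.
    static readonly string KeycloakBase = "http://localhost:8080";
    static readonly string Realm = "your-realm";                      // HYPOTHETICAL
    static readonly string GoogleClientId = "your-google-client-id";  // HYPOTHETICAL
    // Read from the environment so the secret never lands in source control (assumed variable name).
    static readonly string GoogleClientSecret =
        Environment.GetEnvironmentVariable("GOOGLE_CLIENT_SECRET")
        ?? throw new InvalidOperationException("GOOGLE_CLIENT_SECRET is not set");

    // The exact value Google must have under "Authorized redirect URIs" for a broker alias.
    public static string BrokerRedirectUri(string baseUrl, string realm, string alias) =>
        $"{baseUrl.TrimEnd('/')}/realms/{realm}/broker/{alias}/endpoint";

    public static async Task Main()
    {
        using var http = new HttpClient();

        // 1. Obtain an admin token from the master realm (bootstrap admin, local dev only).
        var tokenResponse = await http.PostAsync(
            $"{KeycloakBase}/realms/master/protocol/openid-connect/token",
            new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "password",
                ["client_id"] = "admin-cli",
                ["username"] = "admin",
                ["password"] = "admin",
            }));
        tokenResponse.EnsureSuccessStatusCode();
        using var tokenJson = JsonDocument.Parse(await tokenResponse.Content.ReadAsStringAsync());
        var accessToken = tokenJson.RootElement.GetProperty("access_token").GetString();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        // 2. Identity provider representation: the same fields as the admin console form.
        var idp = new
        {
            alias = "google",
            providerId = "google",
            enabled = true,
            trustEmail = false,  // keep false unless you accept Google's email claim as already verified
            storeToken = false,  // do not persist Google's tokens in Keycloak unless the app needs them
            config = new
            {
                clientId = GoogleClientId,
                clientSecret = GoogleClientSecret,
                defaultScope = "openid profile email",
            },
        };

        var instancesUrl = $"{KeycloakBase}/admin/realms/{Realm}/identity-provider/instances";
        var create = await http.PostAsJsonAsync(instancesUrl, idp);
        if (create.StatusCode == HttpStatusCode.Conflict)
        {
            // The alias already exists: update it in place instead of failing.
            var update = await http.PutAsJsonAsync($"{instancesUrl}/google", idp);
            update.EnsureSuccessStatusCode();
        }
        else
        {
            create.EnsureSuccessStatusCode();
        }

        Console.WriteLine("Register this redirect URI in Google Cloud Console:");
        Console.WriteLine(BrokerRedirectUri(KeycloakBase, Realm, "google"));
    }
}
```

Running it twice is safe: the second run hits the 409 Conflict branch and updates the existing provider. The printed URI is what goes into "Authorized redirect URIs"; any difference in scheme, host, port, path or trailing slash shows up later as a redirect_uri mismatch at Google.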
```bash
dotnet add package Keycloak.AuthServices.Authentication
dotnet add package Keycloak.AuthServices.Authorization
dotnet add package Microsoft.AspNetCore.Authentication.OpenIdConnect
```
Configure the .NET application: update appsettings.json
```json
{
  "Keycloak": {
    "realm": "your-realm",
    "auth-server-url": "http://localhost:8080/",
    "ssl-required": "external",
    "resource": "your-client-id",
    "verify-token-audience": true,
    "credentials": {
      "secret": "your-client-secret"
    },
    "confidential-port": 0
  }
}
```
auth-server-url is the server root without /auth on Keycloak 17 and later. "resource" is the client ID of a confidential client created in the realm for this application, and "credentials.secret" is that client's secret, not the Google one. Keep "verify-token-audience" at true so that tokens minted for another client are rejected.
Configure Program.cs
```csharp
using Keycloak.AuthServices.Authentication;
using Keycloak.AuthServices.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);

        builder.Services.AddControllersWithViews();

        // Add Keycloak authentication. The extension reads the "Keycloak" section of the
        // root configuration itself, so pass the root configuration rather than the section.
        // This registers JWT bearer validation (a caller without a valid token receives 401);
        // the browser redirect to the Keycloak login page comes from the OpenID Connect
        // handler in Microsoft.AspNetCore.Authentication.OpenIdConnect, configured against
        // the same realm.
        builder.Services.AddKeycloakAuthentication(builder.Configuration);

        // Add authorization
        builder.Services.AddAuthorization(options =>
        {
            options.AddPolicy("RequireAuthenticatedUser",
                policy => policy.RequireAuthenticatedUser());
        });

        var app = builder.Build();

        app.UseAuthentication();
        app.UseAuthorization();
        app.MapDefaultControllerRoute();
        // ... rest of your configuration
        app.Run();
    }
}
```
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Every action in this controller requires an authenticated user.
[Authorize]
public class SecureController : Controller
{
    [HttpGet]
    public IActionResult Index()
    {
        return View();
    }
}
```
Handle user authentication in views
```cshtml
@using Microsoft.AspNetCore.Authentication
@if (User.Identity?.IsAuthenticated == true)
{
    <p>Welcome @User.Identity.Name!</p>
    @* Logout is a POST so that a cross-site link cannot end the session *@
    <form asp-controller="Account" asp-action="Logout" method="post">
        <button type="submit">Logout</button>
    </form>
}
else
{
    <a asp-controller="Account" asp-action="Login">Login with Google</a>
}
```
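The view above links to an Account controller with Login and Logout actions and the test flow below expects an unauthenticated request to be redirected to Keycloak, but neither the controller nor the redirect wiring appears on the page. The Program.cs and controller below are an added example, not code from the wiki or the ERAS project: they configure the cookie and OpenID Connect handlers against the realm and client from appsettings.json, send the user straight to Google with Keycloak's kc_idp_hint parameter, and end both the local session and the Keycloak SSO session on logout. They assume a confidential Keycloak client named by "resource" exists in the realm; the AccountController name and the "idp" property key are choices made for this example.

```csharp
// Added example, not the wiki's or the ERAS project's code. Assumes appsettings.json
// holds the "Keycloak" section shown on the page and that a confidential client named
// by "resource" exists in the realm. "AccountController" and the "idp" item key are
// names chosen for this example.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
var kc = builder.Configuration.GetSection("Keycloak");
// Realm issuer; Keycloak 17+ serves it without the /auth prefix.
var authority = $"{kc["auth-server-url"]!.TrimEnd('/')}/realms/{kc["realm"]}";

builder.Services.AddControllersWithViews();
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;   // session after login
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; // unauthenticated -> redirect to Keycloak
    })
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // the app itself runs over HTTPS
        options.Cookie.SameSite = SameSiteMode.Lax;                // Lax still permits the top-level redirect back
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = authority;   // discovery from {authority}/.well-known/openid-configuration
        options.ClientId = kc["resource"]!;
        options.ClientSecret = kc["credentials:secret"];
        options.ResponseType = OpenIdConnectResponseType.Code;   // authorization code flow
        options.UsePkce = true;
        options.SaveTokens = true;       // keeps id_token in the encrypted cookie for id_token_hint at logout
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
        options.RequireHttpsMetadata = !builder.Environment.IsDevelopment();   // plain-http Keycloak only in dev
        options.TokenValidationParameters = new TokenValidationParameters
        {
            NameClaimType = "preferred_username",
            ValidateAudience = true,                 // same intent as "verify-token-audience": true
            ValidAudience = kc["resource"],
            ClockSkew = TimeSpan.FromMinutes(1),     // fix NTP rather than widening this
        };
        options.Events = new OpenIdConnectEvents
        {
            // kc_idp_hint is a Keycloak-specific parameter that skips the Keycloak login
            // page and sends the browser straight to the named identity provider.
            OnRedirectToIdentityProvider = ctx =>
            {
                if (ctx.Properties.Items.TryGetValue("idp", out var idp) && idp is not null)
                {
                    ctx.ProtocolMessage.SetParameter("kc_idp_hint", idp);
                }
                return Task.CompletedTask;
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Target of the view's asp-controller="Account" links.
public class AccountController : Controller
{
    [HttpGet]
    public IActionResult Login(string? returnUrl = "/")
    {
        // Only return to local URLs, so the login link cannot be abused as an open redirect.
        var props = new AuthenticationProperties { RedirectUri = Url.IsLocalUrl(returnUrl) ? returnUrl : "/" };
        props.Items["idp"] = "google";   // alias of the identity provider configured in Keycloak
        return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
    }

    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        // Clears the local cookie, then redirects to Keycloak's end_session endpoint so the
        // Keycloak SSO session ends as well; Keycloak then returns the browser to "/".
        return SignOut(new AuthenticationProperties { RedirectUri = "/" },
            CookieAuthenticationDefaults.AuthenticationScheme,
            OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

The OpenID Connect handler's callback paths default to /signin-oidc and /signout-callback-oidc, so the Keycloak client needs https://localhost:<app-port>/signin-oidc under Valid redirect URIs and https://localhost:<app-port>/signout-callback-oidc under Valid post logout redirect URIs; otherwise Keycloak rejects the round trip as an invalid redirect_uri. Omitting the "idp" item in Login shows the normal Keycloak login page, where "Google" appears as a button once the identity provider is enabled.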
1. Start your Keycloak server
2. Run your .NET application
3. Navigate to a protected endpoint
4. You should be redirected to the Keycloak login page
5. Select "Login with Google"
6. Complete Google authentication
7. You should be redirected back to your application
Common Issues and Troubleshooting

Redirect URI Mismatch
- Ensure the redirect URI in Google Console matches Keycloak's broker endpoint exactly; scheme, host, port, path and any trailing slash must all be identical
- On Keycloak 17 and later the path is /realms/[your-realm]/broker/google/endpoint; the /auth prefix applies only if the server runs with --http-relative-path=/auth

Token validation failures
- Verify the realm name and auth-server-url in appsettings.json; the issuer in each token must match the realm URL the application validates against
- Ensure clocks are synchronized between services, since the exp, iat and nbf checks fail once the skew exceeds the validator's tolerance

CORS errors
- Add appropriate CORS configuration if your frontend is served from a separate origin
- Configure valid redirect URIs in both Google and the Keycloak client

SSL/TLS
- In development, set ssl-required to "external" or "none"
- In production, ensure proper SSL certificates are configured and leave ssl-required at "external"

Security recommendations
- Always use HTTPS in production
- Regularly rotate client secrets (both the Google client secret and the Keycloak client secret in appsettings.json) and keep them out of source control
- Implement proper session management
- Configure appropriate token lifetimes
- Implement proper logout handling that ends both the application session and the Keycloak SSO session
- Keep verify-token-audience set to true so tokens issued for another client are rejected