Configure cookie-based OIDC authentication with Keycloak for affolterNET.Web.Bff. Use when setting up login/logout, token refresh, or Keycloak integration.
Configures cookie-based OIDC authentication with Keycloak for affolterNET.Web.Bff. Use when setting up login/logout endpoints, token refresh, or configuring authentication modes for your application.
```
/plugin marketplace add Mcafee123/affolterNET.Web
/plugin install affolternet-web-bff@affolternet-web
```

This skill inherits all available tools. When active, it can use any tool Claude has access to.
Configure cookie-based OIDC authentication with Keycloak.
For complete reference, see Library Guide.
```json
{
  "affolterNET": {
    "Web": {
      "Auth": {
        "Provider": {
          "Authority": "https://keycloak.example.com/realms/myrealm",
          "ClientId": "my-bff-client",
          "ClientSecret": "your-client-secret"
        },
        "CookieAuth": {
          "CookieName": ".MyApp.Auth",
          "ExpireTimeSpan": "01:00:00"
        }
      },
      "BffOptions": {
        "AuthMode": "Authenticate"
      }
    }
  }
}
```

| Mode | Description |
|---|---|
| None | No authentication required |
| Authenticate | Valid session required, no permission checks |
| Authorize | Valid session + Keycloak RPT permissions required |

The BFF provides these authentication endpoints:

| Endpoint | Method | Description |
|---|---|---|
| /bff/account/login | GET | Initiates OIDC login flow |
| /bff/account/logout | GET/POST | Logs out user |
| /bff/account/user | GET | Returns current user info |

```
/bff/account/login?returnUrl=/dashboard
```

| Property | Description |
|---|---|
| Authority | Keycloak realm URL |
| ClientId | OIDC client identifier |
| ClientSecret | OIDC client secret |

| Property | Type | Default | Description |
|---|---|---|---|
| CookieName | string | .AspNetCore.Auth | Authentication cookie name |
| ExpireTimeSpan | TimeSpan | 01:00:00 | Cookie expiration |
| SlidingExpiration | bool | true | Extend cookie on activity |

The RefreshTokenMiddleware automatically refreshes tokens:
The BFF returns 401 instead of redirecting to Keycloak:
```javascript
// Handle 401 in your SPA
if (response.status === 401) {
  window.location.href = '/bff/account/login?returnUrl=' +
    encodeURIComponent(window.location.pathname);
}
```
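
The 401 handling above, written as a reusable fetch wrapper that only ever sends a same-origin path as `returnUrl`. This is an added example, not code from affolterNET.Web.Bff; `LOGIN_PATH`, `safeReturnPath`, `loginUrlFor`, `bffFetch` and the `env` parameter are names assumed here. It also assumes nothing about how the BFF validates `returnUrl` on the server, which the page does not describe.

```javascript
// Added example: SPA-side 401 handling for the BFF login endpoint.
// All function names below are illustrative, not part of the library.
const LOGIN_PATH = '/bff/account/login';

// Reduce any candidate location to a same-origin path + query that is safe
// to pass as returnUrl. Anything else collapses to "/".
function safeReturnPath(candidate, origin) {
  let url;
  try {
    // URL parsing normalises "//host" and "/\host", so both forms are
    // resolved to their real target before the origin comparison.
    url = new URL(candidate, origin);
  } catch {
    return '/';
  }
  if (url.origin !== origin) return '/';                    // other host or scheme
  if (url.pathname.startsWith('/bff/account/')) return '/'; // avoid login/logout loops
  return url.pathname + url.search;                         // fragment is dropped
}

function loginUrlFor(candidate, origin) {
  return LOGIN_PATH + '?returnUrl=' +
    encodeURIComponent(safeReturnPath(candidate, origin));
}

// fetch wrapper: on 401, navigate to the BFF login endpoint.
// env.fetchImpl, env.location and env.navigate exist so the logic can be
// exercised outside a browser; in the SPA they default to the real globals.
async function bffFetch(input, init, env = {}) {
  const fetchImpl = env.fetchImpl || fetch;
  const loc = env.location || window.location;
  const navigate = env.navigate || ((u) => { window.location.href = u; });

  // The session lives in the auth cookie, so it must be sent with the request.
  const response = await fetchImpl(input, { credentials: 'same-origin', ...init });
  if (response.status === 401) {
    navigate(loginUrlFor(loc.pathname + loc.search, loc.origin));
  }
  return response;
}
```

Unlike the short snippet, this keeps the query string in the return path and refuses to round-trip the login or logout endpoints themselves.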
Authority URL is correct