Skill

keycloak-auth-services

Guides Keycloak.AuthServices .NET library implementation for JWT Bearer/OIDC authentication, RBAC/resource authorization, Admin/Protection API SDKs, multi-tenancy, and dev tooling like .NET Aspire/OpenTelemetry.

.NET

OpenTelemetry

authentication

security

npx claudepluginhub nikiforovall/keycloak-authorization-services-dotnet --plugin keycloak-authservices

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Choose your task and load the appropriate reference:

Supporting Assets

references/admin-sdk.mdreferences/authentication.mdreferences/authorization.mdreferences/configuration.mdreferences/devex.mdreferences/organization-authorization.mdreferences/protection-api.mdreferences/resource-protection.mdreferences/troubleshooting.md

SKILL.md

Similar Skills

authentication

188

Guides ASP.NET Core authentication and authorization with JWT bearer tokens, OpenID Connect, ASP.NET Identity, policies, roles, claims, and API keys. For login, endpoint protection, and auth rules.

dotnet-claude-kit

keycloak-administration

667

Guides Keycloak IAM administration: realm/user management, client configuration, authentication flows with OIDC/SAML, authorization policies, RBAC, security hardening, and troubleshooting.

9 files

keycloak-authservices

dotnet-api-security

Implementing API auth. Identity, OAuth/OIDC, JWT bearer, passkeys (WebAuthn), CORS, rate limiting.

dotnet-skills

Stats

Stars667

Forks131

Last CommitMar 27, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Keycloak.AuthServices Implementation Guide

Quick Start

Choose your task and load the appropriate reference:

JWT Bearer Authentication (Web API) → Continue below
OIDC Authentication (Web App) → Load authentication.md
Authorization & RBAC → Load authorization.md
Resource Protection & Authorization Server → Load resource-protection.md
Admin REST API SDK → Load admin-sdk.md
Protection API SDK → Load protection-api.md
Developer Experience (Aspire, Templates) → Load devex.md
Configuration Reference → Load configuration.md
Recipes & Troubleshooting → Load troubleshooting.md
Token Introspection (Lightweight Tokens) → Load authorization.md (see "Token Introspection" section)
Organization Authorization (Multi-Tenancy) → Load organization-authorization.md
RFC 8414 Server Metadata Discovery → Load authentication.md (see "Server Metadata Discovery" section)
Custom Token Provider (IKeycloakAccessTokenProvider) → Load resource-protection.md (see "IKeycloakAccessTokenProvider" section)
Extensible Policy Builder (IProtectedResourcePolicyBuilder) → Load resource-protection.md (see "IProtectedResourcePolicyBuilder" section)
Pluggable Parameter Resolvers → Load resource-protection.md (see "Pluggable Parameter Resolvers" section)

Packages Overview

Package	Purpose
`Keycloak.AuthServices.Authentication`	JWT Bearer (Web API) and OpenID Connect (Web App) authentication
`Keycloak.AuthServices.Authorization`	RBAC (realm/client roles), Authorization Server client, `[ProtectedResource]` attribute, organization authorization
`Keycloak.AuthServices.Sdk`	Hand-written Admin REST API + Protection API HTTP clients
`Keycloak.AuthServices.Sdk.Kiota`	Auto-generated (Kiota) Admin REST API client — full API coverage
`Keycloak.AuthServices.Common`	Shared configuration (`KeycloakInstallationOptions`), claims utilities
`Keycloak.AuthServices.OpenTelemetry`	Metrics and tracing instrumentation
`Keycloak.AuthServices.Aspire.Hosting`	.NET Aspire `KeycloakResource` integration
`Keycloak.AuthServices.Templates`	`dotnet new` project templates

Minimal Web API Setup

dotnet add package Keycloak.AuthServices.Authentication
dotnet add package Keycloak.AuthServices.Common

using Keycloak.AuthServices.Authentication;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddKeycloakWebApiAuthentication(builder.Configuration);
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/", () => "Hello World!").RequireAuthorization();
app.Run();

// appsettings.json — "Keycloak" section (kebab-case from adapter config)
{
  "Keycloak": {
    "realm": "Test",
    "auth-server-url": "http://localhost:8080/",
    "ssl-required": "none",
    "resource": "test-client",
    "verify-token-audience": true,
    "credentials": {
      "secret": "your-client-secret"
    }
  }
}

Configuration Section

All packages bind to "Keycloak" config section by default. Key properties:

Property	Description
`realm`	Keycloak realm name
`auth-server-url`	Keycloak server URL (e.g., `http://localhost:8080/`)
`resource`	Client ID
`ssl-required`	`none`, `external`, or `all`
`verify-token-audience`	Validate audience claim against `resource`
`credentials.secret`	Client secret (confidential clients)

Both kebab-case (Keycloak adapter format) and PascalCase are supported.

Adding Authorization (RBAC)

dotnet add package Keycloak.AuthServices.Authorization

builder.Services.AddKeycloakAuthorization(builder.Configuration)
    .AddAuthorizationBuilder()
    .AddPolicy("AdminOnly", policy => policy.RequireRealmRoles("admin"))
    .AddPolicy("EditorOnly", policy => policy.RequireResourceRoles("editor"));

Adding Authorization Server (Resource Protection)

builder.Services
    .AddKeycloakAuthorization()
    .AddAuthorizationServer(builder.Configuration);

app.MapGet("/workspaces", () => "Hello World!")
    .RequireProtectedResource("workspaces", "workspace:read");

Adding Admin SDK

dotnet add package Keycloak.AuthServices.Sdk

builder.Services.AddKeycloakAdminHttpClient(builder.Configuration);

app.MapGet("/users", async (IKeycloakUserClient client) =>
    await client.GetUsers("my-realm"));

Essential Patterns

Configuration section: defaults to "Keycloak", override via configSectionName parameter
IHttpClientBuilder: all HTTP clients return IHttpClientBuilder for resilience, handlers, etc.
Token management: use Duende.AccessTokenManagement for service account tokens
OpenTelemetry: AddKeycloakAuthServicesInstrumentation() for metrics and tracing
Aspire: AddKeycloakContainer("keycloak") + AddRealm("Test") for local dev

Reference Documentation

authentication.md — JWT Bearer and OIDC setup, all overloads, adapter file config, RFC 8414 server metadata discovery
authorization.md — RBAC, realm/client roles, role claims transformation, token introspection
organization-authorization.md — Organization-based multi-tenancy, membership requirements, parameter resolvers
resource-protection.md — Authorization Server, Protected Resource Builder, dynamic resources, policy provider, IKeycloakAccessTokenProvider, IProtectedResourcePolicyBuilder, pluggable parameter resolvers
admin-sdk.md — Admin REST API (hand-written + Kiota), access token management
protection-api.md — UMA Protection API, resource/permission/policy management
devex.md — .NET Aspire, templates, OpenTelemetry
configuration.md — All configuration options, naming conventions, adapter file
troubleshooting.md — Common issues, recipes, debugging