Keycloak with ASP.NET: API returns 401 with authorize attribute
I am trying to set up Keycloak in my ASP.NET application.
The intended flow is: Frontend (Vue.js) redirects to Keycloak login page, and only when authenticated allows the user to proceed. It then requests the data from the ASP.NET API.
The Vue.JS part seems to be working and the bearer token is manually placed in the request to the ASP.NET API. The network tab proves that the bearer token is included. Nonetheless, the API always returns 401.
My suspicion is that the backend configuration is not correct.
```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddOpenIdConnect(options => SetOpenIdConnectOptions(options))
            // Registered without options: this scheme has no Authority or MetadataAddress,
            // so it holds no signing keys to match a token's "kid" against.
            .AddJwtBearer();
    }

    private void SetOpenIdConnectOptions(OpenIdConnectOptions options)
    {
        var keycloak = Configuration.GetSection("Keycloak");

        options.SignInScheme = JwtBearerDefaults.AuthenticationScheme;
        options.Authority = keycloak["ServerRealm"];
        options.ClientId = keycloak["ClientId"];
        options.ClientSecret = keycloak["ClientSecret"];
        options.MetadataAddress = keycloak["Metadata"];
        options.RequireHttpsMetadata = false;          // allows plain-HTTP discovery (dev only)
        options.GetClaimsFromUserInfoEndpoint = true;
        options.SaveTokens = true;
        options.ResponseType = OpenIdConnectResponseType.Token; // implicit flow: token comes back in the redirect
        options.Scope.Add("openid");
        options.Scope.Add("profile");

        options.TokenValidationParameters = new TokenValidationParameters()
        {
            ValidateAudience = true,
            ValidAudience = "test_audience",
            ValidateIssuer = true,
            ValidIssuers = new[] { options.Authority },
            ValidateIssuerSigningKey = false,   // skips checks on the key itself; the signature is still verified
            //IssuerSigningKeys = openidconfig.SigningKeys,
            RequireExpirationTime = true,
            ValidateLifetime = true,
            RequireSignedTokens = false,        // accepts unsigned (alg: none) tokens
        };
    }
}
```
What I have tried and important notes
I have tried to debug the authorization by creating events on the OpenIdConnectOptions. None of the events are triggered. However, when I do the same thing on the .AddJwtBearer(), the events are triggered and complain about the "kid" (Signature validation failed. Unable to match key: kid:). I've understood that the .AddJwtBearer() call is required, but it seems a bit dodgy.
I have also tried this with similar settings, such as without the TokenValidationParameters.
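The following is an added example, not code from the question, showing how the bearer scheme that actually handles the API requests is typically wired up so that it can resolve a token's "kid": the JWT bearer handler is given the realm URL as Authority, fetches the realm's discovery document and JWKS from it, and validates signature, issuer, audience and lifetime. The configuration keys Keycloak:ServerRealm (the realm URL, e.g. https://keycloak.example.com/realms/myrealm) and Keycloak:Audience are assumptions for the example; the OpenID Connect scheme from the question is left out because a Vue.js frontend that sends a bearer token never triggers a server-side redirect.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed keys (not from the question): ServerRealm is the realm URL,
        // Audience is the value the realm writes into the token's "aud" claim for this API.
        var keycloak = Configuration.GetSection("Keycloak");
        var realmUrl = keycloak["ServerRealm"];

        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // With Authority set, the handler downloads
                // {Authority}/.well-known/openid-configuration, follows jwks_uri and
                // caches the realm's public keys, so a token "kid" can be matched to a key.
                options.Authority = realmUrl;
                options.RequireHttpsMetadata = true; // relax only for a local dev realm

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = realmUrl,              // must equal the token's "iss" exactly
                    ValidateAudience = true,
                    ValidAudience = keycloak["Audience"],
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens = true,          // reject unsigned (alg: none) tokens
                    ValidateLifetime = true,
                    RequireExpirationTime = true,
                    ClockSkew = TimeSpan.FromSeconds(30),
                };

                // Log the exact validation failure instead of leaving only a bare 401.
                options.Events = new JwtBearerEvents
                {
                    OnAuthenticationFailed = ctx =>
                    {
                        var logger = ctx.HttpContext.RequestServices
                            .GetRequiredService<ILogger<Startup>>();
                        logger.LogWarning(ctx.Exception, "Bearer token rejected");
                        return Task.CompletedTask;
                    }
                };
            });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must precede UseAuthorization, otherwise the token is never validated
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Two checks worth running against a decoded token before blaming the middleware: the "iss" claim has to match Authority character for character (recent Keycloak releases use /realms/<realm>, older ones /auth/realms/<realm>), and the "aud" claim has to contain the configured audience. Keycloak does not add a custom audience on its own (an access token typically carries only "account" until an audience mapper is added to the client), so ValidateAudience = true with an arbitrary value such as "test_audience" rejects tokens that are otherwise valid.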
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
