Do you want to simplify your development process? Grab my free Clean Architecture template here: bit.ly/3Andaly
Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt
I'm writing to you from Colombia. You solved a problem I had been dealing with for several days while trying to integrate a small .NET project using Net Aspire Components
Ha! I'm glad this was helpful to unblock you 😁
Please, more series on Keycloak. In the past I tried to implement this but I was defeated. Thank you for sharing your knowledge.
Will do! I have a few more ideas for topics to cover
@MilanJovanovicTech Awesome. Please show how to connect to a Postgres database and manage user roles/permissions.
Great explanation of Keycloak for authentication and authorization! The setup and configuration steps were clear, and your examples made complex concepts easy to grasp. Looking forward to more in this series-super excited to dive deeper!
Great to hear!
This is a great video series! I remember in the past searching for content about Keycloak, but nothing compares to this.
Glad it was helpful! And I'm glad some results are coming up for Keycloak now 😁
More of Keycloak please. I'm excited for the series! 😊
More to come!
Awesome as usual, I'd love to refresh my auth code flow and claims transformation knowledge. It's been a while, you're the best for this :))
I think I covered refresh token in previous Keycloak video, and I have a separate one on claims transformation
Excited for the Keycloak series 🔥
What do you think about it?
@MilanJovanovicTech It's offering so many benefits and is suitable for microservices, IMO. While everyone is struggling with cloud alternatives, it's free and can be run as an isolated container; can't ask for more.
I'm considering applying authorization using Keycloak.
Do you think it's worth it?
Another nice video on Keycloak, keep 'em coming
Much appreciated!
Better to use cookie (HttpOnly) authentication for enhanced security, particularly when your client is a SPA. Utilise cookies for communication between the client and the API Gateway, and JWTs for interactions between the API Gateway and downstream services. Good content btw!
That could be something I cover in a future video
@MilanJovanovicTech Cookie-based JWT authentication, if you could. It gives us all the security of cookie auth with the statelessness of JWTs.
Thanks for sharing, Milan, it helped me too.
You're welcome!
This was fantastic. Thanks!
Sure thing!
Awesome series!
Glad you think so!
Nice video. Waiting for more microservice scenario on Keycloak. Cheers :)
Working on it
Great video, congrats!
Thanks!
Hello Milan,
What do you think about making a video where you implement your own IdentityServer?
For example with Duende IdentityServer.
Perhaps, we'll see
Awesome video as always. Please do a video using microsoft entra as identity provider. There are few examples about it online.
Great suggestion!
Hi Milan, great video as always. I have a question:
Instead of having both the proxy and the API doing auth, do you think it's a valid/feasible idea to have the gateway forward just the claims downstream when the authentication is successful? That way there is less duplication and the API could simply process the relevant header for claims info.
Yes, this makes sense. But we have to make sure that the internal APIs can't be accessed from the outside world. Otherwise, we'd be introducing a security risk.
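One way to implement the approach the reply endorses, as an added example that is not code from the video or the author's project: the YARP gateway validates the Keycloak token and forwards only claims it derived itself, stripping any identity header an outside caller supplied, while the downstream API stays reachable only on the Docker network. It assumes a YARP configuration in the "ReverseProxy" section of appsettings.json whose routes reference the "authenticated" policy; `<realm>` and the header name are placeholders.

```csharp
// Added example, not the video's code. Assumes a YARP gateway configured from
// the "ReverseProxy" section of appsettings.json, routes that reference the
// "authenticated" policy, and a downstream API with no published host port,
// so external callers cannot bypass the gateway and forge this header.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Yarp.ReverseProxy.Transforms;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Same Keycloak settings as the API; "<realm>" is a placeholder. Use the
        // Compose service name instead when the gateway also runs in Docker.
        options.Authority = "http://localhost:18080/realms/<realm>";
        options.RequireHttpsMetadata = false; // local Docker only
        options.TokenValidationParameters.ValidateAudience = false;
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("authenticated", p => p.RequireAuthenticatedUser()));

builder.Services
    .AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
    .AddTransforms(ctx =>
    {
        ctx.AddRequestTransform(t =>
        {
            // YARP has already copied the incoming headers onto ProxyRequest:
            // drop any X-User-Id the client sent so only the gateway-derived
            // value reaches the downstream service.
            t.ProxyRequest.Headers.Remove("X-User-Id");

            var user = t.HttpContext.User;
            if (user.Identity?.IsAuthenticated == true)
            {
                // "sub" arrives as NameIdentifier under the default inbound claim map.
                var sub = user.FindFirstValue(ClaimTypes.NameIdentifier)
                          ?? user.FindFirstValue("sub");
                if (sub is not null)
                    t.ProxyRequest.Headers.TryAddWithoutValidation("X-User-Id", sub);
            }
            return ValueTask.CompletedTask;
        });
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapReverseProxy();
app.Run();
```

The downstream API then reads X-User-Id without re-validating the token, which is only safe because the gateway is the sole path to it.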
Would love to see how you set this up for production and deploy to Azure (or any other cloud provider).
Azure Container Apps?
Great video as usual! Do you use the Implicit flow for the sake of simplicity? I know that it is not recommended to use the Implicit flow for security reasons.
Yes, could've also used auth code flow just the same
Great video! Could you implement an extra field in the user record, gender, for example?
Another interesting topic, although outside the C# scope, could be "Custom Themes".
I would like to see more Keycloak videos. Thank you so much!
That's a good idea for a future video
Thank you so much
Any time
Super useful! Any plans on creating a guide for Azure AD B2C authentication? I've seen lots of companies migrating to 2FA auth these last months, so I'm curious: is Azure AD B2C the best option? Thanks for the content!
It's probably the best option if you're on Azure
What should I do if the repository needs to be associated with a user table, and I don't need to create a user table locally?
I'm not sure what you're asking here
How can I connect Keycloak to a SQL Server DB? I'm still stuck with this identity provider. Thanks
Check here: www.keycloak.org/server/db
@MilanJovanovicTech Thanks! BTW, do you know if there is a way to customize the view screen where Keycloak asks for credentials?
Could you add the requests as http files next time?
I'm neither using Swashbuckle nor Postman, and getting the basic request was not clear for me.
Yeah, good suggestion. Thanks!
Thank you 🙏
You bet
I'm curious if Keycloak can point to an external IDP (AAD, PingId,...) for authentication and automatically sync the users from the external IDP to Keycloak. It would help a lot for enterprise applications.
Not sure, let me check
Why is localhost:18080 in "MetadataAddress" not working? Must it be a Docker address?
Because these containers are in a Docker network
Both the API and Keycloak are running inside Docker Compose, which automatically sets up an internal Docker network. Within this network, each container (in this case, the API and Keycloak) has its own isolated "localhost" that refers only to itself. To enable communication between containers, you need to use the service names defined in the Docker Compose file. These service names act as hostnames, allowing the containers to find and communicate with each other.
So instead of using "localhost" to connect to Keycloak, we need to use the Keycloak service name from the Docker Compose file. This is because "localhost" within the API container refers only to the API itself, not to other containers like Keycloak.
Enjoy this visual representation:
Host Machine → [ Docker Network { API Container, Keycloak Container } ]
OK. Thanks.
I also guess that the 'iss' address (localhost:18080) in the token is taken by Keycloak automatically from the client request, because it has no access to this address itself.
Love the series. I am trying to set it up according to your video, but I have fought for hours with this issue after getting the bearer token and requesting the /me endpoint:
Bearer error="invalid_token", error_description="The signature key was not found"
Looks like the metadata endpoint is unreachable
@MilanJovanovicTech Same issue, how to fix this? I have a dockerised setup
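The MetadataAddress question and the "signature key was not found" reports above come down to the same configuration, so here is an added example of the API's Program.cs (not code from the video or the author's repository) that fetches Keycloak metadata over the Compose service name while validating the host-side issuer. It assumes the Keycloak service is named `keycloak` on port 8080 inside the Docker network, published as localhost:18080 on the host, and that `<realm>` is a placeholder for the realm name.

```csharp
// Added example, not the video's code. Assumptions: Compose service "keycloak"
// on port 8080 inside the Docker network, published as localhost:18080 on the
// host; "<realm>" is a placeholder for the realm name.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Docker's embedded DNS resolves the service name "keycloak"; "localhost"
        // inside the API container is the API itself, so the metadata (and the
        // JWKS signing keys it points to) would never load and every token would
        // be rejected with "The signature key was not found".
        options.MetadataAddress =
            "http://keycloak:8080/realms/<realm>/.well-known/openid-configuration";

        // Plain HTTP is acceptable only on the private Docker network in dev.
        options.RequireHttpsMetadata = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Tokens were requested through the published port, so their 'iss'
            // is the host-side URL rather than http://keycloak:8080. Pin it;
            // otherwise only the issuer advertised by the internal metadata
            // endpoint is accepted and issuer validation fails.
            ValidIssuer = "http://localhost:18080/realms/<realm>",
            ValidateIssuer = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            // Keycloak sets 'aud' to "account" unless an audience mapper is
            // configured; enable this with ValidAudience = client id once it is.
            ValidateAudience = false
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// The /me endpoint from the thread: echoes the validated claims.
app.MapGet("/me", (ClaimsPrincipal user) =>
        user.Claims.Select(c => new { c.Type, c.Value }))
   .RequireAuthorization();

app.Run();
```

A quick check from inside the API container (for example `curl` against the MetadataAddress URL) confirms the metadata is reachable before blaming the token itself.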
Thank you for the amazing video. Would you prefer to use Keycloak or Microsoft Identity Server, where you use the user manager, role manager, etc.? Thank you.
I mostly use Keycloak. I always had to "fight" with Identity to get it to do what I want.
Can you create video how would auth work in microservices architecture?
Yes. It'll be very similar to this, with just copying the auth config in a few services.
@MilanJovanovicTech That would be great
Just wanted clarification on authentication: if I had multiple microservices each offering different API calls, how would I use authentication to make sure that all the API calls have valid authentication/authorization? Would I use the proxy approach? Just a little confused.
Typically yes, you'd have a proxy/gateway in front of all your services
Great! Thanks! What about a passwordless approach, could we implement some SMS code verification with Keycloak?
Yes we can, adding that to the list
Do part 2, where you create an SPA that sends a request to the API
Please
Sure, sure
12:56: you said "let's navigate to the Swagger UI" when navigating to the Jaeger UI
14:16: you said "let's open up Swagger" when opening Postman
You see Swagger everywhere 🤣
Ok ok get out of here 😂
I'm not sure the essence of this is for a user to be redirected to Keycloak to register or sign up. There has to be a way an API authenticates with Keycloak and returns a token. It's a poor user experience to have an app that authenticates on another interface (Keycloak).
You can customize the login screen to make it look identical to your website. If not - you can implement the OAuth flow yourself
@MilanJovanovicTech Alright. Please try to cover this part in another Keycloak video. It's indeed very robust.
OK, this might be slightly OT, but I've noticed something: in every tutorial where PostgreSQL is involved, it spins up its own Postgres container, which is fine if you have only one application running on a host, but what happens if you have 10? Now all of a sudden you are running 10 instances of PostgreSQL. I might be stupid, but doesn't this chew up a significant amount of RAM? Wouldn't it be better to have a common PostgreSQL container for all apps, where each app has its own DB and PostgreSQL user?
This is much simpler for demos
Why no confidential client?
We could use it, but we're still exposing the secret on the UI
Posting before finishing the video; I have been stuck on it for 3 months.
Do you have it figured out now?
@MilanJovanovicTech Not yet. I'm trying to configure a .NET Core back end and an Angular front end, but the errors are confusing.
Is it possible to integrate Swagger into YARP?
Yes, but it's a bit tricky. You should be able to configure Swagger UI to fetch the OpenAPI descriptions from the downstream APIs.
How to get this source of video?
Currently, all code is shared here: www.patreon.com/milanjovanovic
Hi Milan, I am developing an application using Keycloak and Spring Boot. I have implemented OTP login and Google Sign-In, but there is an issue. If a user has previously logged in with OTP and then tries to log in with Google using the same email, I get a "user already exists" error (federated identity account exists). In this case, I want the accounts to be merged. In other words, the user should be able to log in using both OTP and Google Sign-In with the same email. Could you help me with this?
Damn, that is a great question. I don't have an answer right now, but let's see if I can dig up some docs.
Where to find Keycloak.Auth.Api.Extentions?
NuGet
@MilanJovanovicTech I did not find it
It's a very nice tutorial! Thank you! Can you please share your code as well?
Code is here: www.patreon.com/milanjovanovic
Nice 👍. Can you make videos on Keycloak two-factor authentication via email and SMS? I was working on it and it required custom providers in Java for this functionality, and I was not able to complete that.
As soon as possible!
Requesting RBAC using Keycloak
On my list
I'm sorry, but it doesn't work. Error when trying to log in: Bearer error="invalid_token", error_description="The signature key was not found"
You must've done something different
Anton, how did you fix it? :)
I'm getting tired of this thing already. I'd be glad if you could give me a hint :)
Yeah I got the same
@goodgod17 Have you managed to fix the issue?
Repo?
This code is Patreon-only
Had an issue where the JWT did not get returned correctly to the .NET authentication system. Something about a mismatch in models in the Token / JsonWebToken namespaces. I had to assign SignatureValidator in the TokenValidationParameters to return a new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken from the encoded JWT parameter passed to that SignatureValidator delegate. Don't know why this happened; I followed your solution step by step.
That's quite unique 🤔