Adrian Hall

PM/Architect at Microsoft Developer Division. All opinions expressed are my own and may not reflect my employer.

4 minute read

In my last article, I introduced the Keycloak identity service and showed how the development version can be easily integrated into a project. Development services get you started quickly and allow you to defer the details until later on. At some point, however, you need to take control of your service and start working towards production. There are a number of things that the development version of the Keycloak identity service doesn’t do that you need in production. These include SSL/TLS support, database storage, and proper configuration of the flows.

In short, you need to be able to customize the identity service in code.

Fortunately, Keycloak has many options for configuring the identity service via the container. You do need to build a new version of the container to do this. In this article, I’m going to show you how you can go from the original use of Keycloak to a custom container that you control.

Using a custom Dockerfile

Aspire (and most other complex applications) rely on extension methods to hide the details of how a service is configured, allowing you to concentrate on what it is actually providing for you. Keycloak is no different. Let’s take the code I introduced in the last article:

var keycloak = builder
  .AddKeycloakContainer("keycloak")
  .WithDataVolume()
  .WithImport("./KeycloakConfiguration/Test-realm.json")
  .WithImport("./KeycloakConfiguration/Test-users-0.json");

var realm = keycloak.AddRealm("Test");

This code is in the Program.cs file of the AppHost project and sets up the Keycloak container for you. You can write a custom Dockerfile and use it to build a new version of the service from that Dockerfile. For example, the Keycloak documentation contains a guide for running as a container with an example Dockerfile. I placed a similar Dockerfile within the ./KeycloakConfiguration directory:

FROM quay.io/keycloak/keycloak:latest AS builder

# Enable health and metrics support
ENV KC_HEALTH_ENABLED=true
ENV KC_METRICS_ENABLED=true

WORKDIR /opt/keycloak

# for demonstration purposes only, please make sure to use proper certificates in production instead
RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 \
	-dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
	-keystore conf/server.keystore

RUN /opt/keycloak/bin/kc.sh build

FROM quay.io/keycloak/keycloak:latest
COPY --from=builder /opt/keycloak/ /opt/keycloak/

ENV KC_HOSTNAME=localhost

ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]

The Aspire hosting model uses Keycloak v24.0.3. The version is embedded in the image tag that is used to download the container. This Dockerfile uses the latest tag, which is v25.0.6. Now that I have the Dockerfile, I need to update the resource definition in Program.cs:

var keycloak = builder
    .AddKeycloakContainer("keycloak")
    .WithDockerfile("./KeycloakConfiguration", "Dockerfile")
    .WithDataVolume()
    .WithImport("./KeycloakConfiguration/Test-realm.json")
    .WithImport("./KeycloakConfiguration/Test-users-0.json");

When you run this, you can see the container image being built. When you log into the console, check the Server info tab to see the version.

Adding a HTTPS endpoint

Let’s start providing remedies for the list of deficiencies that I mentioned in my last article. First up, I wanted to ensure logins were handled via a secure HTTPS request. The following line in the Dockerfile is of interest:

RUN keytool -genkeypair -storepass password -storetype PKCS12 -keyalg RSA -keysize 2048 \
	-dname "CN=server" -alias server -ext "SAN:c=DNS:localhost,IP:127.0.0.1" \
	-keystore conf/server.keystore

This creates a certificate for development purposes and allows us to expose the HTTPS endpoint. This is another update to the definition:

var keycloak = builder
    .AddKeycloakContainer("keycloak")
    .WithDockerfile("./KeycloakConfiguration", "Dockerfile")
    .WithHttpsEndpoint(port: 8443, targetPort: 8443, name: "https")
    .WithDataVolume()
    .WithImport("./KeycloakConfiguration/Test-realm.json")
    .WithImport("./KeycloakConfiguration/Test-users-0.json");

When you start the service back up, you will note that the additional endpoint has been added. Unfortunately, there isn’t a way of disabling the HTTP port unless you unwind the extension method for .AddKeycloakContainer() which I don’t recommend.

You will want to get a certificate from somewhere like Let’s Encrypt. You can read about the process here. Ideally, you would be storing the certificate in Azure Key Vault. However, the setup for this is beyond this article and involves additional changes to the Dockerfile.

Updating the test realm

As part of the definition, I’ve included a test realm that is minimally configured. This also allows me to define a new realm. Log onto the Keycloak service, then use the drop-down in the left hand menu and select Create realm. You’ll need to give it a name, then click on Create. At this point, you can configure the realm in any way that you want. Some things to do:

  • Configure all the Realm settings. The Login tab allows you to set up user registration, forgotton password flows, and email confirmation settings.
  • Configure the Identity providers to add support for social media providers like Facebook, Google, LinkedIn, and Microsoft accounts.
  • Create your Clients.

You can use this in conjunction with your app development to make sure things work once the work is done. When you are happy with your configuration, you can export your definition.

  • Go to Realm settings.
  • In the top right corner, use the Action pull-down to select Partial export.
  • Choose what you want to export (likely everything), then select Export.

The file realm-export.json is generated. This can be used in place of Test-realm.json with the .WithImport() method. You can (and should) remove the Test-users-0.json import when running in production. You can use builder.ExecutionContext.IsRunMode for this.

if (builder.ExecutionContext.IsRunMode)
{
    keycloak.WithImport("./KeycloakConfiguration/Test-users-0.json");
}

Final thoughts

I’ve covered most of my concerns with the development version of the Keycloak server. I’ve got two concerns left to deal with:

  • Storing the identity data in a SQL database like PostgreSQL.
  • Adding a theme so that the web forms look like a part of the application.

Aside from these topics, you should be able to configure the Keycloak service for your application and integrate it fully into your application using the documentation from Keycloak itself together with a solid understanding of OAuth2.0 and OIDC principals. Some of this is relatively complex, so I’ll cover the remaining topics at a later date.

It also looks like the Keycloak hosting model for Aspire is going to become an official part of Aspire soon. You can check out the code here

Further reading

Leave a comment

You may also enjoy

Customizing Keycloak with Aspire - Part 3

7 minute read

This is the last article in a trio of articles about incorporating Keycloak into .NET Aspire applications. Thus far, I’ve covered the basics and some common customizations. This part covers what you need to do if you want to store the identity information within a PostgreSQL database. I’ve chosen PostgreSQL for this because it seems to be the database of choice for Aspire when you want to ru...

Integrating Keycloak with Aspire - Part 1

8 minute read

In my series on ASP.NET Identity, I mentioned (several times) that you should be using Keycloak, Auth0, Corbado, or another identity service instead of rolling your own. That’s all good, but I left it up to you to figure out exactly how to do that. I thought it would be a good idea to configure an Aspire project from the beginning and show how authentication and authorization with a service w...

Local development for the cloud: Transitioning to .NET Aspire

13 minute read

I’ve been working on a new project recently. It requires that I work with microservices and containers as it will eventually be runnable on either Kubernetes or (more likely) Azure Container Apps. My latest bit is to get ASP.NET identity working with PostgreSQL. And here lies a problem. In order to properly debug the code, I need the ASP.NET bits to be running locally. But to integrate wit...

Build a Blog: Deploy Azure Infrastructure three ways

14 minute read

For most developers, dealing with the infrastructure part of the job is hard. I like to say “give me a database and a web site” and prefer not to get into the other requirements. My web sites and other cloud projects (including this one) are pretty open. So, what’s the minimum I need to know to deploy stuff on Azure? This post is part of a sequence showing how to deploy a blog on Azure Sta...