This project is an implementation of OAuth 2.0 and OpenID Connect client protocol with PKCE (Proof Key for Code Exchange) using ASP.NET Core. The primary goal is to deepen understanding of the protocol by implementing it from scratch without using dedicated OAuth libraries. This approach enhances troubleshooting skills and aids in grasping when and how the protocol can be securely used in production environments.
- OAuth 2.0 Authorization Code Flow with PKCE: the browser only ever receives a short-lived authorization code; the server exchanges that code, together with the PKCE code verifier, for access, refresh, and ID tokens.
- Dynamic Configuration: Keycloak endpoints are read from appsettings.json, so the authorization server can be changed without touching code.
- Token Validation: the ID token is verified to ensure the authenticity and integrity of the tokens received from the authorization server.
- .NET 8.0 MVC: Used for server-side handling of the OAuth flow and user sessions.
- Keycloak: As the OpenID Connect provider to authenticate and authorize users.
- Docker: For running the Keycloak server locally.
- C#: Main programming language.
- .NET SDK
- Docker
- Any IDE that supports .NET development (e.g., Visual Studio, VS Code)
- Start Keycloak using Docker:
docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:21.1.0 start-dev
- Access the Keycloak admin console at http://localhost:8080/admin/ and log in using the admin credentials.
- Under “Clients” in the sidebar, click “Create Client”.
- Set Client Type to "OpenID Connect" and fill in the necessary details like Client ID.
- Ensure that “Client authentication” is enabled; this makes the client confidential, and Keycloak issues a client secret that the application must present at the token endpoint.
- Add valid redirect URIs (e.g., http://localhost:5000/callback).
- From the terminal or command prompt, navigate to the project directory and run:
dotnet run
- Open a web browser and navigate to http://localhost:5000/ to access the application.
- Click on the login link to authenticate using Keycloak.
- After authentication, the user is redirected back to the application where the tokens are exchanged, and user information is fetched and displayed.
- All communication with the Keycloak server should be over HTTPS in production environments.
- Store sensitive information such as client secrets securely using environment variables or secure vault solutions.
- Detailed API documentation for Keycloak can be found here.
- For more information on implementing OAuth 2.0 and OpenID Connect, refer to the official OAuth 2.0 documentation.
Contributions to this project are welcome. Please fork the repository, make your changes, and submit a pull request.
This project is open-source and available under the MIT License.