
.NET Core 2.1 Linux Keycloak integration\authentication (OpenID Connect + SSSD)

I am kinda lost now. I want to implement centralised user management here, and we have a .NET Core 2.1 Web MVC app hosted on Linux which uses Identity.EntityFrameworkCore to store users' information. Also we have FreeIPA for user management, which is basically Kerberos authentication on an LDAP directory.

As it's deployed on Linux I can't use WindowsAuthentication to use Kerberos, and also there is no standard way to use LDAP without the Windows Compatibility Pack. The only way that is left is to use a third-party library, but unfortunately I'm really new to .NET Core and C#, so here's what I'm trying to do:

  1. Store user information (roles\claims\credentials) inside LDAP to implement centralised user management (now using database tables)
  2. I want to implement SSO. This is possible via Kerberos Negotiate authentication, but right now I can't find a way to use this on Linux. It's also possible with app -> redirect to Keycloak -> Kerberos -> OpenID Connect -> app, but I'd be glad to find a solution with Kerberos

Well, I found a bunch of third-party libraries like this, this and the whole bunch of THIS, and they all look promising, but I didn't find any with enough documentation or examples to use with .NET Core Identity.

As I said, I'm a complete newbie in C# and .NET overall, and I unfortunately don't have an idea about either which of these libraries is better or whether there is any straightforward way to use them to store and authenticate users.

PS: I know this question is dumb, but for learning purposes I had to ask one. Any help with this would be appreciated!

Well, looks like I mostly found the answer, but it has some caveats anyway. I used the Keycloak OpenID Connect setup with SSSD federation, because LDAP is the wrong approach for my goals anyway. More about that setup you can read here. I faced some stupid moments over there, most of them are predicted and bypassed in this guide, but that's more of a FreeIPA + Keycloak thread. Last Keycloak thing that should be noted: I had to add and allow an HBAC "keycloak" service to make it work, because otherwise my SSSD authentication was denied. Going forward to the .NET Core part: my app is 2.1, and my setup looks like this:

I added the following into Startup.cs dependencies:

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using System.IdentityModel.Tokens;
```

Next, I added the configuration to appsettings.json:

```json
"Oidc": {
    "ClientId": "<your client id here>",
    "ClientSecret": "<your secret here>",
    "Authority": "https://<ip:port of keycloak https>/auth/realms/<realm name>",
    "ResponseType": "code"
}
```

Okay, heading to the configuration itself:

```csharp
services.AddAuthentication(options =>
{
    // Sign-in state lives in the cookie; unauthenticated requests are challenged via OIDC.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie("Cookies")
.AddOpenIdConnect(options =>
{
    options.ClientId = Configuration["Oidc:ClientId"];
    options.ClientSecret = Configuration["Oidc:ClientSecret"];
    options.Authority = Configuration["Oidc:Authority"];
    options.SaveTokens = true;                      // keep id/access/refresh tokens in the auth cookie
    options.GetClaimsFromUserInfoEndpoint = true;   // pull extra claims from Keycloak's userinfo endpoint
    options.ResponseType = Configuration["Oidc:ResponseType"];
    options.Scope.Add("claims");
    options.ClaimActions.Clear();
    // Map the "roles" key of the userinfo response to a "roles" claim on the principal
    options.ClaimActions.MapUniqueJsonKey("roles", "roles");
});
```

I hope this short answer will help someone to set up FreeIPA+Keycloak and connect it to .NET Core, because I killed a week for this :D.
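The answer above maps the userinfo "roles" key to a claim named "roles", but ASP.NET Core's `[Authorize(Roles = "...")]` checks the identity's role claim type, which is not "roles" by default. The following Startup.cs is an added example (not the answer's own code) showing how to turn that array into real role claims and where the middleware has to sit. It assumes, like the answer does, that a Keycloak protocol mapper emits a flat "roles" array in the userinfo response, and that the "Oidc" section from appsettings.json above exists; the `AdminController` and the "admin" role name are hypothetical.

```csharp
// Added example for ASP.NET Core 2.1 (not the original answer's code).
// Assumptions: Keycloak returns a flat "roles" JSON array from the userinfo endpoint,
// appsettings.json contains the "Oidc" section, and an "admin" realm role exists.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using Newtonsoft.Json.Linq;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.ClientId = Configuration["Oidc:ClientId"];
            options.ClientSecret = Configuration["Oidc:ClientSecret"];
            options.Authority = Configuration["Oidc:Authority"];
            options.ResponseType = Configuration["Oidc:ResponseType"]; // "code"
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.RequireHttpsMetadata = true; // keep the default: fetch discovery/JWKS over HTTPS only

            // Tell the identity which claim types carry the user name and the roles,
            // so User.Identity.Name and [Authorize(Roles = ...)] work without extra code.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "preferred_username",
                RoleClaimType = ClaimTypes.Role,
            };
            options.ClaimActions.MapUniqueJsonKey("preferred_username", "preferred_username");

            // MapUniqueJsonKey copies a single value; the "roles" key is an array,
            // so expand it into one ClaimTypes.Role claim per element here.
            options.Events.OnUserInformationReceived = ctx =>
            {
                var identity = (ClaimsIdentity)ctx.Principal.Identity;
                if (ctx.User["roles"] is JArray roles)
                {
                    identity.AddClaims(roles
                        .Select(r => r.ToString())
                        .Where(r => !string.IsNullOrWhiteSpace(r))
                        .Select(r => new Claim(ClaimTypes.Role, r, ClaimValueTypes.String, ctx.Options.Authority)));
                }
                return Task.CompletedTask;
            };
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC, otherwise [Authorize] never sees the cookie principal.
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

// Only users whose Keycloak "roles" array contains "admin" reach this controller;
// anonymous users are redirected to Keycloak, signed-in users without the role get 403.
[Authorize(Roles = "admin")]
public class AdminController : Controller
{
    public IActionResult Index() => Content($"Hello {User.Identity.Name}");
}
```

Two points worth checking in your own setup: the default Keycloak tokens nest realm roles under `realm_access.roles`, so a flat "roles" key only appears if a protocol mapper puts it there (which the answer's `MapUniqueJsonKey("roles", "roles")` already relies on); and leaving `RequireHttpsMetadata` at its default of `true` is what keeps the discovery document and signing keys from being fetched over plain HTTP.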
