I have a .NET application that uses Keycloak for login. When I deploy the app to production and have configured a "user client roles" protocol mapper for the client in the Keycloak admin console, I get a 502 Bad Gateway:
Firstly, here is my source code:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;
using System.Net.Http;
using System;
using App;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using System.Security.Claims;
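var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

// Scheme/cookie names are declared once so the cookie handler, the OIDC
// sign-in scheme and the logout endpoint cannot drift apart.
const string OidcScheme = "oidc";
const string SessionCookieName = ".AspNetCore.Cookies";

builder.Services.AddAuthentication(options =>
{
    // The browser session lives in a cookie; an unauthenticated request is
    // challenged by redirecting to Keycloak.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OidcScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.Cookie.Name = SessionCookieName;
    // SecurePolicy.Always means the browser only ever sends this cookie over
    // https. A production host served over plain http (e.g. behind a TLS
    // proxy without forwarded headers) will therefore never see a logged-in
    // user.
    // NOTE(review): SameSite=Lax is sufficient for the session cookie and
    // limits CSRF exposure; only the OIDC nonce/correlation cookies need
    // None for the cross-site callback — confirm nothing embeds this app
    // cross-site before tightening.
    options.Cookie.SameSite = SameSiteMode.None;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(15);
    options.SlidingExpiration = true;
    // NOTE(review): every claim from the ID token and the userinfo endpoint
    // is serialised into this cookie. A role mapper that emits many roles
    // can grow it past a reverse proxy's header-size limit, which usually
    // surfaces as a 502 from the proxy rather than an error from the app.
    // If that is the case, keep the ticket server-side (SessionStore /
    // ITicketStore) instead of in the cookie — TODO confirm.
})
.AddOpenIdConnect(OidcScheme, options =>
{
    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.Authority = "https://sts.govcloud.dk/auth/realms/sik";
    options.MetadataAddress = "https://sts.govcloud.dk/auth/realms/sik/.well-known/openid-configuration";
    options.ClientId = "keycloak-app";
    // Always show the Keycloak login page, even when an SSO session exists.
    options.Prompt = "login";
    // Authorization-code flow; the code is redeemed server-side.
    options.ResponseType = OpenIdConnectResponseType.Code;
    // Refuse to load discovery metadata over plain http.
    options.RequireHttpsMetadata = true;
    options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("email");
    // NOTE(review): nothing here maps the claim produced by the Keycloak
    // role mapper onto ClaimTypes.Role, which the policies below require.
    // Unless the mapper's claim name is already treated as a role by the
    // handler, set TokenValidationParameters.RoleClaimType to that name —
    // confirm against an actual token.
});

builder.Services.AddAuthorization(options =>
{
    // "users": either role is acceptable. The check is restricted to role
    // claims; the previous value-only match (any claim whose value is
    // "user"/"admin") would also be satisfied by e.g. a username or given
    // name of "admin".
    options.AddPolicy("users", policy =>
        policy.RequireClaim(ClaimTypes.Role, "user", "admin"));

    // "admins": exactly one role.
    options.AddPolicy("admins", policy =>
        policy.RequireClaim(ClaimTypes.Role, "admin"));

    // "noaccess": a role nobody is granted, to demonstrate a 403.
    options.AddPolicy("noaccess", policy =>
        policy.RequireClaim(ClaimTypes.Role, "noaccess"));
});

var app = builder.Build();

// NOTE(review): if production terminates TLS at a reverse proxy and forwards
// plain http, UseForwardedHeaders() is needed before authentication; without
// it the OIDC redirect_uri is built as http:// and UseHttpsRedirection can
// loop through the proxy — confirm the deployment topology.
app.UseAuthentication();
app.UseMiddleware<SwaggerOAuthMiddleware>();
app.UseSwagger();
app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "SecureSwagger v1"));
app.UseStaticFiles();
app.UseHttpsRedirection();

// Root just forwards to the Swagger UI.
app.MapGet("/", (HttpContext context) => context.Response.Redirect("/swagger"));

// Ends the local cookie session and then sends the browser to Keycloak's
// end-session endpoint so the SSO session is terminated as well.
app.MapGet("/logout", async (HttpContext context) =>
{
    var isProduction = builder.Environment.EnvironmentName == "Production";
    var redirectUri = isProduction
        ? "http://keycloak-example-development.sik.govcloud.dk/"
        : "https://localhost:52511/";
    var issuerUrl = builder.Configuration.GetSection("Keycloak")["ServerRealm"];

    if (context.User.Identity?.IsAuthenticated == true)
    {
        // Signs out of the default (cookie) scheme.
        await context.SignOutAsync();
        context.Response.Cookies.Delete(SessionCookieName);
    }

    if (string.IsNullOrEmpty(issuerUrl))
    {
        // Without Keycloak:ServerRealm the end-session URL cannot be built;
        // go to the root instead of emitting a relative, broken redirect.
        context.Response.Redirect("/");
        return;
    }

    // redirect_uri is a full URL inside a query string and must be encoded.
    // NOTE(review): newer Keycloak releases deprecate redirect_uri in favour
    // of post_logout_redirect_uri together with id_token_hint — confirm the
    // server version in use.
    context.Response.Redirect(
        $"{issuerUrl}/protocol/openid-connect/logout?redirect_uri={Uri.EscapeDataString(redirectUri)}");
});

app.UseRouting();
app.UseAuthorization();
app.MapControllers();

// Anything unmatched goes back to the root (and from there to Swagger).
app.MapFallback(context =>
{
    context.Response.Redirect("/");
    return Task.CompletedTask;
});

app.Run();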
I really don't understand what is wrong
something to note:
The development environment uses HTTPS; in production the application is served over plain HTTP.