Prerequisite

1. Installation of Keycloak and set up the database and admin. Visit here.

2. ASP .NET Core MVC App. GitHub Link to MVC App

   • .NET SDK (6/7/8) installed (For this walkthrough version is 6.0.400)

   • Code Editor - VS Code

   • Basic knowledge of ASP.NET Core MVC

   • Basic understanding of authentication and authorization

Why Keycloak?

• Open-source identity and access management tool.

• Supports SSO, OIDC, OAuth2, SAML.

• Manages users, roles, and permissions.

• Useful in microservices and enterprise setups.

Keycloak configuration

• Creating a realm

• Adding a client for your ASP.NET app

Here we have current realm as myrealm.

Go to Clients>Create Client

In Capability config, turn on the client authentication. This is very important because it creates a secret key which we need to integrate later in our app.

Follow for the Root URL, Valid redirect URIs and logout ridirect URIs. Note your .NET application might be run in different port.

After that go to the list of clients and click the newly generated client. We are interested in credentials tab.

This is the Client Secret we need later.

Configuring ASP.NET Core MVC App

Please install all the necessary packages from the NuGet package installer.

Integrate the OIDC middleware.

In program.cs file

In appsettings.json file, add the following code. Note: Please careful with your realms name, client secret and client ID.

In HomeController.cs → Here we need to go through the keycloak to view the secure page.

• Our app outsources login to Keycloak.

• Users don't type passwords into our app — only into Keycloak.

• Once logged in, they can access protected pages in your app.

This is the secure view

In AccountController.cs → For login and logout action.

In Index.cshtml

In _Layout.cshtml

Then start the keycloak server.

sudo ./bin/kc.sh start-dev

Start the .NET Application.

dotnet run

Here we can see the demo that the user John Cena tries to log in and he redirects to the Keycloak login page and once authenticated successfully he is able to see the secure page output.

Set up TLS using OpenSSL

Let’s walk through how to set up TLS using OpenSSL for your Keycloak server on localhost. This will give you a self-signed TLS certificate so Keycloak can run securely over https://localhost, which is essential for modern browser security and proper SSO functionality.

Create a necessary folder and files.

sudo openssl req -newkey rsa:2048 -keyout /keycloak/keycloak-26.3.3/conf/certs/keycloak.key -out /keycloak/keycloak-26.3.3/conf/certs/keycloak.csr

sudo openssl x509 -req -in /keycloak/keycloak-26.3.3/conf/certs/keycloak.csr -signkey /keycloak/keycloak-26.3.3/conf/certs/keycloak.key -out /keycloak/keycloak-26.3.3/conf/certs/keycloak_decrypted.crt

Certificate and key has been created and can be seen with ls command.

After this open the keycloak.conf file and add these text and save it.

http-port=8080
https-port=8443
https-certificate-file=./conf/certs/keycloak.crt 
https-certificate-key-file=./conf/certs/keycloak_decrypted.key 
proxy-address-forwarding=true

Note: Make sure run the server with the sudo command as it uses the encrypted key.

sudo ./bin/kc.sh start-dev

Demo with http:// and https://

Securing Secrets with Vault

Hardcoding secrets is dangerous. Vault allows you to securely manage and access secrets like private keys or client secrets for Keycloak, especially in production environments.

First Install vault CLI

vault server -dev
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="YOUR_GENERATED_TOKEN"

vault kv put secret/database password="demo123"
vault kv get sectret/database

This starts vault in dev mode http://127.0.0.1:8200. It Will print a root token in the console, save it – you will need it to authenticate.

With Vault, you can:

• Store TLS private keys, DB passwords, and admin credentials securely

• Fetch secrets at runtime via an entrypoint script or external tool

• Avoid hardcoding secrets in keycloak.conf or Docker images

• Rotate secrets without redeploying Keycloak