Add KeycloakWebAppAuthenticationBuilder

src/Keycloak.AuthServices.Authentication/Keycloak.AuthServices.Authentication.csproj

@@ -5,17 +5,17 @@
   </PropertyGroup>
 
   <PropertyGroup Label="Package">
-    <Product>Keycloak.AuthServices.Authorization</Product>
-    <Description>OICD + JWT Authentication provider. JWT Bearer Authentication for Keycloak</Description>
+    <Product>Keycloak.AuthServices.Authentication</Product>
+    <Description>OICD Authentication; JWT Bearer Authentication for Keycloak</Description>
     <PackageTags>Keycloak;Authentication;Authrorization;authserver;JWT;OICD;jwt-authentication</PackageTags>
   </PropertyGroup>
 
   <ItemGroup>
     <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" />
     <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
+    <PackageReference Include="Microsoft.Extensions.Configuration.Json" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect"/>
-    <PackageReference Include="Microsoft.Extensions.Configuration.Json" />
   </ItemGroup>
 
   <ItemGroup>

src/Keycloak.AuthServices.Authentication/KeycloakAuthenticationOptions.cs

@@ -8,7 +8,22 @@
 public class KeycloakAuthenticationOptions : KeycloakInstallationOptions
 {
     /// <summary>
-    /// Default section name
+    /// Default section name.
     /// </summary>
     public const string Section = ConfigurationConstants.ConfigurationPrefix;
+
+    /// <summary>
+    /// Gets or sets the audience for the authentication. Takes priority over Resource
+    /// </summary>
+    public string? Audience { get; set; }
+
+    /// <summary>
+    /// Gets or sets the claim type used for roles.
+    /// </summary>
+    public string RoleClaimType { get; set; } = "role";
+
+    /// <summary>
+    /// Gets or sets the claim type used for the name.
+    /// </summary>
+    public string NameClaimType { get; set; } = "preferred_username";
 }

src/Keycloak.AuthServices.Authentication/WebApiExtensions/KeycloakWebApiAuthenticationBuilderExtensions.cs

@@ -4,6 +4,8 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
 
 /// <summary>
 /// Extensions for <see cref="AuthenticationBuilder"/> for startup initialization of web APIs.
@@ -18,8 +20,6 @@ public static class KeycloakWebApiAuthenticationBuilderExtensions
     /// <param name="configuration">The configuration instance.</param>
     /// <param name="configSectionName">The configuration section with the necessary settings to initialize authentication options.</param>
     /// <param name="jwtBearerScheme">The JWT bearer scheme name to be used. By default it uses "Bearer".</param>
-    /// Set to true if you want to debug, or just understand the JWT bearer events.
-    /// </param>
     /// <returns>The authentication builder to chain.</returns>
     public static KeycloakWebApiAuthenticationBuilder AddKeycloakWebApi(
         this AuthenticationBuilder builder,
@@ -37,14 +37,12 @@ public static KeycloakWebApiAuthenticationBuilder AddKeycloakWebApi(
     }
 
     /// <summary>
-    /// Protects the web API with Microsoft identity platform (formerly Azure AD v2.0).
+    /// Protects the web API with Keycloak
     /// This method expects the configuration file will have a section, named "AzureAd" as default, with the necessary settings to initialize authentication options.
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
     /// <param name="configurationSection">The configuration second from which to fill-in the options.</param>
     /// <param name="jwtBearerScheme">The JWT bearer scheme name to be used. By default it uses "Bearer".</param>
-    /// Set to true if you want to debug, or just understand the JWT bearer events.
-    /// </param>
     /// <returns>The authentication builder to chain.</returns>
     public static KeycloakWebApiAuthenticationBuilder AddKeycloakWebApi(
         this AuthenticationBuilder builder,
@@ -71,13 +69,12 @@ public static KeycloakWebApiAuthenticationBuilder AddKeycloakWebApi(
     }
 
     /// <summary>
-    /// Protects the web API with Microsoft identity platform (formerly Azure AD v2.0).
+    /// Protects the web API with Keycloak
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
     /// <param name="configureJwtBearerOptions">The action to configure <see cref="JwtBearerOptions"/>.</param>
     /// <param name="configureKeycloakOptions">The action to configure the <see cref="KeycloakAuthenticationOptions"/>.</param>
     /// <param name="jwtBearerScheme">The JWT bearer scheme name to be used. By default it uses "Bearer".</param>
-    /// Set to true if you want to debug, or just understand the JWT bearer events.</param>
     /// <returns>The authentication builder to chain.</returns>
     public static KeycloakWebApiAuthenticationBuilder AddKeycloakWebApi(
         this AuthenticationBuilder builder,
@@ -107,8 +104,45 @@ private static void AddKeycloakWebApiImplementation(
         string jwtBearerScheme
     )
     {
-        // TODO: add merging logic
+        builder.AddJwtBearer(jwtBearerScheme, _ => { });
+
+        builder
+            .Services.AddOptions<JwtBearerOptions>(jwtBearerScheme)
+            .Configure<IServiceProvider, IOptionsMonitor<KeycloakAuthenticationOptions>>(
+                (options, serviceProvider, keycloakOptionsMonitor) =>
+                {
+                    var keycloakOptions = keycloakOptionsMonitor.Get(jwtBearerScheme);
+
+                    // Ensure a well-formed authority was provided
+                    if (!string.IsNullOrWhiteSpace(keycloakOptions.KeycloakUrlRealm))
+                    {
+                        options.Authority = keycloakOptions.KeycloakUrlRealm;
+                    }
+
+                    var sslRequired =
+                        string.IsNullOrWhiteSpace(keycloakOptions.SslRequired)
+                        || keycloakOptions.SslRequired.Equals(
+                            "external",
+                            StringComparison.OrdinalIgnoreCase
+                        );
+                    options.RequireHttpsMetadata = sslRequired;
+
+                    var validationParameters = new TokenValidationParameters
+                    {
+                        ClockSkew = keycloakOptions.TokenClockSkew,
+                        ValidateAudience = keycloakOptions.VerifyTokenAudience ?? true,
+                        ValidateIssuer = true,
+                        NameClaimType = keycloakOptions.NameClaimType,
+                        RoleClaimType = keycloakOptions.RoleClaimType,
+                    };
+                    options.Audience = keycloakOptions.Audience ?? keycloakOptions.Resource;
+                    options.TokenValidationParameters = validationParameters;
+                    options.SaveToken = true;
+
+                    options.Events ??= new JwtBearerEvents();
 
-        builder.AddJwtBearer(jwtBearerScheme, configureJwtBearerOptions);
+                    configureJwtBearerOptions?.Invoke(options);
+                }
+            );
     }
 }

src/Keycloak.AuthServices.Authentication/WebAppExtensions/KeycloakWebAppAuthenticationBuilderExtensions.cs

@@ -51,7 +51,7 @@ public static KeycloakWebAppAuthenticationBuilder AddKeycloakWebApp(
     }
 
     /// <summary>
-    /// Add authentication with Microsoft identity platform.
+    /// Add authentication with Keycloak
     /// This method expects the configuration file will have a section, named "AzureAd" as default, with the necessary settings to initialize authentication options.
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
@@ -82,7 +82,7 @@ public static KeycloakWebAppAuthenticationBuilder AddKeycloakWebApp(
     }
 
     /// <summary>
-    /// Add authentication with Microsoft identity platform.
+    /// Add authentication with Keycloak
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
     /// <param name="configureKeycloakOptions">The action to configure <see cref="KeycloakAuthenticationOptions"/>.</param>
@@ -112,7 +112,7 @@ public static KeycloakWebAppAuthenticationBuilder AddKeycloakWebApp(
     }
 
     /// <summary>
-    /// Add authentication with Microsoft identity platform.
+    /// Add authentication with Keycloak
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
     /// <param name="configureKeycloakOptions">The action to configure <see cref="KeycloakAuthenticationOptions"/>.</param>
@@ -150,7 +150,7 @@ IConfigurationSection configurationSection
     }
 
     /// <summary>
-    /// Add authentication with Microsoft identity platform.
+    /// Add authentication with Keycloak
     /// </summary>
     /// <param name="builder">The <see cref="AuthenticationBuilder"/> to which to add this configuration.</param>
     /// <param name="configureKeycloakOptions">The action to configure <see cref="KeycloakAuthenticationOptions"/>.</param>
@@ -201,13 +201,12 @@ private static void AddKeycloakWebAppInternal(
 
         if (!string.IsNullOrEmpty(cookieScheme))
         {
-            Action<CookieAuthenticationOptions> emptyOption = option => { };
-            builder.AddCookie(cookieScheme, configureCookieAuthenticationOptions ?? emptyOption);
+            builder.AddCookie(cookieScheme, configureCookieAuthenticationOptions ?? (_ => { }));
         }
 
         if (!string.IsNullOrEmpty(displayName))
         {
-            builder.AddOpenIdConnect(openIdConnectScheme, displayName: displayName, options => { });
+            builder.AddOpenIdConnect(openIdConnectScheme, displayName: displayName, _ => { });
         }
         else
         {