-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathappsettings.Keycloak.json
53 lines (53 loc) · 3.11 KB
/
appsettings.Keycloak.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
{
// This configuration section is provided for Identity Framework, in order to validate access tokens (JWTs) being passed to it
// from the external Identity Provider (IdP) via the Admin SPA. This lets Identity Framework establish that these JWTs are
// from a trusted source, and valid and untampered with.
//
// This configuration section maps directly onto the "Microsoft.AspNetCore.Authentication.OpenIdConnect" configuration options
// class and its subclasses.
"OpenIdConnectIdentityFramework": {
// This ClientId identifies to the external IdP that the source of users logging in and requesting tokens is the Admin SPA.
"ClientId": "ees-admin-client",
// This Authority value identifies the external IdP as the location from which users will authenticate.
"Authority": "https://ees.local:5031/auth/realms/ees-realm",
"MetadataAddress": "http://ees.local:5030/auth/realms/ees-realm/.well-known/openid-configuration",
"RequireHttpsMetadata": false,
"TokenValidationParameters": {
// Keycloak by default always returns an audience claim of "account".
"ValidAudience": "account",
// This ValidIssuers value identifies the external IdP as the valid issuer of access tokens for the Admin API.
"ValidIssuers": [
"https://ees.local:5031/auth/realms/ees-realm"
]
},
// This is necessary because Keycloak only returns scopes in a "scope" claim but
// Microsoft Identity Web only checks for a "scp" or
// "http://schemas.microsoft.com/identity/claims/scope" Claim to determine the scopes
// that the user has been presented with. See
// MicrosoftIdentityWebApiAuthenticationBuilderExtensions.ChainOnTokenValidatedEventForClaimsValidation().
//
// This does not prevent the Identity Framework from validating that the correct "access-admin-api" scope is
// present on the JWTs being passed in Admin API requests - it simply gives us an opportunity to transfer the "scope"
// Claim from "scope" into "scp" prior to the scope validation from occurring. We do this in
// ClaimsPrincipalTransformationService.TransferUnsupportedClaims().
"AllowWebApiToBeAuthorizedByACL": true
},
// This configuration section is provided to the Admin SPA when it is first loaded, and provides it with details
// as to how to log its users in with the external IdP.
"OpenIdConnectSpaClient": {
"ClientId": "ees-admin-client",
"Authority": "https://ees.local:5031/auth/realms/ees-realm",
"KnownAuthorities": [
"https://ees.local:5031/auth/realms/ees-realm",
"ees.local:5031"
],
"AdminApiScope": "access-admin-api",
"AuthorityMetadata": {
"AuthorizationEndpoint": "https://ees.local:5031/auth/realms/ees-realm/protocol/openid-connect/auth",
"TokenEndpoint": "https://ees.local:5031/auth/realms/ees-realm/protocol/openid-connect/token",
"Issuer": "https://ees.local:5031/auth/realms/ees-realm",
"UserInfoEndpoint": "https://ees.local:5031/auth/realms/ees-realm/protocol/openid-connect/userinfo",
"EndSessionEndpoint": "https://ees.local:5031/auth/realms/ees-realm/protocol/openid-connect/logout"
}
}
}