Start Keycloak Container in HTTPS

[damienbod]

I want to run the Keycloak container using HTTPS, not HTTP

Any ideas how to set this up?

var keycloak = builder.AddKeycloak("keycloak", 8081)
    .WithDataVolume();

[davidfowl]

With lots of pain, generating a certificate, and wiring it up appropriately. @DamianEdwards has a sample https://github.com/dotnet/aspire-samples/blob/b741f5e78a86539bc9ab12cd7f4a5afea7aa54c4/samples/Keycloak/Keycloak.AppHost/KeycloakExtensions.cs#L18

[DamianEdwards]

That sample just reuses the ASP.NET Core dev cert rather than generating another, as it's likely to already be trusted. It exports it to a file using dotnet dev-certs in a deterministic temp location, bind mounts it into the container, and uses the Keycloak container's existing support for supplying an HTTPS cert file path via environment variables to configure it.

[damienbod]

@DamianEdwards Works great thanks

I had to add an extra parameter to fix the port in the WithHttpsEndpoint method.

I can make a PR in the samples if you want

Greetings Damien

[damienbod]

I have one HTTPS problem left. The Keycloak server (inside the container) needs to call the web applications in the host env (backchannel logout). The host.docker.internal is used for this. Do you now if it is possible to configure this to work with HTTPS in .NET Aspire? This will work in production, but dev would be cool as well :)

I am thinking of using ngrok, make a public URL and use this for the backchannel post request, but this is not really practical.

Demo project: https://github.com/damienbod/keycloak-backchannel

Greetings Damien

[damienbod]

@rufer7 Provided this solution which works:

var keycloak = builder.AddKeycloakContainer("keycloak",
            userName: userName, password: password, port: 8080)
    .WithArgs("--features=preview")
    .WithArgs("--spi-connections-http-client-default-disable-trust-manager=true")
    .WithDataVolume()
    .RunWithHttpsDevCertificate(port: 8081);

[rufer7]

Just make sure to only use this setting in local dev env!

For more details about disable-trust-manager setting see here

[LethargicDeveloper]

I've setup the Keycloak container to use HTTPS in Aspire using the following extension method

public static IResourceBuilder<KeycloakResource> WithHttpsEndpointWithCertificate(this IResourceBuilder<KeycloakResource> builder, int port)
{
    builder
        .WithHttpsEndpoint(env: "KC_HTTPS_PORT", port: port, targetPort: 8443)
        .WithEnvironment("KC_HTTPS_CERTIFICATE_FILE", "/certs/cert.pem")
        .WithEnvironment("KC_HTTPS_CERTIFICATE_KEY_FILE", "/certs/key.pem")
        .WithEnvironment("KC_HOSTNAME", "localhost")
        .WithEnvironment("KC_HTTP_ENABLED", "false")
        .WithEnvironment("QUARKUS_HTTP_HTTP2", "false")
        .WithBindMount("../../.cert", "/certs");

    return builder;
}

An HTTPS endpoint shows up in the aspire dashboard and that works. In my api project I've set up keycloak like this:

services.AddKeycloakWebApiAuthentication(
    builder.Configuration,
    auth =>
    {
        auth.Audience = "hypercube";
    });
    
services.AddOpenApiDocument(options =>
{
    options.Title = "Hypercube API";
    options.Version = "v1";
    options.DocumentName = "v1";

    var keycloakOptions = builder.Configuration.GetKeycloakOptions<KeycloakAuthenticationOptions>()!;

    options.AddSecurity("oauth2", new NSwag.OpenApiSecurityScheme
    {
        Type = NSwag.OpenApiSecuritySchemeType.OAuth2,
        Description = "OAuth2 Implicit Grant",
        OpenIdConnectUrl = $"{config["Keycloak:AuthServerUrl"]}/realms/hypercube/.well-known/openid-configuration",
        Flows = new NSwag.OpenApiOAuthFlows
        {
            Implicit = new NSwag.OpenApiOAuthFlow
            {
                AuthorizationUrl = keycloakOptions.KeycloakTokenEndpoint.Replace("/token", "/auth"),
                Scopes = new Dictionary<string, string>
                {
                    { "openid", "OpenID Connect scope" },
                    { "profile", "Profile scope" },
                    { "email", "Email scope" },
                }
            }
        }
    });

    options.OperationProcessors.Add(new AspNetCoreOperationSecurityScopeProcessor("oauth2"));
});

The problem is the Keycloak:AuthServerUrl and the TokenEndpointUrl still return the HTTP endpoint NOT the HTTPS endpoint. How do I get Keycloak to default to the configured HTTPS endpoint instead of HTTP? Or what is the appropriate way to configure that on the api side of things?

[DamianEdwards]

Where is Keycloak:AuthServerUrl coming from? Can you show the code from the app host that sets that?

[LethargicDeveloper]

I feel silly. I wasn't even using Microsoft's keycloak aspire package (Aspire.Hosting.Keycloak). I was using a different one (Keycloak.AuthServices.Aspire.Hosting). It looks like the AuthServerUrl is hardcoded to http in the library I'm using. Not sure you can switch it...

When I try switching to Aspire.Hosting.Keycloak I have other issues, probably related to the aspire workload. I'll just wait until it gets officially released before I switch over to it.

[DamianEdwards]

If it helps, there's an in-progress Keycloak you can reference at https://github.com/dotnet/aspire-samples/tree/damianedwards/keycloak-sample/samples/Keycloak