Cătălin Popinciuc

Software Development Engineer II

1 Mastering API Access Control with Keycloak

2 Setting Up Keycloak for Fine-Grained Authorization

3 How to Implement Fine-Grained Access Control with Keycloak

Share on:

Want to stay on top of everything?

Get updates on industry developments and the software solutions we can now create for a smooth digital transformation.

How to authorize your .NET Web APIs using Keycloak

July 30, 2025

8 min read

1 Mastering API Access Control with Keycloak

2 Setting Up Keycloak for Fine-Grained Authorization

3 How to Implement Fine-Grained Access Control with Keycloak

1 Mastering API Access Control with Keycloak

This article builds upon the insightful work of my colleague Sebastian Fulga; you can read his original piece here.

When it comes to securing Web APIs, authentication is only half the story. Authorization — knowing who can do what is just as critical, yet often receives less attention. In this follow-up, I’ll walk you through implementing fine-grained authorization using Keycloak, empowering you to manage access precisely. Whether you're just starting with authorization or already working with Keycloak, these steps are clear, practical, and designed with developers in mind.

Keycloak is an open-source single sign-on (SSO) solution licensed under Apache-2.0. Its implementation is publicly available on GitHub. Keycloak offers robust features including strong authentication, user management, identity provider integration, user federation, session control, event logging, and more. It’s highly configurable and has detailed official documentation on its website.

https://www.keycloak.org

2 Setting Up Keycloak for Fine-Grained Authorization

If you’ve already installed and configured Keycloak using the Docker file mentioned in Sebastian Fulga’s original article, you can begin working with your Keycloak server.

In this guide, we'll use the default master realm for simplicity. However, you’re free to create a new realm if preferred, this won’t impact the core behavior, but it will result in URL paths different from those shown here.

Once deployed, Keycloak should be accessible at: http://localhost:7011/

You can log in using the admin credentials defined in your Docker Compose file.

Important Version Note:
At the time of writing, the current Keycloak version is 26.2.5. Future versions may introduce interface changes or new features, so always refer to the official Keycloak documentation and release notes to stay updated. It's best practice to use the latest stable version to take advantage of ongoing improvements from the development team.

2.1 Create New User

After creating a new user in Keycloak, the next step is to set up user credentials. To do this, navigate to the "Credentials" tab within the user's detail page in the Keycloak admin console.

2.2 Creating a New Client and Enabling Authorization in Keycloak

Now that you’ve created a user, the next step is to create a new client in Keycloak and enable the Authorization feature. Creating a client is very similar to creating a user.

To get started, navigate to the “Clients” menu in the Keycloak admin console and click the “Create Client” button.

This client represents the application or backend service that will authenticate via the Keycloak API. In our example, we’ve named the client MyApp, but you can choose any name that fits your project.

Here are the essential settings to configure for the client:

Client Authentication: ON
Authorization: ON
Direct Access Grant: Enabled

These settings ensure that your client is fully equipped to handle secure authentication and fine-grained authorization using Keycloak.

2.3 Creating User Roles for Your Keycloak Client

For our MyApp client, we need to define user roles. Keycloak has two role types: realm roles and client roles.

Realm roles can be assigned across the entire realm and all clients.
Client roles are limited to the specific client where they are created.

In this tutorial, we’ll use client roles. To create them, go to the Roles tab under your client’s details page.

We’ll apply the Role-Based Access Control (RBAC) approach to show Keycloak’s flexibility in handling fine-grained permissions.

Create the following roles, which will later be used to control access to backend APIs:

2.4 Configure client Authorization

To enable fine-grained access control, navigate to the Authorization tab under the MyApp client page, just as you did for roles.

Keycloak may auto-generate default resources, policies, and permissions. These can be safely deleted to keep your configuration clean. While setting up the Authorization module may take some time, this guide will walk you through each step.

Configure Scopes

Scopes define the specific actions a user can perform and are essential for fine-grained authorization in Keycloak. In this example, we’ll use standard scopes like:

manage
query
view

You can also define custom scopes to match your application's needs.

Configure Resources

Resources represent APIs or features you want to protect. These can range from single endpoints to entire application modules.

In this setup, we’ll create two resources:

users – linked to the query, view, and manage scopes
fetch-weather – without any scope, to demonstrate resource-based permissions

Note: Resources in Keycloak can have one, many, or no scopes.

Configure Policies

Policies in Keycloak define the rules that must be satisfied to grant access to a resource. They are evaluated during the authorization process and determine whether a user can access a specific resource.

Policies can be based on various conditions, such as:

User roles
Client applications
User groups
Attributes or context (e.g., time, regex patterns)

In this guide, we’ll create role-based policies for each of the client roles (user, admin, manager) defined earlier.

These policies will form the foundation for assigning permissions to protected resources.

There are a few key aspects to understand when configuring role-based policies in Keycloak:

Multiple Roles: A single policy can include various roles. The "Required" checkbox determines whether a role must be present for access. In our case, since each policy includes just one role, it will be required by default. For multi-role policies, be sure to define which roles are mandatory.
Fetch Roles: This option is disabled by default. When enabled, Keycloak fetches roles in real time from the database rather than relying solely on the roles present in the access token. This can be powerful for dynamic role evaluation. If left disabled, users will retain the roles from their current token until a new token is issued.
Logic Setting: The "Logic" configuration controls how decisions are applied:

Positive: The policy behaves as defined, permits access, and denies blocks it.
Negative: The result is inverted, the permit becomes denied, and vice versa.

By the end of this section, you should have a complete list of role-based policies, each linked to one of the roles created earlier.

Configure Permissions

The final step in setting up Keycloak fine-grained authorization is to configure permissions. This step must come last, as it depends on previously defined resources, scopes, and policies.

Permissions control what actions a user or client can perform on specific resources or scopes. They are a key part of Keycloak's authorization module, enabling precise access control by linking resources to the policies that govern access decisions.

Keycloak supports two types of permissions:

Scope-based permissions – applied to specific actions or scopes
Resource-based permissions – applied directly to a resource

For this demo, we’ll use both types:

Scope-Based Permissions:

permission_query-users
permission_view-users
permission_manage-users

Resource-Based Permission:

permission_fetch-weather

There are a few key points worth noting:

Permissions can simultaneously support one or more 'Authorization scopes'.
Similarly, multiple 'Policies' can be backed by Permissions at the same time.
The 'Decision strategy' dictates how the policies associated with a given permission are evaluated and how a final decision is reached. Here are the options:

'Affirmative' implies that at least one policy must be positive.
'Unanimous' means that all policies must be favorable.
'Consensus' means that the number of positive outcomes must outweigh the number of negative ones.

In the end we will have the following permissions:

We observe that we have one permission of the type 'Resource-Based'. This permission is much like the others, except that the scope is not a prerequisite.

Now that we have everything in place, we can delve into the code to investigate how we handle authorization. However, before we do that, roles must be assigned to our user; otherwise, we'll lack access to our APIs.

Navigate to the Users tab in Keycloak, and then proceed to our user to assign all the roles from our MyApp client, just as illustrated:

3 How to Implement Fine-Grained Access Control with Keycloak

Let's start with the project structure, although this is not very important since you can create your own file structure. Since this is just a demo project, we will keep it simple.

Dependencies required from NuGet gallery:

- Microsoft.AspNetCore.Authentication.JwtBearer

Appsettings.json:

To validate JSON Web Tokens (JWT) in your ASP.NET Core application, you typically configure a JwtSettings section in appsettings.json. When using Keycloak, you don't need to set a secret key manually. Instead, Keycloak simplifies JWT signature verification by exposing a MetadataAddress endpoint.

This metadata endpoint (/.well-known/openid-configuration) provides Keycloak’s OpenID Connect configuration. It includes essential information such as:

The issuer (iss)
Supported scopes and response types
Authorization and token endpoints
Public keys for JWT signature validation
Logout endpoints and supported algorithms

With this built-in support, Keycloak enables secure and standardized token validation with minimal manual setup.

Next, you’ll define a custom authorization requirement by creating a new class: PermissionRequirement.cs. This record should implement Microsoft's IAuthorizationRequirement interface.AspNetCore.Authorization namespace.

This class forms the foundation for a custom authorization policy, allowing you to enforce fine-grained access control based on your application’s logic, such as user roles, scopes, or specific permissions.

Then we need to create a new file named ApplicationPolicies.cs that will contain two classes:

In our code, we have defined a static class known as DependencyInjection. The purpose of this class is to house our helper methods for dependency injection. These helper methods are designed as extension methods and these are being invoked in the Program.cs file.

In this section, we're setting up Authentication and Authorization for our service. We're also adding http clients. As an extra step, we're setting up a reverse proxy, which we'll discuss in more detail later.

We need to specify the previously defined necessary policies within the AddAuthorization method.

For simplicity, we stick with minimal APIs, which are the examples in the Program.cs file:

All API requests in this demo are GET requests, designed to return simple messages that confirm Keycloak authorization is functioning correctly.

Protected Endpoints and Required Policies:

/api/users → Requires the QueryUsers policy
/api/users/{id} → Requires the ViewUsers policy
/api/users/manage → Requires the ManageUsers policy

To enforce these policies, we’ve implemented a custom authorization handler called RequestBasedHandler. This handler sends a request to Keycloak on each API call to:

Verify the user's authentication
Validate the applied authorization policy

In our setup, the client (we’re using Postman) sends API requests with the Keycloak-issued access token, retrieved from: http://localhost:7011/realms/master/protocol/openid-connect/token.

This ensures each API request is checked in real time against the latest Keycloak roles and permissions.

RequestBasedHandler:

Let's now authenticate and get a new access token from Keycloak:

<pre><code class="language-bash">
curl --location 'http://localhost:7011/realms/master/protocol/openid-connect/token/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1aWQiOiIx...' \
--data-urlencode 'client_id=MyApp' \
--data-urlencode 'audience=MyApp' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'response_mode=permissions'
</code></pre>

This request returns a JSON object containing the list of all authorized resources and associated scopes for the authenticated user. This is useful for debugging, auditing, or dynamically adapting frontend behavior based on user permissions.


[
  {
    "rsid": "0d7d72a8-8cc8-47b0-a38b-b973d9b197da",
    "rsname": "fetch weather"
  },
  {
    "scopes": [
      "view",
      "manage"
    ],
    "rsid": "38ffed86-d128-4eff-a1f9-261727c9548e",
    "rsname": "users"
  }
]

Share on:

Want to stay on top of everything?

Get updates on industry developments and the software solutions we can now create for a smooth digital transformation.

Latest Technology Insights

View more insights

Leverage_your_automated_testing_framework_using_Playwright_TS_part2_ASSIST_Software

June 30, 2025

Dev Blog

Leverage your automated testing framework using Playwright TS - Part II

June 25, 2025

Dev Blog

Preparing Businesses for the European Accessibility Act and the Future of Dig...

June 23, 2025

Dev Blog

System Architecture Explained: Real-World Lessons in Managing Technical Debt

Frequently Asked Questions

1. Can you integrate AI into an existing software product?

Absolutely. Our team can assess your current system and recommend how artificial intelligence features, such as automation, recommendation engines, or predictive analytics, can be integrated effectively. Whether it's enhancing user experience or streamlining operations, we ensure AI is added where it delivers real value without disrupting your core functionality.

2. What types of AI projects has ASSIST Software delivered?

We’ve developed AI solutions across industries, from natural language processing in customer support platforms to computer vision in manufacturing and agriculture. Our expertise spans recommendation systems, intelligent automation, predictive analytics, and custom machine learning models tailored to specific business needs.

3. What is ASSIST Software's development process?

The Software Development Life Cycle (SDLC) we employ defines the following stages for a software project. Our SDLC phases include planning, requirement gathering, product design, development, testing, deployment, and maintenance.

4. What software development methodology does ASSIST Software use?

ASSIST Software primarily leverages Agile principles for flexibility and adaptability. This means we break down projects into smaller, manageable sprints, allowing continuous feedback and iteration throughout the development cycle. We also incorporate elements from other methodologies to increase efficiency as needed. For example, we use Scrum for project roles and collaboration, and Kanban boards to see workflow and manage tasks. As per the Waterfall approach, we emphasize precise planning and documentation during the initial stages.

5. I'm considering a custom application. Should I focus on a desktop, mobile or web app?

We can offer software consultancy services to determine the type of software you need based on your specific requirements. Please explore what type of app development would suit your custom build product.

A web application runs on a web browser and is accessible from any device with an internet connection. (e.g., online store, social media platform)
Mobile app developers design applications mainly for smartphones and tablets, such as games and productivity tools. However, they can be extended to other devices, such as smartwatches.
Desktop applications are installed directly on a computer (e.g., photo editing software, word processors).
Enterprise software manages complex business functions within an organization (e.g., Customer Relationship Management (CRM), Enterprise Resource Planning (ERP)).

6. My software product is complex. Are you familiar with the Scaled Agile methodology?

We have been in the software engineering industry for 30 years. During this time, we have worked on bespoke software that needed creative thinking, innovation, and customized solutions.

Scaled Agile refers to frameworks and practices that help large organizations adopt Agile methodologies. Traditional Agile is designed for small, self-organizing teams. Scaled Agile addresses the challenges of implementing Agile across multiple teams working on complex projects.

SAFe provides a structured approach for aligning teams, coordinating work, and delivering value at scale. It focuses on collaboration, communication, and continuous delivery for optimal custom software development services.

7. How do I choose the best collaboration model with ASSIST Software?

We offer flexible models. Think about your project and see which models would be right for you.

Dedicated Team: Ideal for complex, long-term projects requiring high continuity and collaboration.
Team Augmentation: Perfect for short-term projects or existing teams needing additional expertise.
Project-Based Model: Best for well-defined projects with clear deliverables and a fixed budget.

1. Is ASSIST Software a reliable company for custom engineering?

Absolutely. Our partners have given us great recommendations and reviews, leading us to win The Manifest Award for Most Reviewed Software Developers. Further proof comes from our 97% employee retention rate and ongoing client partnerships for over 8 years.

2. Are the ASSIST Software Romanian software engineers certified?

Yes. 85% of our software programmers are certified.

At a company level, ASSIST Software is certified and recognized by industry players such as Microsoft, AWS, Google Cloud, Adobe, Drupal, Fujitsu, ISTQB, and others.

However, our employee certifications are tremendously important as they represent the shared desire to grow in the long run.

3. Why should I choose Romania for custom software development?

Romania has become a significant player in custom software development, attracting businesses worldwide. Romania boasts the highest number of certified IT specialists in Europe and ranks sixth globally, surpassing even the US in tech specialists per capita.

At ASSIST Software, we have a competitive advantage. Our engineers are not only certified and experienced but also flexible and open to dialogue. Our +2 GMT zone allows us to easily facilitate meetings with clients all over the world and accommodate multiple business hours.

4. What team will work on my project, and where will it be located?

ASSIST Software's headquarters is in Romania, a prime country for software development outsourcing. Our 350+ software engineers speak English and have a deep passion for innovation.

We provide regular project updates through reports, meetings, and online dashboards. Generally, you'll have access to a dedicated project manager who will be your point of contact for any questions or concerns.

5. How much will my project cost me?

Our prices are competitive, and as per our working model, we guarantee you will be satisfied with the result. Frequent meetings, check-ins, and a great communication structure will ensure this outcome.

Project costs depend on various factors, including complexity, scope, required technologies, and team size. We'll gather detailed information about your project during the initial consultation to provide a customized quote and we guarantee that you will be able to see the benefits of bespoke software.

1. What technologies do you work with?

ASSIST Software tackles your projects with a robust tech stack. We build native and cross-platform mobile apps, craft user-friendly web experiences, and create stunning visuals.

Our wide-ranging expertise starts from Java, Python, and JavaScript frameworks to cutting-edge solutions like AR/VR, blockchain, and AI/ML. We also manage databases, leverage cloud platforms, and ensure flawless project execution. We're your one-stop shop for exceptional software development from concept to deployment. You can view our expertise for more details.

2. Are you an experienced in AI/ML development?

Yes. We have extensive experience in data engineering and machine learning operations (MLOps). We can employ neural networks, computer vision, and AI models to benefit your ideas.

You can trust our long-term experience with big data, NLP, and sentiment analyzing as, for the past 3 years, we led a European security project with 15 partners in detecting radicalization on social media and the dark web.

3. Do you have a research and development department and work on European Projects?

We know R&D is crucial for businesses to stay competitive and thrive in dynamic markets. Successful R&D efforts lead to developing exceptional products or services, improved efficiency and effectiveness in operations, and enhanced market positioning.

We have established solid partnerships with 160+ European research companies, universities, and research centers (e.g., Fraunhofer, TWI, University of Heidelberg, REWE Group, SINTEF, etc.) and have participated as technical partners in over 25 EU-funded projects.

4. Besides custom software solutions, what other services do you offer?

Design Thinking for Breakthrough Products:
We craft user experiences that resonate. Our design process is an immersive collaboration, starting with workshops to uncover your vision and user needs. We conduct market research, analyze the competition, and guide you toward cutting-edge solutions in accordance with your business requirements.
Digital Transformation to Reimagine Your Business:
Digital transformation is nothing less than a strategic shift. We empower you to become more agile and data-driven, optimizing core processes for the digital age.
Scale with Confidence as We Build for Growth:
We understand that business success and development mean new challenges. Our solutions are built to scale seamlessly, accommodating increasing user bases and data volumes without sacrificing performance or security.

5. As a company, does ASSIST have its own software products?

Yes, ASSIST Software teams have been involved in designing and developing innovative products that answer community needs. One such example is the web and mobile platform Autisma. This therapy assistant enables continued learning for children diagnosed with autism spectrum disorder.

Our extensive knowledge of the Unity and Unreal engines has allowed us to develop two mobile games, Elly and the Ruby Atlas and Hooman Invaders, and various Unity Assets, such as the Real-Time Weather PRO and Easy Sky. The two Unity assets allow Unity developers to control the weather and sky in their projects.

1. Is ASSIST Software hiring right now?

We are always looking for great people to join our team, whether you're a senior software engineer or a new talent seeking an IT career. Please check our careers page and contact us. Our HR department will contact you as soon as possible.

2. Is ASSIST Software organizing internships?

Yes. Each year, we organize individual and group internships for students. Our long-term partnership with the Stefan cel Mare University of Suceava allows us to put together great events for students and help them get started in the industry.

3. What type of learning culture does ASSIST Software encourage?

Our focus on innovation comes from a 'can do' attitude and the continuous learning we encourage our colleagues to pursue. We frequently organize workshops, learning sessions, presentations, and masterclasses. All these events are free and open to our colleagues and aim to support their professional and personal development.

4. How does ASSIST Software focus on teamwork?

The key to stellar teamwork is the quality time we spend together. ASSIST employees and their families are frequently invited to participate in all activities. We encourage a healthy lifestyle by promoting and organizing hikes, bike riding sessions, marathons, volleyball, football and tennis matches, ping-pong championships, and many more.

We show our care for the environment through reforestation campaigns and forest cleaning activities.

We also have an English-speaking club, e-sports gaming nights, tech discussions, networking parties, and board game sessions.

5. How does ASSIST Software give back to the community?

Volunteering and charity are essential to us, which is why we founded the ASSIST Humanitarian Foundation. We genuinely care about our community and want to improve the future. We invest in IT equipment for schools and award excellent teachers. We also help hospitals and fire departments enter the 21st century.

We sponsor cultural events and deliver humanitarian aid to those in need. If you agree with our views, you can also donate.