feat: Add Keycloak authentication and authorization

- Integrated Keycloak via Aspire.Hosting.Keycloak package
- Added OpenID Connect authentication to BlazorApp with Keycloak provider
- Configured home page as public, all other pages require authentication
- Added Login/Logout UI components in top-right corner
- Configured id_token_hint for proper logout flow
- Added comprehensive Keycloak setup documentation
- Updated .gitignore to exclude Development settings files

This implements private website access control where only selected users
can authenticate through Keycloak.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: fboucher

.gitignore

@@ -490,6 +490,7 @@ NoteBookmark.Api/obj/
 NoteBookmark.Api/appsettings.Development.json
 
 NoteBookmark.BlazorApp/appsettings.Development.json
+src/NoteBookmark.BlazorApp/appsettings.Development.json
 .azure
 
 NoteBookmark.AppHost/appsettings.Development.json

Directory.Packages.props

@@ -1,12 +1,11 @@
 <Project>
   <ItemGroup>
     <!-- Aspire packages -->
-    <PackageVersion Include="Aspire.Hosting.AppHost" Version="13.0.2" />
-    <PackageVersion Include="Aspire.Hosting.Azure.Storage" Version="13.0.2" />
-    <PackageVersion Include="Aspire.Hosting.Docker" Version="13.0.2-preview.1.25603.5" />
-    <PackageVersion Include="Aspire.Hosting.Keycloak" Version="13.1.0-preview.1.25616.3" />
-    <PackageVersion Include="Aspire.Azure.Data.Tables" Version="13.0.2" />
-    <PackageVersion Include="Aspire.Azure.Storage.Blobs" Version="13.0.2" />
+    <PackageVersion Include="Aspire.Hosting.Azure.Storage" Version="13.1.1" />
+    <PackageVersion Include="Aspire.Hosting.Docker" Version="13.1.1-preview.1.26105.8" />
+    <PackageVersion Include="Aspire.Hosting.Keycloak" Version="13.1.1-preview.1.26105.8" />
+    <PackageVersion Include="Aspire.Azure.Data.Tables" Version="13.1.1" />
+    <PackageVersion Include="Aspire.Azure.Storage.Blobs" Version="13.1.1" />
     <!-- Azure packages -->
     <PackageVersion Include="Azure.Data.Tables" Version="12.11.0" />
     <PackageVersion Include="Azure.Storage.Blobs" Version="12.26.0" />

README.md

@@ -49,6 +49,11 @@ Next time you will navigate to the app, you will be prompt a to login with your
 
 Voila! Your app is now secure.
 
+## Documentation
+
+For detailed setup guides and configuration information:
+- [Keycloak Authentication Setup](/docs/KEYCLOAK_AUTH.md) - Complete guide for setting up Keycloak authentication
+
 ## Contributing
 
 Your contributions are welcome! Take a look at [CONTRIBUTING](/CONTRIBUTING.md) for details.

src/NoteBookmark.AppHost/NoteBookmark.AppHost.csproj

@@ -1,12 +1,10 @@
-<Project Sdk="Microsoft.NET.Sdk">
-  <Sdk Name="Aspire.AppHost.Sdk" Version="13.0.2" />
+<Project Sdk="Aspire.AppHost.Sdk/13.1.1">
   <PropertyGroup>
     <OutputType>Exe</OutputType>
     <IsAspireHost>true</IsAspireHost>
     <UserSecretsId>0784f0a9-b1e6-4e65-8d31-00f1369f6d75</UserSecretsId>
   </PropertyGroup>
   <ItemGroup>
-    <PackageReference Include="Aspire.Hosting.AppHost" />
     <PackageReference Include="Aspire.Hosting.Azure.Storage" />
     <PackageReference Include="Aspire.Hosting.Docker" />
     <PackageReference Include="Aspire.Hosting.Keycloak" />

src/NoteBookmark.BlazorApp/Components/Layout/MainLayout.razor

@@ -8,10 +8,12 @@
     <FluentHeader>
         Note Bookmark
         <FluentSpacer />
-        <LoginDisplay />
-        <FluentAnchor Href="/settings" aria-label="Settings">
-            <FluentIcon Value="@(new Icons.Filled.Size16.AppsSettings())" />
-        </FluentAnchor>
+        <FluentStack Orientation="Orientation.Horizontal" HorizontalGap="12" VerticalAlignment="VerticalAlignment.Center" HorizontalAlignment="HorizontalAlignment.Right">
+            <LoginDisplay />
+            <FluentAnchor Href="/settings" aria-label="Settings">
+                <FluentIcon Value="@(new Icons.Filled.Size16.AppsSettings())" />
+            </FluentAnchor>
+        </FluentStack>
     </FluentHeader>
     <FluentStack Class="main" Orientation="Orientation.Horizontal" Width="100%">
         <NavMenu />

src/NoteBookmark.BlazorApp/Components/Pages/Home.razor

@@ -1,4 +1,6 @@
 @page "/"
+@attribute [AllowAnonymous]
+@using Microsoft.AspNetCore.Authorization
 @using Microsoft.FluentUI.AspNetCore.Components
 @inject NavigationManager Navigation
 

src/NoteBookmark.BlazorApp/Components/Pages/Login.razor

@@ -1,11 +1,27 @@
 @page "/login"
+@attribute [AllowAnonymous]
+@using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Authentication
 @using Microsoft.AspNetCore.Authentication.OpenIdConnect
 @inject NavigationManager Navigation
+@inject IHttpContextAccessor HttpContextAccessor
 @code {
     protected override async Task OnInitializedAsync()
     {
-        // Redirect to Keycloak login
-        Navigation.NavigateTo($"/authentication/login?returnUrl={Uri.EscapeDataString(Navigation.Uri)}", forceLoad: true);
+        // Get the return URL from query string or default to home
+        var uri = new Uri(Navigation.Uri);
+        var query = System.Web.HttpUtility.ParseQueryString(uri.Query);
+        var returnUrl = query["returnUrl"] ?? "/";
+        
+        // Trigger authentication challenge via HttpContext
+        var httpContext = HttpContextAccessor.HttpContext;
+        if (httpContext != null)
+        {
+            var authProperties = new AuthenticationProperties
+            {
+                RedirectUri = returnUrl
+            };
+            await httpContext.ChallengeAsync(OpenIdConnectDefaults.AuthenticationScheme, authProperties);
+        }
     }
 }

src/NoteBookmark.BlazorApp/Components/Pages/Logout.razor

@@ -1,12 +1,22 @@
 @page "/logout"
+@attribute [AllowAnonymous]
+@using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Authentication
 @using Microsoft.AspNetCore.Authentication.Cookies
 @using Microsoft.AspNetCore.Authentication.OpenIdConnect
-@inject NavigationManager Navigation
+@inject IHttpContextAccessor HttpContextAccessor
 @code {
     protected override async Task OnInitializedAsync()
     {
-        // Redirect to logout endpoint
-        Navigation.NavigateTo("/authentication/logout", forceLoad: true);
+        var httpContext = HttpContextAccessor.HttpContext;
+        if (httpContext != null)
+        {
+            var properties = new AuthenticationProperties
+            {
+                RedirectUri = "/"
+            };
+            await httpContext.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, properties);
+            await httpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+        }
     }
 }

src/NoteBookmark.BlazorApp/Components/Shared/LoginDisplay.razor

@@ -1,19 +1,18 @@
+@rendermode InteractiveServer
 @using Microsoft.AspNetCore.Components.Authorization
 @inject NavigationManager Navigation
 
 <AuthorizeView>
     <Authorized>
-        <FluentStack Orientation="Orientation.Horizontal" HorizontalGap="8">
+        <FluentStack Orientation="Orientation.Horizontal" HorizontalGap="8" HorizontalAlignment="HorizontalAlignment.Right" VerticalAlignment="VerticalAlignment.Center">
             <span>Hello, @context.User.Identity?.Name</span>
-            <FluentButton Appearance="Appearance.Lightweight" OnClick="Logout">
-                <FluentIcon Value="@(new Icons.Regular.Size16.ArrowExit())" />
+            <FluentButton Appearance="Appearance.Lightweight" OnClick="Logout" IconStart="@(new Icons.Regular.Size16.ArrowExit())">
                 Logout
             </FluentButton>
         </FluentStack>
     </Authorized>
     <NotAuthorized>
-        <FluentButton Appearance="Appearance.Accent" OnClick="Login">
-            <FluentIcon Value="@(new Icons.Regular.Size16.Person())" />
+        <FluentButton Appearance="Appearance.Accent" OnClick="Login" IconStart="@(new Icons.Regular.Size16.Person())">
             Login
         </FluentButton>
     </NotAuthorized>
@@ -22,11 +21,16 @@
 @code {
     private void Login()
     {
-        Navigation.NavigateTo("/login", forceLoad: true);
+        var returnUrl = Navigation.ToBaseRelativePath(Navigation.Uri);
+        if (string.IsNullOrEmpty(returnUrl))
+        {
+            returnUrl = "/";
+        }
+        Navigation.NavigateTo($"/login?returnUrl={Uri.EscapeDataString(returnUrl)}", forceLoad: false);
     }
 
     private void Logout()
     {
-        Navigation.NavigateTo("/logout", forceLoad: true);
+        Navigation.NavigateTo("/logout", forceLoad: false);
     }
 }

src/NoteBookmark.BlazorApp/Program.cs

@@ -87,10 +87,26 @@
         NameClaimType = "preferred_username",
         RoleClaimType = "roles"
     };
+    
+    // Configure logout to properly pass id_token_hint to Keycloak
+    options.Events = new OpenIdConnectEvents
+    {
+        OnRedirectToIdentityProviderForSignOut = context =>
+        {
+            // Get the id_token from saved tokens
+            var idToken = context.HttpContext.GetTokenAsync("id_token").Result;
+            if (!string.IsNullOrEmpty(idToken))
+            {
+                context.ProtocolMessage.IdTokenHint = idToken;
+            }
+            return Task.CompletedTask;
+        }
+    };
 });
 
 builder.Services.AddAuthorization();
 builder.Services.AddCascadingAuthenticationState();
+builder.Services.AddHttpContextAccessor();
 
 // Add services to the container.
 builder.Services.AddRazorComponents()