antosubash · antosubash · May 25, 2026 · May 25, 2026 · May 25, 2026 · May 25, 2026
diff --git a/.github/screenshots/01-landing-page.png b/.github/screenshots/01-landing-page.png
diff --git a/.github/screenshots/02-login-page.png b/.github/screenshots/02-login-page.png
diff --git a/.github/screenshots/03-dashboard.png b/.github/screenshots/03-dashboard.png
diff --git a/.github/screenshots/04-admin-hub.png b/.github/screenshots/04-admin-hub.png
diff --git a/.github/screenshots/05-admin-users.png b/.github/screenshots/05-admin-users.png
diff --git a/.github/screenshots/06-user-sessions.png b/.github/screenshots/06-user-sessions.png
diff --git a/.github/screenshots/07-keycloak-landing.png b/.github/screenshots/07-keycloak-landing.png
diff --git a/.github/screenshots/08-keycloak-local-login.png b/.github/screenshots/08-keycloak-local-login.png
diff --git a/.github/screenshots/09-keycloak-login-form.png b/.github/screenshots/09-keycloak-login-form.png
diff --git a/.github/screenshots/10-keycloak-credentials-filled.png b/.github/screenshots/10-keycloak-credentials-filled.png
diff --git a/.github/screenshots/11-keycloak-authenticated-dashboard.png b/.github/screenshots/11-keycloak-authenticated-dashboard.png
diff --git a/.github/screenshots/12-keycloak-user-dropdown.png b/.github/screenshots/12-keycloak-user-dropdown.png
diff --git a/.github/screenshots/13-keycloak-admin-hub.png b/.github/screenshots/13-keycloak-admin-hub.png
diff --git a/.github/screenshots/14-keycloak-admin-users.png b/.github/screenshots/14-keycloak-admin-users.png
diff --git a/.gitignore b/.gitignore
@@ -447,3 +447,7 @@ template/SimpleModule.Host/storage/
 # Temporary refactor baseline — not committed
 baseline/
 .claude/settings.local.json
+
+# Verification artifacts
+.verify/
+.qa/
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -34,6 +34,8 @@
     <PackageVersion Include="Microsoft.EntityFrameworkCore.SqlServer.NetTopologySuite" Version="10.0.3" />
     <PackageVersion Include="Microsoft.EntityFrameworkCore.Sqlite.NetTopologySuite" Version="10.0.3" />
     <!-- Identity -->
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.3" />
+    <PackageVersion Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="10.0.3" />
     <PackageVersion Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.3" />
     <!-- OpenIddict -->
     <PackageVersion Include="OpenIddict.AspNetCore" Version="6.3.0" />

diff --git a/Dockerfile b/Dockerfile
@@ -41,8 +41,11 @@ COPY modules/Dashboard/src/SimpleModule.Dashboard.Contracts/*.csproj modules/Das
 COPY modules/Dashboard/src/SimpleModule.Dashboard/*.csproj modules/Dashboard/src/SimpleModule.Dashboard/
 COPY modules/Users/src/SimpleModule.Users.Contracts/*.csproj modules/Users/src/SimpleModule.Users.Contracts/
 COPY modules/Users/src/SimpleModule.Users/*.csproj modules/Users/src/SimpleModule.Users/
+COPY modules/Identity/src/SimpleModule.Identity.Contracts/*.csproj modules/Identity/src/SimpleModule.Identity.Contracts/
 COPY modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/*.csproj modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/
 COPY modules/OpenIddict/src/SimpleModule.OpenIddict/*.csproj modules/OpenIddict/src/SimpleModule.OpenIddict/
+COPY modules/Keycloak/src/SimpleModule.Keycloak.Contracts/*.csproj modules/Keycloak/src/SimpleModule.Keycloak.Contracts/
+COPY modules/Keycloak/src/SimpleModule.Keycloak/*.csproj modules/Keycloak/src/SimpleModule.Keycloak/
 COPY modules/Permissions/src/SimpleModule.Permissions.Contracts/*.csproj modules/Permissions/src/SimpleModule.Permissions.Contracts/
 COPY modules/Permissions/src/SimpleModule.Permissions/*.csproj modules/Permissions/src/SimpleModule.Permissions/
 COPY modules/Admin/src/SimpleModule.Admin.Contracts/*.csproj modules/Admin/src/SimpleModule.Admin.Contracts/

diff --git a/Dockerfile.worker b/Dockerfile.worker
@@ -49,8 +49,11 @@ COPY modules/Dashboard/src/SimpleModule.Dashboard.Contracts/*.csproj modules/Das
 COPY modules/Dashboard/src/SimpleModule.Dashboard/*.csproj modules/Dashboard/src/SimpleModule.Dashboard/
 COPY modules/Users/src/SimpleModule.Users.Contracts/*.csproj modules/Users/src/SimpleModule.Users.Contracts/
 COPY modules/Users/src/SimpleModule.Users/*.csproj modules/Users/src/SimpleModule.Users/
+COPY modules/Identity/src/SimpleModule.Identity.Contracts/*.csproj modules/Identity/src/SimpleModule.Identity.Contracts/
 COPY modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/*.csproj modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/
 COPY modules/OpenIddict/src/SimpleModule.OpenIddict/*.csproj modules/OpenIddict/src/SimpleModule.OpenIddict/
+COPY modules/Keycloak/src/SimpleModule.Keycloak.Contracts/*.csproj modules/Keycloak/src/SimpleModule.Keycloak.Contracts/
+COPY modules/Keycloak/src/SimpleModule.Keycloak/*.csproj modules/Keycloak/src/SimpleModule.Keycloak/
 COPY modules/Permissions/src/SimpleModule.Permissions.Contracts/*.csproj modules/Permissions/src/SimpleModule.Permissions.Contracts/
 COPY modules/Permissions/src/SimpleModule.Permissions/*.csproj modules/Permissions/src/SimpleModule.Permissions/
 COPY modules/Admin/src/SimpleModule.Admin.Contracts/*.csproj modules/Admin/src/SimpleModule.Admin.Contracts/

diff --git a/SimpleModule.AppHost/AppHost.cs b/SimpleModule.AppHost/AppHost.cs
@@ -1,4 +1,4 @@
-var builder = DistributedApplication.CreateBuilder(args);
+var builder = DistributedApplication.CreateBuilder(args);
 
 var postgres = builder
     .AddPostgres("postgres")
@@ -8,12 +8,51 @@
 
 var db = postgres.AddDatabase("simplemoduledb");
 
-builder
+// Keycloak identity provider (opt-in via --launch-profile Keycloak)
+var useKeycloak = builder.Configuration["Identity:Provider"] == "Keycloak";
+
+IResourceBuilder<ContainerResource>? keycloak = null;
+if (useKeycloak)
+{
+    var realmImportPath = Path.Combine(builder.AppHostDirectory, "keycloak");
+
+    keycloak = builder
+        .AddContainer("keycloak", "quay.io/keycloak/keycloak", "26.2")
+        .WithHttpEndpoint(port: 8080, targetPort: 8080, name: "http")
+        .WithEnvironment("KC_BOOTSTRAP_ADMIN_USERNAME", "admin")
+        .WithEnvironment("KC_BOOTSTRAP_ADMIN_PASSWORD", "admin")
+        .WithEnvironment("KC_HTTP_ENABLED", "true")
+        .WithEnvironment("KC_HOSTNAME_STRICT", "false")
+        .WithEnvironment("KC_HEALTH_ENABLED", "true")
+        .WithBindMount(realmImportPath, "/opt/keycloak/data/import", isReadOnly: true)
+        .WithArgs("start-dev", "--import-realm")
+        .WithLifetime(ContainerLifetime.Persistent);
+}
+
+var host = builder
     .AddProject<Projects.SimpleModule_Host>("simplemodule-host")
     .WithExternalHttpEndpoints()
     .WithReference(db)
     .WaitFor(db);
 
+if (keycloak is not null)
+{
+    host.WithReference(keycloak.GetEndpoint("http"))
+        .WaitFor(keycloak)
+        .WithEnvironment("Identity__Provider", "Keycloak")
+        .WithEnvironment("Keycloak__Authority", "http://localhost:8080/realms/simplemodule")
+        .WithEnvironment("Keycloak__ClientId", "simplemodule-app")
+        .WithEnvironment("Keycloak__ClientSecret", "simplemodule-dev-secret")
+        .WithEnvironment("Keycloak__Realm", "simplemodule")
+        .WithEnvironment(
+            "Keycloak__AdminApiBaseUrl",
+            "http://localhost:8080/admin/realms/simplemodule"
+        )
+        .WithEnvironment("Keycloak__AdminClientId", "simplemodule-admin")
+        .WithEnvironment("Keycloak__AdminClientSecret", "simplemodule-admin-secret")
+        .WithEnvironment("Keycloak__RequireHttpsMetadata", "false");
+}
+
 builder
     .AddProject<Projects.SimpleModule_Worker>("simplemodule-worker")
     .WithReference(db)

diff --git a/SimpleModule.AppHost/Properties/launchSettings.json b/SimpleModule.AppHost/Properties/launchSettings.json
@@ -26,6 +26,20 @@
         "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "http://localhost:18194",
         "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "http://localhost:20023"
       }
+    },
+    "keycloak": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "https://localhost:17119;http://localhost:15076",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development",
+        "DOTNET_ENVIRONMENT": "Development",
+        "ASPIRE_DASHBOARD_OTLP_ENDPOINT_URL": "https://localhost:21159",
+        "ASPIRE_DASHBOARD_MCP_ENDPOINT_URL": "https://localhost:23210",
+        "ASPIRE_RESOURCE_SERVICE_ENDPOINT_URL": "https://localhost:22061",
+        "Identity__Provider": "Keycloak"
+      }
     }
   }
 }
diff --git a/SimpleModule.AppHost/keycloak/simplemodule-realm.json b/SimpleModule.AppHost/keycloak/simplemodule-realm.json
@@ -0,0 +1,120 @@
+{
+  "realm": "simplemodule",
+  "enabled": true,
+  "registrationAllowed": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "sslRequired": "none",
+  "roles": {
+    "realm": [
+      {
+        "name": "Admin",
+        "description": "Full administrative access"
+      },
+      {
+        "name": "User",
+        "description": "Standard user access"
+      }
+    ]
+  },
+  "clients": [
+    {
+      "clientId": "simplemodule-app",
+      "name": "SimpleModule Application",
+      "enabled": true,
+      "publicClient": false,
+      "secret": "simplemodule-dev-secret",
+      "redirectUris": [
+        "https://localhost:5001/keycloak/callback",
+        "http://localhost:5000/keycloak/callback",
+        "https://localhost:*/keycloak/callback",
+        "http://localhost:*/keycloak/callback"
+      ],
+      "webOrigins": ["*"],
+      "standardFlowEnabled": true,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": true,
+      "authorizationServicesEnabled": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256",
+        "post.logout.redirect.uris": "+"
+      },
+      "defaultClientScopes": [
+        "web-origins",
+        "acr",
+        "profile",
+        "roles",
+        "email"
+      ],
+      "protocolMappers": [
+        {
+          "name": "realm-roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "userinfo.token.claim": "true",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "clientId": "simplemodule-admin",
+      "name": "SimpleModule Admin Service Account",
+      "enabled": true,
+      "publicClient": false,
+      "secret": "simplemodule-admin-secret",
+      "serviceAccountsEnabled": true,
+      "standardFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "protocol": "openid-connect"
+    }
+  ],
+  "users": [
+    {
+      "username": "admin@simplemodule.dev",
+      "email": "admin@simplemodule.dev",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Admin",
+      "lastName": "User",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "Admin123!",
+          "temporary": false
+        }
+      ],
+      "realmRoles": ["Admin", "User"]
+    },
+    {
+      "username": "user@simplemodule.dev",
+      "email": "user@simplemodule.dev",
+      "emailVerified": true,
+      "enabled": true,
+      "firstName": "Test",
+      "lastName": "User",
+      "credentials": [
+        {
+          "type": "password",
+          "value": "User123!",
+          "temporary": false
+        }
+      ],
+      "realmRoles": ["User"]
+    }
+  ],
+  "defaultDefaultClientScopes": [
+    "web-origins",
+    "acr",
+    "profile",
+    "roles",
+    "email"
+  ]
+}
diff --git a/SimpleModule.slnx b/SimpleModule.slnx
@@ -37,11 +37,18 @@
     <Project Path="modules/Permissions/src/SimpleModule.Permissions/SimpleModule.Permissions.csproj" />
     <Project Path="modules/Permissions/tests/SimpleModule.Permissions.Tests/SimpleModule.Permissions.Tests.csproj" />
   </Folder>
+  <Folder Name="/modules/Identity/">
+    <Project Path="modules/Identity/src/SimpleModule.Identity.Contracts/SimpleModule.Identity.Contracts.csproj" />
+  </Folder>
   <Folder Name="/modules/OpenIddict/">
     <Project Path="modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/SimpleModule.OpenIddict.Contracts.csproj" />
     <Project Path="modules/OpenIddict/src/SimpleModule.OpenIddict/SimpleModule.OpenIddict.csproj" />
     <Project Path="modules/OpenIddict/tests/SimpleModule.OpenIddict.Tests/SimpleModule.OpenIddict.Tests.csproj" />
   </Folder>
+  <Folder Name="/modules/Keycloak/">
+    <Project Path="modules/Keycloak/src/SimpleModule.Keycloak.Contracts/SimpleModule.Keycloak.Contracts.csproj" />
+    <Project Path="modules/Keycloak/src/SimpleModule.Keycloak/SimpleModule.Keycloak.csproj" />
+  </Folder>
   <Folder Name="/modules/Admin/">
     <Project Path="modules/Admin/src/SimpleModule.Admin.Contracts/SimpleModule.Admin.Contracts.csproj" />
     <Project Path="modules/Admin/src/SimpleModule.Admin/SimpleModule.Admin.csproj" />