This post explores the implementation of an OpenID Connect client in ASP.NET Core with Keycloak to enforce a level of authentication (LoA), using the Aspire hosting platform.
Keycloak is utilized to set up the OpenID Connect server and enforce authentication requirements, such as LoA1, LoA2, and LoA3.
The acr_values request parameter is used to communicate the required LoA to Keycloak, and it is set in the OnRedirectToIdentityProvider event of the OpenID Connect handler.
It is crucial to validate the level of authentication actually returned (the acr claim) and the amr claim in the issued token, rather than trusting the requested value, to ensure correct behaviour across different identity providers.
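The setup described above, as an added example rather than code from the original post: the OpenID Connect handler requests the level through acr_values in OnRedirectToIdentityProvider and then rejects the sign-in in OnTokenValidated when the returned acr or amr claims do not match. The realm URL, client id and the acr string "loa2" are placeholders; the acr values Keycloak returns depend on the realm's ACR-to-LoA mapping.

```csharp
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

// Assumption: "loa2" is the acr value the realm maps to LoA2; adjust to the realm's mapping.
const string RequiredAcr = "loa2";

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    options.Authority = "https://keycloak.example.test/realms/myrealm"; // placeholder realm
    options.ClientId = "aspnetcore-client";                            // placeholder client
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.MapInboundClaims = false; // keep the raw "acr" and "amr" claim names
    options.Events = new OpenIdConnectEvents
    {
        // Tell Keycloak which level is required on every authorization request.
        OnRedirectToIdentityProvider = context =>
        {
            context.ProtocolMessage.AcrValues = RequiredAcr;
            return Task.CompletedTask;
        },
        // Requesting a level is not enough: check what the provider actually returned.
        OnTokenValidated = context =>
        {
            var acr = context.Principal?.FindFirstValue("acr");
            var amr = context.Principal?.FindAll("amr").Select(c => c.Value).ToList()
                      ?? new List<string>();
            if (acr != RequiredAcr)
                context.Fail($"returned acr '{acr}' does not satisfy required '{RequiredAcr}'");
            else if (amr.Count == 0)
                context.Fail("no amr claim returned; authentication method cannot be confirmed");
            return Task.CompletedTask;
        }
    };
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/secure", (ClaimsPrincipal user) => $"acr={user.FindFirstValue("acr")}").RequireAuthorization();
app.Run();
```

A failed OnTokenValidated leaves the user unauthenticated, so a provider that silently downgrades the level (or omits amr) never produces a signed-in session.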