From 35b51c6b962516a9ab4c75b80ebd3c1bc52de2c6 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Sun, 7 Dec 2025 14:52:51 +0100
Subject: [PATCH 1/8] bit Boilerplate now retrieves keycloak claims dynamically
 (#11837)

---
 ...DemoIcon.razor => EnterpriseSsoIcon.razor} |  0
 .../Pages/Identity/Components/SocialRow.razor |  6 +-
 .../Identity/Components/SocialRow.razor.cs    |  2 +-
 .../IdentityController.SocialSignIn.cs        | 20 ++++++-
 .../Program.Services.cs                       | 28 ++++++---
 .../Identity/AppUserClaimsPrincipalFactory.cs | 60 ++++++++++++++++++-
 .../Boilerplate.Server.Api/appsettings.json   |  7 ++-
 .../Realms/README.md                          | 13 ++--
 .../Realms/demo-realm.json                    | 27 +++------
 .../Boilerplate.Server.Web/appsettings.json   |  4 ++
 .../src/Shared/Resources/AppStrings.ar.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.de.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.es.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.fa.resx   |  4 +-
 .../src/Shared/Resources/AppStrings.fr.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.hi.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.nl.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.resx      |  4 +-
 .../src/Shared/Resources/AppStrings.sv.resx   |  6 +-
 .../src/Shared/Resources/AppStrings.zh.resx   |  6 +-
 20 files changed, 152 insertions(+), 71 deletions(-)
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/{IdentityServerDemoIcon.razor => EnterpriseSsoIcon.razor} (100%)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/IdentityServerDemoIcon.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor
similarity index 100%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/IdentityServerDemoIcon.razor
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
index af7cfe23f3..cf213b2137 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
@@ -11,10 +11,10 @@
         }
         else
         {
-            @if (supportedProviders.Contains("IdentityServerDemo"))
+            @if (supportedProviders.Contains("EnterpriseSso"))
             {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleIdentityServerDemo)" Title="@Localizer[AppStrings.IdentityServerDemoSignInButtonText]">
-                    <IdentityServerDemoIcon />
+                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleEnterpriseSso)" Title="@Localizer[AppStrings.EnterpriseSsoSignInButtonText]">
+                    <EnterpriseSsoIcon />
                 </SocialButton>
             }
             @if (supportedProviders.Contains("Google"))
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs
index b5aeeb79c0..aef2bdb870 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs
@@ -33,5 +33,5 @@ protected override async Task OnInitAsync()
     private async Task HandleApple() => await OnClick.InvokeAsync("Apple");
     private async Task HandleAzureAD() => await OnClick.InvokeAsync("AzureAD");
     private async Task HandleFacebook() => await OnClick.InvokeAsync("Facebook");
-    private async Task HandleIdentityServerDemo() => await OnClick.InvokeAsync("IdentityServerDemo");
+    private async Task HandleEnterpriseSso() => await OnClick.InvokeAsync("EnterpriseSso");
 }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs
index f8cffb98fb..d079fb6bc6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs
@@ -87,6 +87,24 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
                 await userManager.UpdateAsync(user);
             }
 
+            // Using these tokens (if provided by external provider) for further API calls to the provider on behalf of the user.
+            // Example: Getting more profile data from the provider, posting on behalf of the user or getting user claims updates, etc.
+            var accessToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "access_token")?.Value;
+            var refreshToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "refresh_token")?.Value;
+            var expiresAt = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "expires_at")?.Value;
+            if (string.IsNullOrEmpty(refreshToken) is false)
+            {
+                await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "refresh_token", refreshToken);
+            }
+            if (string.IsNullOrEmpty(accessToken) is false)
+            {
+                await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "access_token", accessToken);
+            }
+            if (string.IsNullOrEmpty(expiresAt) is false)
+            {
+                await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "expires_at", expiresAt);
+            }
+
             (_, signInPageUri) = await GenerateAutomaticSignInLink(user, returnUrl, originalAuthenticationMethod: "Social"); // Sign in with a magic link, and 2FA will be prompted if already enabled.
         }
         catch (Exception exp)
@@ -101,7 +119,7 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
 
         var redirectRelativeUrl = $"{PageUrls.WebInteropApp}?actionName=SocialSignInCallback&url={Uri.EscapeDataString(signInPageUri!)}&localHttpPort={localHttpPort}";
 
-        if (localHttpPort is not null) 
+        if (localHttpPort is not null)
             return Redirect(new Uri(new Uri($"http://localhost:{localHttpPort}"), redirectRelativeUrl).ToString()); // Check out Client.web/wwwroot/web-interop-app.html's comments.
 
         return Redirect(new Uri(Request.HttpContext.Request.GetWebAppUrl(), redirectRelativeUrl).ToString());
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
index 3586b7d5dd..571e5202a2 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
@@ -398,6 +398,12 @@ void AddDbContext(DbContextOptionsBuilder options)
             //#endif
         });
 
+        services.AddHttpClient("Keycloak", c =>
+        {
+            c.BaseAddress = new Uri(configuration["KEYCLOAK_HTTP"] ?? throw new InvalidOperationException("KEYCLOAK_HTTP configuration is required"));
+            c.DefaultRequestVersion = HttpVersion.Version11;
+        });
+
         services.AddFido2(options =>
         {
 
@@ -637,16 +643,23 @@ private static void AddIdentity(WebApplicationBuilder builder)
 
         // While Google, GitHub, Twitter(X), Apple and AzureAD needs configuration in their corresponding developer portals,
         // the following OpenID Connect configuration would connect to your own Keycloak, Auth0, Okta, Duende IdentityServer, etc.
+        // It has been enabled only for dev environment, until you prepare your own production ready Keycloak server.
         if (builder.Environment.IsDevelopment())
         {
-            authenticationBuilder.AddOpenIdConnect("IdentityServerDemo", options =>
+            authenticationBuilder.AddOpenIdConnect("EnterpriseSso", options =>
             {
+                configuration.GetRequiredSection("Authentication:EnterpriseSso").Bind(options);
+
                 var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"]; // Boilerplate.Server.AppHost (Aspire) would pass this value automatically,
                                                                       // you could also use your own Keycloak URL here.
                 if (string.IsNullOrEmpty(keycloakBaseUrl) is false)
                 {
-                    // Keycloak requires the full authority URL including the realm
-                    options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/demo"; // Checkout src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
+                    // The user would sign-in using Keycloak, just like other providers such as Google.
+                    // IdentityController.SocialSignIn's SocialSignInCallback would store refresh token provided by Keycloak
+                    // Laster, AppUserClaimsPrincipalFactory would use the refresh token to retrieve claims (roles etc) from Keycloak.
+                    // This allows seamless integration with Keycloak, that way you could manage users, roles and claims from Keycloak admin console.
+                    // Checkout src/Server/Boilerplate.Server.AppHost/Realms/README.md for more information.
+                    options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/demo";
                 }
                 else
                 {
@@ -654,22 +667,19 @@ private static void AddIdentity(WebApplicationBuilder builder)
                     options.Authority = "https://demo.duendesoftware.com";
                 }
 
-                options.ClientId = "interactive.confidential";
-                options.ClientSecret = "secret";
                 options.ResponseType = "code";
                 options.ResponseMode = "query";
 
                 options.Scope.Clear();
                 options.Scope.Add("openid");
                 options.Scope.Add("profile");
-                options.Scope.Add("api"); // Custom API access scope for accessing protected resources
-                options.Scope.Add("offline_access");
                 options.Scope.Add("email");
+                options.Scope.Add("offline_access"); // To get refresh tokens
+                options.Scope.Add("api"); // Sample API scope
 
-                options.MapInboundClaims = false;
+                options.MapInboundClaims = true;
                 options.GetClaimsFromUserInfoEndpoint = true;
                 options.SaveTokens = true;
-                options.DisableTelemetry = true;
 
                 options.Prompt = "login"; // Force login every time
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
index ac355756f0..346e6fad16 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
@@ -1,8 +1,10 @@
-using Boilerplate.Server.Api.Models.Identity;
+using System.IdentityModel.Tokens.Jwt;
+using Boilerplate.Server.Api.Models.Identity;
 
 namespace Boilerplate.Server.Api.Services.Identity;
 
-public partial class AppUserClaimsPrincipalFactory(UserClaimsService userClaimsService, UserManager<User> userManager, RoleManager<Role> roleManager, IOptions<IdentityOptions> optionsAccessor)
+public partial class AppUserClaimsPrincipalFactory(UserClaimsService userClaimsService, UserManager<User> userManager, RoleManager<Role> roleManager,
+        IOptions<IdentityOptions> optionsAccessor, IConfiguration configuration, IServiceProvider serviceProvider)
     : UserClaimsPrincipalFactory<User, Role>(userManager, roleManager, optionsAccessor)
 {
     /// <summary>
@@ -20,9 +22,63 @@ protected override async Task<ClaimsIdentity> GenerateClaimsAsync(User user)
                 result.AddClaim(sessionClaim);
         }
 
+        await RetrieveKeycloakClaims(user, result);
+
         return result;
     }
 
+    /// <summary>
+    /// Retrieves additional claims from Keycloak and adds them to the user's claims.
+    /// </summary>
+    private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity result)
+    {
+        var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"];
+        if (string.IsNullOrEmpty(keycloakBaseUrl) is false)
+        {
+            var keycloakRefreshToken = await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "refresh_token");
+            if (string.IsNullOrEmpty(keycloakRefreshToken) is false)
+            {
+                var keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
+                var keycloakAccessToken = await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "access_token") ?? throw new InvalidOperationException("access_token token is missing");
+                if (DateTimeOffset.UtcNow >= keycloakTokenExpiryDate)
+                {
+                    var httpClient = serviceProvider.GetRequiredService<IHttpClientFactory>().CreateClient("Keycloak");
+                    var refreshRequestPayload = new FormUrlEncodedContent(new Dictionary<string, string>
+                    {
+                        { "grant_type", "refresh_token" },
+                        { "client_id", configuration["Authentication:EnterpriseSso:ClientId"]! },
+                        { "client_secret", configuration["Authentication:EnterpriseSso:ClientSecret"]! },
+                        { "refresh_token", keycloakRefreshToken }
+                    });
+                    using var response = await httpClient.PostAsync($"realms/demo/protocol/openid-connect/token", refreshRequestPayload);
+                    if (response.IsSuccessStatusCode is false)
+                    {
+                        var errorDetails = await response.Content.ReadFromJsonAsync<Dictionary<string, object?>>();
+                        if (errorDetails?.Any(i => i.Key == "error" && i.Value?.ToString() is "invalid_grant") is true)
+                            throw new UnauthorizedException(errorDetails["error_description"]!.ToString()!).WithData(errorDetails);
+                        throw new InvalidOperationException("Failed to refresh Keycloak access token").WithData(errorDetails ?? []);
+                    }
+                    var responseBody = await response.Content.ReadFromJsonAsync<JsonElement>();
+                    keycloakAccessToken = responseBody!.GetProperty("access_token").GetString();
+                }
+                var handler = new JwtSecurityTokenHandler();
+                var parsedKeycloakAccessToken = handler.ReadJwtToken(keycloakAccessToken);
+                var keycloakClaims = parsedKeycloakAccessToken.Claims
+                    .Select(claim => new Claim(
+                        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.TryGetValue(claim.Type, out var mapped)
+                            ? mapped
+                            : claim.Type,
+                        claim.Value))
+                    .ToList();
+
+                foreach (var claim in keycloakClaims)
+                {
+                    result.AddClaim(claim);
+                }
+            }
+        }
+    }
+
     /// <summary>
     /// aspnetcore identity's code to retrieve claims is not performant enough,
     /// because it doesn't have access to navigation properties and has to query the database for user claims, user roles and role claims separately,
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
index 3f72f9ca7f..d9cd1f7505 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
@@ -186,7 +186,12 @@
             "ClientSecret": null,
             "CallbackPath": "/signin-oidc"
         },
-        "AzureAD_Comment": "Azure ADB2C/Azure Entra"
+        "AzureAD_Comment": "Azure ADB2C/Azure Entra",
+        "EnterpriseSso": {
+            "ClientId": "interactive.confidential",
+            "ClientSecret": "secret"
+        },
+        "EnterpriseSso_Comment": "Configure your Enterprise Sso such as Keycloak or Duende Identity Server"
     },
     "AllowedHosts": "*",
     "TrustedOrigins": [],
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
index 6ad2a8378f..8a4fb2767c 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
@@ -30,11 +30,11 @@ The realm supports multiple languages for localized user interfaces:
 
 ### 👥 Pre-configured Users
 
-| Username | Email | Password | Role | Description |
+| Username | Email | Password |
 |----------|-------|----------|------|-------------|
-| `alice` | AliceSmith@email.com | `alice` | Standard User | Basic realm user with default permissions |
-| `bob` | BobSmith@email.com | `bob` | Standard User | Basic realm user with default permissions |
-| `test` | test@bitplatform.dev | `123456` | Super Admin | Administrative user with elevated privileges |
+| `alice` | AliceSmith@email.com | `alice` |
+| `bob` | BobSmith@email.com | `bob` |
+| `test` | test@bitplatform.dev | `123456` |
 
 ### 🔗 Client Configuration
 
@@ -49,7 +49,7 @@ The realm supports multiple languages for localized user interfaces:
 - **`openid`**: Core OpenID Connect identity
 - **`profile`**: User profile information (name, username)
 - **`email`**: Email address and verification status
-- **`api`**: Custom API access scope for protected resources
+- **`api`**: Sample API scope
 - **`offline_access`**: Refresh token support
 
 ### ⚙️ Token Configuration
@@ -79,6 +79,7 @@ When running the Boilerplate application with Aspire:
 2. **Realm is imported** from this JSON file
 3. **Users are immediately available** for testing
 4. **Admin Console**: Access at `http://localhost:8080` (admin/P@ssw0rd)
+Note: Keycloak's admin panel opens master realm by default; switch to `demo` realm to manage users.
 
 ## Security Notes
 
@@ -89,7 +90,7 @@ For production deployments:
 - Restrict redirect URIs to specific domains
 - Use proper SSL certificates
 - Configure appropriate session timeouts
-- Enable additional security features (2FA, account lockout policies)
+- Enable additional security features for admin user (e.g., 2FA)
 - Review and minimize granted permissions
 - Use strong client secrets and rotate them regularly
 - Enable SMTP server
\ No newline at end of file
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
index d857635c0e..0259ff4781 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
@@ -331,33 +331,20 @@
                 "display.on.consent.screen": "true",
                 "consent.screen.text": "${rolesScopeConsentText}"
             },
+
             "protocolMappers": [
                 {
-                    "id": "client-roles-mapper",
-                    "name": "client roles",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-client-role-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "user.attribute": "foo",
-                        "access.token.claim": "true",
-                        "claim.name": "resource_access.${client_id}.roles",
-                        "jsonType.label": "String",
-                        "multivalued": "true"
-                    }
-                },
-                {
-                    "id": "realm-roles-mapper",
-                    "name": "realm roles",
+                    "name": "realm roles mapper",
                     "protocol": "openid-connect",
                     "protocolMapper": "oidc-usermodel-realm-role-mapper",
                     "consentRequired": false,
                     "config": {
-                        "user.attribute": "foo",
-                        "access.token.claim": "true",
-                        "claim.name": "realm_access.roles",
+                        "claim.name": "roles",
                         "jsonType.label": "String",
-                        "multivalued": "true"
+                        "multivalued": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "userinfo.token.claim": "true"
                     }
                 }
             ]
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
index aee46d131d..87afe8b2a7 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
@@ -122,6 +122,10 @@
             "ClientId": null,
             "ClientSecret": null,
             "CallbackPath": "/signin-oidc"
+        },
+        "EnterpriseSso": {
+            "ClientId": "interactive.confidential",
+            "ClientSecret": "secret"
         }
     },
     "Cloudflare": {
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
index 6bad0b2ab1..b6d9b0b7a6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>تسجيل الدخول بـ Apple</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>تسجيل الدخول بخادم الاختبار</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>تسجيل الدخول بـ SSO المؤسسي</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>تسجيل الدخول بـ Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
index 515c95e4db..f9b64d0d0f 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@ Nach Erreichen von {0} haben zusätzliche Anmeldungen reduzierte Funktionen.</va
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Mit Apple anmelden</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Mit Testserver anmelden</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Mit Enterprise SSO anmelden</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Mit Azure Entra anmelden</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
index 2d6cc55d46..4fec8894bb 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@ Después de alcanzar {0}, los inicios de sesión adicionales tendrán funciones
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Iniciar sesión con Apple</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Iniciar sesión con servidor de prueba</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Iniciar sesión con SSO empresarial</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Iniciar sesión con Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
index 7119dc3c93..492c4776d6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
@@ -636,8 +636,8 @@
     <data name="SignOut" xml:space="preserve">
     <value>خروج از سیستم</value>
   </data>
-    <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>ورود با سرور تستی</value>
+    <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>ورود با SSO سازمانی</value>
   </data>
     <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>ورود با Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
index 7d4398b1e9..a69dd76c2b 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@ Après avoir atteint {0}, les connexions supplémentaires auront des fonctions r
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Se connecter avec Apple</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Se connecter avec le serveur de test</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Se connecter avec SSO d'entreprise</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Se connecter avec Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
index bf112627e3..2642fb07ef 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Apple से साइन इन करें</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>टेस्ट सर्वर से साइन इन करें</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>एंटरप्राइज़ SSO से साइन इन करें</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Azure Entra से साइन इन करें</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
index b11d1bbb6c..d6b75c7313 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@ Na het bereiken van {0} zullen extra aanmeldingen verminderde functies hebben.</
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Aanmelden met Apple</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Aanmelden met Testserver</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Aanmelden met Enterprise SSO</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Aanmelden met Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
index 53eebfd675..a7e9e5b40e 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
@@ -633,8 +633,8 @@ After reaching {0}, extra sign-ins will have reduced functions.</value>
     <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Sign in with Apple</value>
   </data>
-    <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Sign in with Test server</value>
+    <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Sign in with Enterprise SSO</value>
   </data>
     <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Sign in with Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
index 6b919c5e34..d8e5d456b2 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@ Efter att ha nått {0} kommer extra inloggningar att ha reducerade funktioner.</
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Logga in med Apple</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>Logga in med Testserver</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>Logga in med Enterprise SSO</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>Logga in med Azure Entra</value>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
index ef93333585..94ba0fb912 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
@@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <!-- +:cnd:noEmit -->
 <root>
   <!-- 
@@ -633,8 +633,8 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>使用 Apple 登录</value>
   </data>
-  <data name="IdentityServerDemoSignInButtonText" xml:space="preserve">
-    <value>使用测试服务器登录</value>
+  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <value>使用企业SSO登录</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
     <value>使用 Azure Entra 登录</value>

From f953aa9ebdabcf79d7f424c0c5cb60e1a8573b44 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 13:01:09 +0100
Subject: [PATCH 2/8] fix

---
 .../.template.config/template.json            |   3 +-
 .../Components/Pages/Authorize.razor          |  12 -
 .../Components/Pages/Authorize.razor.cs       |  70 ----
 .../Components/EnterpriseSsoIcon.razor        |  11 -
 .../ExternalIdentityProviders.razor           |  58 ++++
 ....cs => ExternalIdentityProviders.razor.cs} |   6 +-
 ...s => ExternalIdentityProviders.razor.scss} |   2 +-
 ...utton.razor => ExternalSignInButton.razor} |   2 +-
 .../Identity/Components/KeycloakIcon.razor    |   6 +
 .../Pages/Identity/Components/SocialRow.razor |  58 ----
 .../Pages/Identity/SignIn/SignInPanel.razor   |   2 +-
 .../Identity/SignIn/SignInPanel.razor.cs      |  10 +-
 .../Pages/Identity/SignUp/SignUpPage.razor    |   2 +-
 .../Pages/Identity/SignUp/SignUpPage.razor.cs |   8 +-
 .../Scripts/WebInteropApp.ts                  |  10 +-
 .../Services/ClientAppMessages.cs             |   6 +-
 .../DefaultExternalNavigationService.cs       |   4 +-
 .../Services/SignInModalService.cs            |   2 +-
 .../Platforms/Android/MainActivity.cs         |   2 +-
 .../Services/MauiLocalHttpServer.cs           |   4 +-
 .../wwwroot/web-interop-app.html              |   6 +-
 .../Services/WindowsLocalHttpServer.cs        |   4 +-
 ...s => IdentityController.ExternalSignIn.cs} |  38 ++-
 .../Identity/RoleManagementController.cs      |   2 +-
 .../Controllers/Identity/UserController.cs    |   2 +-
 .../Chatbot/SystemPromptConfiguration.cs      |   2 +-
 .../Extensions/SignInManagerExtensions.cs     |   6 +-
 .../Program.Services.cs                       |  68 ++--
 .../Identity/AppUserClaimsPrincipalFactory.cs |  19 +-
 .../Boilerplate.Server.Api/appsettings.json   |   9 +-
 .../Realms/README.md                          |  41 ++-
 .../Realms/demo-realm.json                    | 317 +++++-------------
 .../ServerSharedSettings.cs                   |   2 +-
 .../ServerWebSettings.cs                      |   2 +-
 .../Boilerplate.Server.Web/appsettings.json   |   7 +-
 .../Identity/IIdentityController.cs           |   4 +-
 .../Bit.Boilerplate/src/Shared/PageUrls.cs    |   2 -
 .../src/Shared/Resources/AppStrings.ar.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.de.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.es.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.fa.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.fr.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.hi.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.nl.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.resx      |   2 +-
 .../src/Shared/Resources/AppStrings.sv.resx   |   2 +-
 .../src/Shared/Resources/AppStrings.zh.resx   |   2 +-
 .../src/Shared/Services/AppClaimTypes.cs      |   7 +-
 48 files changed, 327 insertions(+), 509 deletions(-)
 delete mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor
 delete mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor.cs
 delete mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor
 create mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/{SocialRow.razor.cs => ExternalIdentityProviders.razor.cs} (86%)
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/{SocialRow.razor.scss => ExternalIdentityProviders.razor.scss} (85%)
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/{SocialButton.razor => ExternalSignInButton.razor} (92%)
 create mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/KeycloakIcon.razor
 delete mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/{IdentityController.SocialSignIn.cs => IdentityController.ExternalSignIn.cs} (75%)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/.template.config/template.json b/src/Templates/Boilerplate/Bit.Boilerplate/.template.config/template.json
index 8450bbfd9c..89bc9c641b 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/.template.config/template.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/.template.config/template.json
@@ -233,7 +233,8 @@
             "parameters": {
                 "source": "name",
                 "toLower": true
-            }
+            },
+            "replaces": "boilerplate"
         },
         "nameToAppId": {
             "type": "generated",
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor
deleted file mode 100644
index 4a6c201cff..0000000000
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor
+++ /dev/null
@@ -1,12 +0,0 @@
-@attribute [Authorize]
-
-@* This route is disabled by default. Uncomment and enable it only if necessary,  
-   as it may expose authentication-related endpoints. *@
-@*
-@attribute [Route(Urls.Authorize)]
-@attribute [Route("{culture?}" + Urls.Authorize)]
-*@
-
-@inherits AppComponentBase
-
-<LoadingComponent />
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor.cs
deleted file mode 100644
index d6d097446a..0000000000
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Authorize.razor.cs
+++ /dev/null
@@ -1,70 +0,0 @@
-namespace Boilerplate.Client.Core.Components.Pages;
-
-/// <summary>
-/// If you need an authentication process similar to SSO/OAuth, navigate to /authorize with `client_id`, 
-/// an appropriately encoded `redirect_uri`, and `state`.
-/// 
-/// The user can sign in (or sign up if necessary) using various authentication methods provided by project template, 
-/// such as social sign-in, 2FA, magic link, and OTP. After authentication, the system redirects to the specified app 
-/// with an access token and other relevant authentication details.
-/// 
-/// Example Usage:
-/// Opening:
-///     http://localhost:5030/authorize?client_id=SampleClient&redirect_uri=https://sampleclient.azurewebsites.net/signInCallback&state=/carts
-///     http://localhost:5030/authorize?client_id=NopClient&redirect_uri=https%3A%2F%2Fsampleclient.azurewebsites.net%2FsignInCallback&state=%2Fcarts
-/// 
-/// Redirects to:
-///     https://sampleclient.azurewebsites.net/signInCallback?access_token=di1d98cxh913fh29ufhnfunxw9&token_type=Bearer&expires_in=3600&state=/carts
-///
-/// Note:
-/// This route is **disabled by default** for security reasons.  
-/// To enable it, **uncomment the route definition in the corresponding Razor page** (`@attribute [Route(Urls.Authorize)]`)  
-/// </summary>
-public partial class Authorize
-{
-    [AutoInject] private AuthManager authManager = default!;
-    [AutoInject] private IAuthTokenProvider authTokenProvider = default!;
-
-    [Parameter, SupplyParameterFromQuery(Name = "client_id")] public string? ClientId { get; set; }
-    [Parameter, SupplyParameterFromQuery(Name = "redirect_uri")] public string? RedirectUri { get; set; }
-    [Parameter, SupplyParameterFromQuery(Name = "state")] public string? State { get; set; }
-
-    private Dictionary<string, string[]> clients = new(StringComparer.OrdinalIgnoreCase) // Client configurations; can also be fetched from a server API.
-    {
-        {
-            "SampleClient",
-            [
-                "https://sampleclient.azurewebsites.net/signInCallback"
-            ]
-        }
-    };
-
-    protected override async Task OnAfterFirstRenderAsync()
-    {
-        await base.OnAfterFirstRenderAsync();
-
-        if (clients.TryGetValue(ClientId!, out var clientAllowedRedirectUrls) is false)
-        {
-            NavigationManager.NavigateTo($"{RedirectUri}#error=invalid_missing_client_id&state={Uri.EscapeDataString(State ?? "")}");
-            return;
-        }
-
-        if (clientAllowedRedirectUrls.Any(clientUrl => string.Equals(clientUrl, RedirectUri, StringComparison.InvariantCultureIgnoreCase)) is false)
-        {
-            NavigationManager.NavigateTo($"{RedirectUri}#error=invalid_redirect_uri&state={Uri.EscapeDataString(State ?? "")}");
-            return;
-        }
-
-        // Attempt to refresh the user's authentication token.
-        var accessToken = await authManager.RefreshToken(requestedBy: "AuthorizePage");
-
-        if (string.IsNullOrEmpty(accessToken))
-            return; // If the token is expired, the session is deleted, or the user is logged out, redirecting back to sign-in will occur.
-
-        // Parse the access token and calculate its expiration duration.
-        var token = IAuthTokenProvider.ParseAccessToken(accessToken, validateExpiry: false);
-        var expiresIn = long.Parse(token.FindFirst("exp")!.Value) - long.Parse(token.FindFirst("iat")!.Value);
-
-        NavigationManager.NavigateTo($"{RedirectUri}?access_token={accessToken}&token_type=Bearer&expires_in={expiresIn}&state={Uri.EscapeDataString(State ?? "")}");
-    }
-}
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor
deleted file mode 100644
index 66e9fc6b1c..0000000000
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/EnterpriseSsoIcon.razor
+++ /dev/null
@@ -1,11 +0,0 @@
-@inherits StaticComponent
-
-<svg width="34" height="34" viewBox="0 0 40 40" fill="var(--bit-clr-fg-pri)" xmlns="http://www.w3.org/2000/svg">
-    <path d="M21.5235 15.6968C21.5458 16.6059 21.4453 17.4926 21.2222 18.3573C21.0214 19.222 20.7201 20.0534 20.3185 20.8516C19.9168 21.6276 19.4147 22.3593 18.8121 23.0466C18.2319 23.7117 17.5624 24.2992 16.8037 24.8092C15.2193 25.8734 13.4786 26.4832 11.5819 26.6383C9.68503 26.7713 7.87745 26.4388 6.15914 25.6406C5.33346 25.2415 4.56357 24.7538 3.84946 24.1773C3.15768 23.5787 2.54399 22.9135 2.00841 22.1819C1.49515 21.4502 1.05999 20.6632 0.702945 19.8206C0.368209 18.956 0.156205 18.0692 0.0669474 17.1601C0.0446373 16.9827 0.0223101 16.8164 0 16.6612C0 16.4838 0 16.3065 0 16.1291V15.6968V2.06144C0 1.48498 0.200841 0.99722 0.602524 0.598137C1.00421 0.199054 1.49515 -0.000488281 2.07536 -0.000488281C2.65558 -0.000488281 3.14652 0.199054 3.5482 0.598137C3.94988 0.99722 4.15072 1.48498 4.15072 2.06144V7.54883V7.51557C5.28883 6.67306 6.53851 6.06336 7.89976 5.68644C9.28334 5.28736 10.6893 5.1765 12.1174 5.35387C13.5233 5.53125 14.8511 5.97466 16.1008 6.68415C17.3505 7.37146 18.4105 8.28048 19.2808 9.41122C19.9725 10.3203 20.5081 11.318 20.8875 12.4043C21.2669 13.4686 21.4788 14.566 21.5235 15.6968ZM16.2012 19.7209C17.0938 18.4792 17.4844 17.0824 17.3728 15.5305C17.3281 14.7102 17.1273 13.9342 16.7703 13.2025C16.4133 12.4487 15.9446 11.7836 15.3644 11.2071C15.0743 10.941 14.7618 10.7082 14.4271 10.5087C14.1146 10.3092 13.7799 10.1208 13.4229 9.94333C12.5749 9.56641 11.6935 9.37796 10.7785 9.37796C9.86354 9.37796 8.98208 9.55534 8.13408 9.91007C7.28608 10.287 6.54966 10.808 5.92482 11.4731C5.29999 12.1383 4.83136 12.8921 4.51893 13.7346C4.11725 14.8654 4.02799 16.0182 4.25114 17.1933C4.49662 18.3685 5.00987 19.4104 5.79093 20.3195C6.39345 21.029 7.10756 21.5611 7.93324 21.9158C8.13408 22.0267 8.33492 22.1265 8.53576 22.2151C8.75891 22.3038 8.98208 22.3926 9.20523 22.4812C9.0267 22.4147 8.84819 22.3482 8.66966 22.2816C8.49113 22.193 8.31261 22.1042 8.13408 22.0156C9.53997 22.6363 10.9905 22.7361 12.4856 22.3149C13.2443 22.1154 13.9362 21.7939 14.561 21.3504C15.2082 20.907 15.7548 20.3639 16.2012 19.7209Z" />
-    <path d="M28.7879 12.5904C28.7879 11.7897 27.9262 11.1406 26.8632 11.1406C25.8002 11.1406 24.9385 11.7897 24.9385 12.5904V25.1553C24.9385 25.956 25.8002 26.6051 26.8632 26.6051C27.9262 26.6051 28.7879 25.956 28.7879 25.1553V12.5904Z" />
-    <path d="M26.8632 9.14535C27.9262 9.14535 28.7879 8.28919 28.7879 7.23307C28.7879 6.17695 27.9262 5.3208 26.8632 5.3208C25.8002 5.3208 24.9385 6.17695 24.9385 7.23307C24.9385 8.28919 25.8002 9.14535 26.8632 9.14535Z" />
-    <path d="M36.6534 6.91713C36.6534 6.0355 35.8666 5.3208 34.896 5.3208C33.9255 5.3208 33.1387 6.0355 33.1387 6.91713V25.0089C33.1387 25.8905 33.9255 26.6052 34.896 26.6052C35.8666 26.6052 36.6534 25.8905 36.6534 25.0089V6.91713Z" />
-    <path d="M37.9917 11.1738H31.9664C30.8572 11.1738 29.958 11.9555 29.958 12.9198C29.958 13.8841 30.8572 14.6658 31.9664 14.6658H37.9917C39.1009 14.6658 40.0001 13.8841 40.0001 12.9198C40.0001 11.9555 39.1009 11.1738 37.9917 11.1738Z" />
-</svg>
-
-
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor
new file mode 100644
index 0000000000..1c1d56338f
--- /dev/null
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor
@@ -0,0 +1,58 @@
+@inherits AppComponentBase
+
+<section>
+    <BitStack Horizontal>
+        @if (isLoadingProviders)
+        {
+            @for (int i = 0; i < 4; i++)
+            {
+                <BitShimmer Height="60px" Width="60px" Shape="BitShimmerShape.Rectangle" Background="BitColor.SecondaryBackground" />
+            }
+        }
+        else
+        {
+            @if (supportedProviders.Contains("Keycloak"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleKeycloak)" Title="@Localizer[AppStrings.KeycloakSignInButtonText]">
+                    <KeycloakIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("Google"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleGoogle)" Title="@Localizer[AppStrings.GoogleSignInButtonText]">
+                    <GoogleIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("GitHub"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleGitHub)" Title="@Localizer[AppStrings.GitHubSignInButtonText]">
+                    <GitHubIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("Twitter"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleTwitter)" Title="@Localizer[AppStrings.TwitterSignInButtonText]">
+                    <TwitterIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("Apple"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleApple)" Title="@Localizer[AppStrings.AppleSignInButtonText]">
+                    <AppleIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("AzureAD"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleAzureAD)" Title="@Localizer[AppStrings.AzureEntraSignInButtonText]">
+                    <AzureEntraIcon />
+                </ExternalSignInButton>
+            }
+            @if (supportedProviders.Contains("Facebook"))
+            {
+                <ExternalSignInButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleFacebook)" Title="@Localizer[AppStrings.FacebookSignInButtonText]">
+                    <FacebookIcon />
+                </ExternalSignInButton>
+            }
+        }
+    </BitStack>
+</section>
\ No newline at end of file
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.cs
similarity index 86%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.cs
index aef2bdb870..3bdbc2d48a 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.cs
@@ -2,7 +2,7 @@
 
 namespace Boilerplate.Client.Core.Components.Pages.Identity.Components;
 
-public partial class SocialRow
+public partial class ExternalIdentityProviders
 {
     private bool isLoadingProviders = true;
     private string[] supportedProviders = [];
@@ -18,7 +18,7 @@ protected override async Task OnInitAsync()
     {
         try
         {
-            var providers = await IdentityController.GetSupportedSocialAuthSchemes(CurrentCancellationToken);
+            var providers = await IdentityController.GetSupportedExternalAuthSchemes(CurrentCancellationToken);
             supportedProviders = providers;
         }
         finally
@@ -33,5 +33,5 @@ protected override async Task OnInitAsync()
     private async Task HandleApple() => await OnClick.InvokeAsync("Apple");
     private async Task HandleAzureAD() => await OnClick.InvokeAsync("AzureAD");
     private async Task HandleFacebook() => await OnClick.InvokeAsync("Facebook");
-    private async Task HandleEnterpriseSso() => await OnClick.InvokeAsync("EnterpriseSso");
+    private async Task HandleKeycloak() => await OnClick.InvokeAsync("Keycloak");
 }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.scss b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.scss
similarity index 85%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.scss
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.scss
index 67cc43d478..f5b42cc39d 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor.scss
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalIdentityProviders.razor.scss
@@ -3,7 +3,7 @@ section {
 }
 
 ::deep {
-    .social-button {
+    .external-sign-in-button {
         width: 60px;
         height: 60px;
         display: flex;
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialButton.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalSignInButton.razor
similarity index 92%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialButton.razor
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalSignInButton.razor
index f22d4cdb2b..91c7a90590 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialButton.razor
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/ExternalSignInButton.razor
@@ -10,7 +10,7 @@
            OnClick="OnClick"
            Size="BitSize.Small"
            IsEnabled="IsWaiting is false"
-           Class="social-button"
+           Class="external-sign-in-button"
            Variant="BitVariant.Fill"
            ButtonType="BitButtonType.Button"
            Color="BitColor.SecondaryBackground">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/KeycloakIcon.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/KeycloakIcon.razor
new file mode 100644
index 0000000000..e96a232eae
--- /dev/null
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/KeycloakIcon.razor
@@ -0,0 +1,6 @@
+@inherits StaticComponent
+
+<svg xmlns="http://www.w3.org/2000/svg" width="34" height="34" viewBox="0 0 24 24" fill="var(--bit-clr-fg-pri)">
+    <path fill="var(--bit-clr-fg-pri)" d="m18.742 1.182l-12.493.002C4.155 4.784 2.079 8.393 0 12.002c2.071 3.612 4.162 7.214 6.252 10.816l12.49-.004l3.089-5.404h2.158v-.002H24L23.996 6.59h-2.168zM8.327 4.792h2.081l1.04 1.8l-3.12 5.413l3.117 5.403l-1.035 1.81H8.327a2048 2048 0 0 0-4.168-7.204zm6.241 0l2.086.003q2.088 3.608 4.166 7.222l-4.167 7.2h-2.08c-.382-.562-1.038-1.808-1.038-1.808l3.123-5.405l-3.124-5.413z" />
+</svg>
+
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
deleted file mode 100644
index cf213b2137..0000000000
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/Components/SocialRow.razor
+++ /dev/null
@@ -1,58 +0,0 @@
-@inherits AppComponentBase
-
-<section>
-    <BitStack Horizontal>
-        @if (isLoadingProviders)
-        {
-            @for (int i = 0; i < 4; i++)
-            {
-                <BitShimmer Height="60px" Width="60px" Shape="BitShimmerShape.Rectangle" Background="BitColor.SecondaryBackground" />
-            }
-        }
-        else
-        {
-            @if (supportedProviders.Contains("EnterpriseSso"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleEnterpriseSso)" Title="@Localizer[AppStrings.EnterpriseSsoSignInButtonText]">
-                    <EnterpriseSsoIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("Google"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleGoogle)" Title="@Localizer[AppStrings.GoogleSignInButtonText]">
-                    <GoogleIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("GitHub"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleGitHub)" Title="@Localizer[AppStrings.GitHubSignInButtonText]">
-                    <GitHubIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("Twitter"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleTwitter)" Title="@Localizer[AppStrings.TwitterSignInButtonText]">
-                    <TwitterIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("Apple"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleApple)" Title="@Localizer[AppStrings.AppleSignInButtonText]">
-                    <AppleIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("AzureAD"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleAzureAD)" Title="@Localizer[AppStrings.AzureEntraSignInButtonText]">
-                    <AzureEntraIcon />
-                </SocialButton>
-            }
-            @if (supportedProviders.Contains("Facebook"))
-            {
-                <SocialButton IsWaiting="IsWaiting" OnClick="WrapHandled(HandleFacebook)" Title="@Localizer[AppStrings.FacebookSignInButtonText]">
-                    <FacebookIcon />
-                </SocialButton>
-            }
-        }
-    </BitStack>
-</section>
\ No newline at end of file
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor
index a2ef195b85..648e491bd6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor
@@ -25,7 +25,7 @@
                                 </BitText>
                             </BitStack>
 
-                            <SocialRow IsWaiting="isWaiting" OnClick="SocialSignIn" />
+                            <ExternalIdentityProviders IsWaiting="isWaiting" OnClick="ExternalSignIn" />
 
                             <BitSeparator Border="BitColorKind.Tertiary" Background="BitColorKind.Secondary" Class="lg-sep">@Localizer[AppStrings.Or]</BitSeparator>
                             <BitSeparator Border="BitColorKind.Secondary" Background="BitColorKind.Primary" Class="sm-sep">@Localizer[AppStrings.Or]</BitSeparator>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor.cs
index 56a08d128a..59b09158d2 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignIn/SignInPanel.razor.cs
@@ -107,7 +107,7 @@ private async Task DoSignIn()
         isWaiting = true;
         successfulSignIn = false;
 
-        await InvokeAsync(StateHasChanged); // Social sign-in callback will eventually call this method, so we need to update the UI immediately. See ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK references.
+        await InvokeAsync(StateHasChanged); // External sign-in callback will eventually call this method, so we need to update the UI immediately. See ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK references.
 
         try
         {
@@ -202,16 +202,16 @@ private async Task DoSignIn()
         finally
         {
             isWaiting = false;
-            await InvokeAsync(StateHasChanged); // Social sign-in callback will eventually call this method, so we need to update the UI immediately. See ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK references.
+            await InvokeAsync(StateHasChanged); // External sign-in callback will eventually call this method, so we need to update the UI immediately. See ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK references.
         }
     }
 
-    private async Task SocialSignIn(string provider)
+    private async Task ExternalSignIn(string provider)
     {
         try
         {
             pubSubUnsubscribe?.Invoke();
-            pubSubUnsubscribe = PubSubService.Subscribe(ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK, async (uriString) =>
+            pubSubUnsubscribe = PubSubService.Subscribe(ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK, async (uriString) =>
             {
                 // Check out SignInModalService for more details
                 var uri = uriString!.ToString();
@@ -245,7 +245,7 @@ private async Task SocialSignIn(string provider)
 
             var port = localHttpServer.EnsureStarted();
 
-            var redirectUrl = await identityController.GetSocialSignInUri(provider, GetReturnUrl(), port is -1 ? null : port, CurrentCancellationToken);
+            var redirectUrl = await identityController.GetExternalSignInUri(provider, GetReturnUrl(), port is -1 ? null : port, CurrentCancellationToken);
 
             await externalNavigationService.NavigateTo(redirectUrl);
         }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor
index 4f92cfac55..d807ae41e8 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor
@@ -17,7 +17,7 @@
                 </BitText>
             </BitStack>
 
-            <SocialRow IsWaiting="isWaiting" OnClick="SocialSignUp" />
+            <ExternalIdentityProviders IsWaiting="isWaiting" OnClick="ExternalSignUp" />
 
             <BitSeparator Border="BitColorKind.Tertiary" Background="BitColorKind.Secondary" Class="lg-sep">@Localizer[AppStrings.Or]</BitSeparator>
             <BitSeparator Border="BitColorKind.Secondary" Background="BitColorKind.Primary" Class="sm-sep">@Localizer[AppStrings.Or]</BitSeparator>
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor.cs
index f373100136..6ba1f2b6e6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Components/Pages/Identity/SignUp/SignUpPage.razor.cs
@@ -86,19 +86,19 @@ private void NavigateToConfirmPage()
         NavigationManager.NavigateTo(confirmUrl, replace: true);
     }
 
-    private async Task SocialSignUp(string provider)
+    private async Task ExternalSignUp(string provider)
     {
         try
         {
-            pubSubUnsubscribe = PubSubService.Subscribe(ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK, async (uriString) =>
+            pubSubUnsubscribe = PubSubService.Subscribe(ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK, async (uriString) =>
             {
-                // Social sign-in creates a new user automatically, so we only need to navigate to the sign-in page to automatically sign-in the user by provided OTP.
+                // External sign-in creates a new user automatically, so we only need to navigate to the sign-in page to automatically sign-in the user by provided OTP.
                 NavigationManager.NavigateTo(uriString!.ToString()!, replace: true);
             });
 
             var port = localHttpServer.EnsureStarted();
 
-            var redirectUrl = await identityController.GetSocialSignInUri(provider, ReturnUrlQueryString, port is -1 ? null : port, CurrentCancellationToken);
+            var redirectUrl = await identityController.GetExternalSignInUri(provider, ReturnUrlQueryString, port is -1 ? null : port, CurrentCancellationToken);
 
             await externalNavigationService.NavigateTo(redirectUrl);
         }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebInteropApp.ts b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebInteropApp.ts
index d00783a2b3..21c06baa99 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebInteropApp.ts
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Scripts/WebInteropApp.ts
@@ -10,8 +10,8 @@ export class WebInteropApp {
             const action = urlParams.get('actionName');
 
             switch (action) {
-                case 'SocialSignInCallback':
-                    await WebInteropApp.socialSignInCallback();
+                case 'ExternalSignInCallback':
+                    await WebInteropApp.externalSignInCallback();
                     break;
                 case 'GetWebAuthnCredential':
                     await WebInteropApp.getWebAuthnCredential();
@@ -43,7 +43,7 @@ export class WebInteropApp {
         }
     }
 
-    private static async socialSignInCallback() {
+    private static async externalSignInCallback() {
         const urlParams = new URLSearchParams(location.search);
         const urlToOpen = urlParams.get('url')!.toString();
         const localHttpPort = urlParams.get('localHttpPort')?.toString();
@@ -64,7 +64,7 @@ export class WebInteropApp {
         if (!localHttpPort) {
             // Blazor WebAssembly, Auto or Server:
             if (window.opener) {
-                window.opener.postMessage({ key: 'PUBLISH_MESSAGE', message: 'SOCIAL_SIGN_IN_CALLBACK', payload: urlToOpen });
+                window.opener.postMessage({ key: 'PUBLISH_MESSAGE', message: 'EXTERNAL_SIGN_IN_CALLBACK', payload: urlToOpen });
             }
             else {
                 WebInteropApp.autoClose = false;
@@ -74,7 +74,7 @@ export class WebInteropApp {
         }
 
         // Blazor Hybrid:
-        await fetch(`http://localhost:${localHttpPort}/api/SocialSignInCallback?urlToOpen=${encodeURIComponent(urlToOpen)}`, {
+        await fetch(`http://localhost:${localHttpPort}/api/ExternalSignInCallback?urlToOpen=${encodeURIComponent(urlToOpen)}`, {
             method: 'POST',
             credentials: 'omit'
         });
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/ClientAppMessages.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/ClientAppMessages.cs
index 137fd39827..be2ba58feb 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/ClientAppMessages.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/ClientAppMessages.cs
@@ -112,8 +112,8 @@ public partial class ClientAppMessages
     //#endif
 
     /// <summary>
-    /// A publisher that publishes this message notifies that the user's social sign-in process has completed.
-    /// When a user completes social sign-in in a separate window, this message is published to notify the app.
+    /// A publisher that publishes this message notifies that the user's external sign-in process has completed.
+    /// When a user completes external sign-in in a separate window, this message is published to notify the app.
     /// </summary>
-    public const string SOCIAL_SIGN_IN_CALLBACK = nameof(SOCIAL_SIGN_IN_CALLBACK);
+    public const string EXTERNAL_SIGN_IN_CALLBACK = nameof(EXTERNAL_SIGN_IN_CALLBACK);
 }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/DefaultExternalNavigationService.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/DefaultExternalNavigationService.cs
index 3a008c12bb..6f66402c17 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/DefaultExternalNavigationService.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/DefaultExternalNavigationService.cs
@@ -36,11 +36,11 @@ public async Task NavigateTo(string url)
         else
         {
             pubSubUnsubscribe?.Invoke();
-            pubSubUnsubscribe = pubSubService.Subscribe(ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK, async _ =>
+            pubSubUnsubscribe = pubSubService.Subscribe(ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK, async _ =>
             {
                 if (lastOpenedWindowId != null)
                 {
-                    await window.Close(lastOpenedWindowId); // It's time to close the social sign-in popup / tab.
+                    await window.Close(lastOpenedWindowId); // It's time to close the external sign-in popup / tab.
                 }
             });
         }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/SignInModalService.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/SignInModalService.cs
index 5dc98039ff..eaeee5c6e0 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/SignInModalService.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Core/Services/SignInModalService.cs
@@ -5,7 +5,7 @@
 namespace Boilerplate.Client.Core.Services;
 
 /// <summary>
-/// When users opt for social sign-in, they are seamlessly authenticated, whether they are new or returning users.
+/// When users opt for external sign-in, they are seamlessly authenticated, whether they are new or returning users.
 /// To provide a similarly streamlined experience for email/password sign-in, this service displays a modal dialog, enabling users to log in quickly without leaving the current page.
 /// For optimal use of this service, it is recommended to remove the sign-up page and its associated links from the project entirely.
 /// Optionally, you may also eliminate the password field from the sign-in form to allow users to authenticate solely via phone/OTP or email/magic-link.
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Platforms/Android/MainActivity.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Platforms/Android/MainActivity.cs
index 7796d5aacf..76414fafa4 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Platforms/Android/MainActivity.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Platforms/Android/MainActivity.cs
@@ -20,7 +20,7 @@ namespace Boilerplate.Client.Maui.Platforms.Android;
                         DataPathPrefixes = [
                             "/en-US", "/en-GB", "/nl-NL", "/fa-IR", "sv-SE", "hi-IN", "zh-CN", "es-ES", "fr-FR", "ar-SA", "de-DE",
                             PageUrls.Confirm, PageUrls.ForgotPassword, PageUrls.Settings, PageUrls.ResetPassword, PageUrls.SignIn,
-                            PageUrls.SignUp, PageUrls.NotAuthorized, PageUrls.NotFound, PageUrls.Terms, PageUrls.About, PageUrls.Authorize,
+                            PageUrls.SignUp, PageUrls.NotAuthorized, PageUrls.NotFound, PageUrls.Terms, PageUrls.About,
                             PageUrls.Roles, PageUrls.Users,
                             //#if (module == "Admin")
                             PageUrls.AddOrEditProduct, PageUrls.Categories, PageUrls.Dashboard, PageUrls.Products,
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Services/MauiLocalHttpServer.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Services/MauiLocalHttpServer.cs
index f55aab1345..c8562d6563 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Services/MauiLocalHttpServer.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Maui/Services/MauiLocalHttpServer.cs
@@ -66,14 +66,14 @@ await MainThread.InvokeOnMainThreadAsync(() =>
             .WithUrlPrefix($"http://localhost:{port}")
             .WithMode(AppPlatform.IsWindows ? HttpListenerMode.Microsoft : HttpListenerMode.EmbedIO))
             .WithCors()
-            .WithModule(new ActionModule("/api/SocialSignInCallback", HttpVerbs.Post, async ctx =>
+            .WithModule(new ActionModule("/api/ExternalSignInCallback", HttpVerbs.Post, async ctx =>
             {
                 try
                 {
                     await MainThread.InvokeOnMainThreadAsync(() =>
                     {
                         var urlToOpen = ctx.Request.QueryString["urlToOpen"];
-                        pubSubService.Publish(ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK, urlToOpen);
+                        pubSubService.Publish(ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK, urlToOpen);
                     });
                 }
                 finally
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Web/wwwroot/web-interop-app.html b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Web/wwwroot/web-interop-app.html
index f515d03d51..46f51469f3 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Web/wwwroot/web-interop-app.html
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Web/wwwroot/web-interop-app.html
@@ -1,12 +1,12 @@
 <!-- Most web features like animations, videos, or Google reCAPTCHA work fine in Blazor Hybrid.
 However, since Blazor Hybrid uses Web View with an IP-based Origin (http://0.0.0.1)
-more sensitive features like Social Sign-in and Face-ID/Fingerprint Sign-in using WebAuthn do not function properly in Web View.
+more sensitive features like External Sign-in and Face-ID/Fingerprint Sign-in using WebAuthn do not function properly in Web View.
 To address this, within a Blazor Hybrid App, you can use a Local HTTP Server to load a lightweight WebInteropApp component that
 only loads app.js (without Blazor.web.js) on an Origin like localhost.
 Then, using IExternalNavigationService, you can display it via an In-App Browser to bypass Web View limitations.
 
-Additionally, in a Web Browser, if Social Sign-in is performed in a Popup or a new Tab to preserve the app's
-state and avoid restarting Blazor upon returning from Social Sign-in, the Popup should redirect back to WebInteropApp
+Additionally, in a Web Browser, if External Sign-in is performed in a Popup or a new Tab to preserve the app's
+state and avoid restarting Blazor upon returning from External Sign-in, the Popup should redirect back to WebInteropApp
 after authentication. Using app.js, it can notify the main Window via window.opener.postMessage({ key: 'PUBLISH_MESSAGE', ... }),
 allowing the main Window to resume its operations.
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Windows/Services/WindowsLocalHttpServer.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Windows/Services/WindowsLocalHttpServer.cs
index 1eabffb383..1c1672056a 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Windows/Services/WindowsLocalHttpServer.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Client/Boilerplate.Client.Windows/Services/WindowsLocalHttpServer.cs
@@ -51,14 +51,14 @@ async Task GoBackToApp()
             .WithUrlPrefix($"http://localhost:{port}")
             .WithMode(HttpListenerMode.Microsoft))
             .WithCors()
-            .WithModule(new ActionModule("/api/SocialSignInCallback", HttpVerbs.Post, async ctx =>
+            .WithModule(new ActionModule("/api/ExternalSignInCallback", HttpVerbs.Post, async ctx =>
             {
                 try
                 {
                     await Application.OpenForms[0]!.InvokeAsync(async (_) =>
                     {
                         var urlToOpen = ctx.Request.QueryString["urlToOpen"];
-                        pubSubService.Publish(ClientAppMessages.SOCIAL_SIGN_IN_CALLBACK, urlToOpen);
+                        pubSubService.Publish(ClientAppMessages.EXTERNAL_SIGN_IN_CALLBACK, urlToOpen);
                     });
                 }
                 finally
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.ExternalSignIn.cs
similarity index 75%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.ExternalSignIn.cs
index d079fb6bc6..8a1c7822b2 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.ExternalSignIn.cs
@@ -11,25 +11,25 @@ public partial class IdentityController
 
     [HttpGet]
     [AppResponseCache(SharedMaxAge = 3600 * 24 * 7, MaxAge = 60 * 5)]
-    public async Task<string> GetSocialSignInUri(string provider, string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default)
+    public async Task<string> GetExternalSignInUri(string provider, string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default)
     {
-        var uri = Url.Action(nameof(SocialSignIn), new { provider, returnUrl, localHttpPort, origin = Request.GetWebAppUrl() })!;
+        var uri = Url.Action(nameof(ExternalSignIn), new { provider, returnUrl, localHttpPort, origin = Request.GetWebAppUrl() })!;
         return new Uri(Request.GetBaseUrl(), uri).ToString();
     }
 
     [HttpGet]
-    public async Task<ActionResult> SocialSignIn(string provider,
+    public async Task<ActionResult> ExternalSignIn(string provider,
         string? returnUrl = null, /* Specifies the relative page address to navigate to after completion. */
-        int? localHttpPort = null, /* Defines the local HTTP server port awaiting the social sign-in result on Windows/macOS/iOS versions of the app. */
+        int? localHttpPort = null, /* Defines the local HTTP server port awaiting the external sign-in result on Windows/macOS/iOS versions of the app. */
         [FromQuery] string? origin = null /* Indicates the base address URL for redirection after the process completes. */ )
     {
-        var redirectUrl = Url.Action(nameof(SocialSignInCallback), "Identity", new { returnUrl, localHttpPort, origin });
+        var redirectUrl = Url.Action(nameof(ExternalSignInCallback), "Identity", new { returnUrl, localHttpPort, origin });
         var properties = signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
         return new ChallengeResult(provider, properties);
     }
 
     [HttpGet]
-    public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default)
+    public async Task<ActionResult> ExternalSignInCallback(string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default)
     {
         string? signInPageUri;
         ExternalLoginInfo? info = null;
@@ -70,7 +70,18 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
                     await userPhoneNumberStore.SetPhoneNumberAsync(user, phoneNumber!, cancellationToken);
                 }
 
-                await userManager.CreateUserWithDemoRole(user);
+                if (info.LoginProvider is "Keycloak")
+                {
+                    // Roles are supposed to be managed through the key cloack provider.
+                    // The same decision can be made for other providers as well (e.g. AzureAD), if they support roles/claims management.
+                    await userManager.CreateAsync(user);
+                }
+                else
+                {
+                    // External sign-in providers like Google, Facebook, Twitter etc. are typically used for consumer sign-ups.
+                    // Therefore, we assign a role to these users by default.
+                    await userManager.CreateUserWithDemoRole(user);
+                }
 
                 await userManager.AddLoginAsync(user, info);
             }
@@ -89,9 +100,14 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
 
             // Using these tokens (if provided by external provider) for further API calls to the provider on behalf of the user.
             // Example: Getting more profile data from the provider, posting on behalf of the user or getting user claims updates, etc.
-            var accessToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "access_token")?.Value;
+            var idToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "id_token")?.Value;
             var refreshToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "refresh_token")?.Value;
+            var accessToken = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "access_token")?.Value;
             var expiresAt = info.AuthenticationTokens?.FirstOrDefault(t => t.Name == "expires_at")?.Value;
+            if (string.IsNullOrEmpty(idToken) is false)
+            {
+                await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "id_token", idToken);
+            }
             if (string.IsNullOrEmpty(refreshToken) is false)
             {
                 await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "refresh_token", refreshToken);
@@ -105,7 +121,7 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
                 await userManager.SetAuthenticationTokenAsync(user, info.LoginProvider, "expires_at", expiresAt);
             }
 
-            (_, signInPageUri) = await GenerateAutomaticSignInLink(user, returnUrl, originalAuthenticationMethod: "Social"); // Sign in with a magic link, and 2FA will be prompted if already enabled.
+            (_, signInPageUri) = await GenerateAutomaticSignInLink(user, returnUrl, originalAuthenticationMethod: "External"); // Sign in with a magic link, and 2FA will be prompted if already enabled.
         }
         catch (Exception exp)
         {
@@ -117,7 +133,7 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
             await Request.HttpContext.SignOutAsync(IdentityConstants.ExternalScheme); // We'll handle sign-in with the following redirects, so no external identity cookie is needed.
         }
 
-        var redirectRelativeUrl = $"{PageUrls.WebInteropApp}?actionName=SocialSignInCallback&url={Uri.EscapeDataString(signInPageUri!)}&localHttpPort={localHttpPort}";
+        var redirectRelativeUrl = $"{PageUrls.WebInteropApp}?actionName=ExternalSignInCallback&url={Uri.EscapeDataString(signInPageUri!)}&localHttpPort={localHttpPort}";
 
         if (localHttpPort is not null)
             return Redirect(new Uri(new Uri($"http://localhost:{localHttpPort}"), redirectRelativeUrl).ToString()); // Check out Client.web/wwwroot/web-interop-app.html's comments.
@@ -127,7 +143,7 @@ public async Task<ActionResult> SocialSignInCallback(string? returnUrl = null, i
 
     [HttpGet]
     [AppResponseCache(SharedMaxAge = 3600 * 24 * 7, MaxAge = 60 * 5)]
-    public async Task<string[]> GetSupportedSocialAuthSchemes(CancellationToken cancellationToken = default)
+    public async Task<string[]> GetSupportedExternalAuthSchemes(CancellationToken cancellationToken = default)
     {
         var schemes = await authenticationSchemeProvider.GetAllSchemesAsync();
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/RoleManagementController.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/RoleManagementController.cs
index aa54093f2b..ca44415c23 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/RoleManagementController.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/RoleManagementController.cs
@@ -40,7 +40,7 @@ public IQueryable<RoleDto> GetAllRoles()
     public IQueryable<UserDto> GetAllUsers()
     {
         return userManager.Users
-                          .Where(u => u.EmailConfirmed || u.PhoneNumberConfirmed || u.Logins.Any() /*Social sign-in*/)
+                          .Where(u => u.EmailConfirmed || u.PhoneNumberConfirmed || u.Logins.Any() /*External sign-in*/)
                           .Project();
     }
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.cs
index 1d168461ea..9a73c396c6 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Controllers/Identity/UserController.cs
@@ -422,7 +422,7 @@ public async Task SendElevatedAccessToken(CancellationToken cancellationToken)
             sendMessagesTasks.Add(phoneService.SendSms(smsMessage, user.PhoneNumber!));
         }
 
-        if (user.TwoFactorEnabled || (user.EmailConfirmed is false && user.PhoneNumberConfirmed is false /* Users signed-in through social sign-in */))
+        if (user.TwoFactorEnabled || (user.EmailConfirmed is false && user.PhoneNumberConfirmed is false /* Users signed-in through external sign-in */))
         {
             //#if (signalR == true)
             // Check out AppHub's comments for more info.
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Data/Configurations/Chatbot/SystemPromptConfiguration.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Data/Configurations/Chatbot/SystemPromptConfiguration.cs
index 9e293ed760..ca1a4fa2da 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Data/Configurations/Chatbot/SystemPromptConfiguration.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Data/Configurations/Chatbot/SystemPromptConfiguration.cs
@@ -40,7 +40,7 @@ private static string GetInitialSystemPromptMarkdown()
 These features cover user sign-up, sign-in, account recovery, and security settings.
 
 ### 1.1. Sign Up
-*   **Description:** Allows new users to create an account. Users can sign up using their email address, phone number, or via social providers.
+*   **Description:** Allows new users to create an account. Users can sign up using their email address, phone number, or via external identity providers.
 *   **How to Use:**
     - Navigate to the [Sign Up page](/sign-up).
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Extensions/SignInManagerExtensions.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Extensions/SignInManagerExtensions.cs
index be002fcf35..14f026c523 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Extensions/SignInManagerExtensions.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Extensions/SignInManagerExtensions.cs
@@ -14,11 +14,11 @@ public static partial class SignInManagerExtensions
     /// 2. When the user chooses to sign in using a 6-digit code sent via email, typically within a magic link.
     /// 3. After a successful email confirmation after sign-up, to automatically sign in the confirmed user for an improved user experience.
     /// 4. After a successful phone number confirmation after sign-up, to automatically sign in the confirmed user for a smoother user experience.
-    /// 5. When the browser is redirected to a magic link created after a social sign-in, to automatically authenticate the user.
+    /// 5. When the browser is redirected to a magic link created after a external sign-in, to automatically authenticate the user.
     /// 6. When the user opts to sign in using a 6-digit code delivered via native push notification, web push or SignalR message (if configured).
     /// 7. When the system opts to sign in the user using a 6-digit code generated after a successful WebAuthn process.
     /// 
-    /// It's important to clarify the authentication method (e.g., Social, Email, SMS, Push, Social, or WebAuth) 
+    /// It's important to clarify the authentication method (e.g., External, Email, SMS, Push, or WebAuth) 
     /// to avoid sending a second step to the same communication channel: For successful two-step authentication, the user must use a different method for the second step.
     /// </summary>
 
@@ -45,7 +45,7 @@ public static partial class SignInManagerExtensions
             //#if (notification == true || signalR == true)
             "Push", // => Native push notification, web push or SignalR message.
             //#endif
-            "Social",
+            "External",
             "WebAuthn"
         ];
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
index 571e5202a2..be70a9de65 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
@@ -642,53 +642,41 @@ private static void AddIdentity(WebApplicationBuilder builder)
         }
 
         // While Google, GitHub, Twitter(X), Apple and AzureAD needs configuration in their corresponding developer portals,
-        // the following OpenID Connect configuration would connect to your own Keycloak, Auth0, Okta, Duende IdentityServer, etc.
-        // It has been enabled only for dev environment, until you prepare your own production ready Keycloak server.
-        if (builder.Environment.IsDevelopment())
+        // the following OpenID Connect configuration would connect to your own Keycloak.
+        authenticationBuilder.AddOpenIdConnect("Keycloak", options =>
         {
-            authenticationBuilder.AddOpenIdConnect("EnterpriseSso", options =>
-            {
-                configuration.GetRequiredSection("Authentication:EnterpriseSso").Bind(options);
+            configuration.GetRequiredSection("Authentication:Keycloak").Bind(options);
 
-                var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"]; // Boilerplate.Server.AppHost (Aspire) would pass this value automatically,
-                                                                      // you could also use your own Keycloak URL here.
-                if (string.IsNullOrEmpty(keycloakBaseUrl) is false)
-                {
-                    // The user would sign-in using Keycloak, just like other providers such as Google.
-                    // IdentityController.SocialSignIn's SocialSignInCallback would store refresh token provided by Keycloak
-                    // Laster, AppUserClaimsPrincipalFactory would use the refresh token to retrieve claims (roles etc) from Keycloak.
-                    // This allows seamless integration with Keycloak, that way you could manage users, roles and claims from Keycloak admin console.
-                    // Checkout src/Server/Boilerplate.Server.AppHost/Realms/README.md for more information.
-                    options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/demo";
-                }
-                else
-                {
-                    // If no configuration found, use public demo Duende IdentityServer (No license required)
-                    options.Authority = "https://demo.duendesoftware.com";
-                }
+            var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"] 
+                ?? configuration["Authentication:Keycloak:KeycloakUrl"]
+                ?? throw new InvalidOperationException("KEYCLOAK_HTTP or Authentication:Keycloak:KeycloakUrl configuration is required");
 
-                options.ResponseType = "code";
-                options.ResponseMode = "query";
+            // The user would sign-in using Keycloak, just like other providers such as Google.
+            // IdentityController.ExternalSignIn's ExternalSignInCallback would store refresh token provided by Keycloak
+            // Laster, AppUserClaimsPrincipalFactory would use the refresh token to retrieve claims (roles etc) from Keycloak.
+            // This allows seamless integration with Keycloak, that way you could manage users, roles and claims from Keycloak admin console.
+            // Checkout src/Server/Boilerplate.Server.AppHost/Realms/README.md for more information.
+            options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/demo";
 
-                options.Scope.Clear();
-                options.Scope.Add("openid");
-                options.Scope.Add("profile");
-                options.Scope.Add("email");
-                options.Scope.Add("offline_access"); // To get refresh tokens
-                options.Scope.Add("api"); // Sample API scope
+            options.ResponseType = "code";
+            options.ResponseMode = "query";
 
-                options.MapInboundClaims = true;
-                options.GetClaimsFromUserInfoEndpoint = true;
-                options.SaveTokens = true;
+            options.Scope.Clear();
+            options.Scope.Add("openid");
+            options.Scope.Add("profile");
+            options.Scope.Add("email");
+            options.Scope.Add("offline_access"); // To get refresh tokens
 
-                options.Prompt = "login"; // Force login every time
+            options.MapInboundClaims = true;
+            options.SaveTokens = true;
 
-                if (env.IsDevelopment())
-                {
-                    options.RequireHttpsMetadata = false;
-                }
-            });
-        }
+            options.Prompt = "login"; // Force login every time
+
+            if (env.IsDevelopment())
+            {
+                options.RequireHttpsMetadata = false;
+            }
+        });
     }
 
     private static string GetConnectionStringValue(string connectionString, string key, string? defaultValue = null)
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
index 346e6fad16..b6c0c3da7c 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
@@ -30,24 +30,24 @@ protected override async Task<ClaimsIdentity> GenerateClaimsAsync(User user)
     /// <summary>
     /// Retrieves additional claims from Keycloak and adds them to the user's claims.
     /// </summary>
-    private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity result)
+    private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity aspnetCoreIdentityClaims)
     {
         var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"];
         if (string.IsNullOrEmpty(keycloakBaseUrl) is false)
         {
-            var keycloakRefreshToken = await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "refresh_token");
+            var keycloakRefreshToken = await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "refresh_token");
             if (string.IsNullOrEmpty(keycloakRefreshToken) is false)
             {
-                var keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
-                var keycloakAccessToken = await UserManager.GetAuthenticationTokenAsync(user, "EnterpriseSso", "access_token") ?? throw new InvalidOperationException("access_token token is missing");
+                var keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
+                var keycloakAccessToken = await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "access_token") ?? throw new InvalidOperationException("access_token token is missing");
                 if (DateTimeOffset.UtcNow >= keycloakTokenExpiryDate)
                 {
                     var httpClient = serviceProvider.GetRequiredService<IHttpClientFactory>().CreateClient("Keycloak");
                     var refreshRequestPayload = new FormUrlEncodedContent(new Dictionary<string, string>
                     {
                         { "grant_type", "refresh_token" },
-                        { "client_id", configuration["Authentication:EnterpriseSso:ClientId"]! },
-                        { "client_secret", configuration["Authentication:EnterpriseSso:ClientSecret"]! },
+                        { "client_id", configuration["Authentication:Keycloak:ClientId"]! },
+                        { "client_secret", configuration["Authentication:Keycloak:ClientSecret"]! },
                         { "refresh_token", keycloakRefreshToken }
                     });
                     using var response = await httpClient.PostAsync($"realms/demo/protocol/openid-connect/token", refreshRequestPayload);
@@ -60,6 +60,7 @@ private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity result)
                     }
                     var responseBody = await response.Content.ReadFromJsonAsync<JsonElement>();
                     keycloakAccessToken = responseBody!.GetProperty("access_token").GetString();
+                    await UserManager.SetAuthenticationTokenAsync(user, "Keycloak", "access_token", keycloakAccessToken!);
                 }
                 var handler = new JwtSecurityTokenHandler();
                 var parsedKeycloakAccessToken = handler.ReadJwtToken(keycloakAccessToken);
@@ -71,10 +72,8 @@ private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity result)
                         claim.Value))
                     .ToList();
 
-                foreach (var claim in keycloakClaims)
-                {
-                    result.AddClaim(claim);
-                }
+                foreach (var claim in parsedKeycloakAccessToken.Claims.Where(c => aspnetCoreIdentityClaims.HasClaim(c.Type, c.Value) is false))
+                    aspnetCoreIdentityClaims.AddClaim(claim);
             }
         }
     }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
index d9cd1f7505..8458159f92 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
@@ -187,15 +187,16 @@
             "CallbackPath": "/signin-oidc"
         },
         "AzureAD_Comment": "Azure ADB2C/Azure Entra",
-        "EnterpriseSso": {
-            "ClientId": "interactive.confidential",
+        "Keycloak": {
+            "KeycloakUrl": "http://localhost:8080/",
+            "ClientId": "Boilerplate",
             "ClientSecret": "secret"
         },
-        "EnterpriseSso_Comment": "Configure your Enterprise Sso such as Keycloak or Duende Identity Server"
+        "Keycloak_Comment": "Configure your Keycloak OpenId Connect configuration"
     },
     "AllowedHosts": "*",
     "TrustedOrigins": [],
-    "TrustedOrigins_Comment": "Lists the permitted origins for CORS requests, return URLs following social sign-in and email confirmation, etc., along with allowed origins for Web Auth.",
+    "TrustedOrigins_Comment": "Lists the permitted origins for CORS requests, return URLs following external sign-in and email confirmation, etc., along with allowed origins for Web Auth.",
     "ForwardedHeaders": {
         "ForwardedHeaders": "All",
         "ForwardedHeaders_Comment": "These values apply only if your backend is hosted behind a CDN (such as `Cloudflare`).",
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
index 8a4fb2767c..18dd1b5ffb 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
@@ -30,11 +30,42 @@ The realm supports multiple languages for localized user interfaces:
 
 ### 👥 Pre-configured Users
 
-| Username | Email | Password |
-|----------|-------|----------|------|-------------|
-| `alice` | AliceSmith@email.com | `alice` |
-| `bob` | BobSmith@email.com | `bob` |
-| `test` | test@bitplatform.dev | `123456` |
+| Username | Email | Password | Roles |
+|----------|-------|----------|-------|
+| `alice` | AliceSmith@email.com | `alice` | demo |
+| `bob` | BobSmith@email.com | `bob` | demo |
+| `test` | test@bitplatform.dev | `123456` | s-admin |
+
+### Application Roles
+
+The realm includes custom application roles for authorization:
+
+- **`s-admin`**: Super Admin role - Full administrative access to the Boilerplate application
+  - **Claims**: Automatically assigned all features via application logic
+  
+- **`demo`**: Demo role - Standard user access for demonstration purposes
+  - **Claims**:
+    - `mx-p-s`: `-1` (Unlimited privileged sessions)
+    - `feat`: `3.0`, `3.1`, `4.0` (Dashboard, ManageProductCatalog, and ManageTodo features)
+
+**Note**: The `s-admin` role has nothing to do with Keycloak admin privileges, it is specific to the Boilerplate app.
+See `AppRoles.cs` and `AppFeatures.cs` for complete details about application roles and features.
+
+### Role Claims Mapping
+
+Role attributes are automatically mapped to JWT token claims via protocol mappers:
+
+- **Max Privileged Sessions (`mx-p-s`)**: Controls the maximum number of concurrent privileged sessions
+  - `-1` = Unlimited sessions
+  - Positive number = Maximum session limit
+  
+- **Features (`feat`)**: Array of feature flags that grant access to specific application features
+  - `3.0` = `AppFeatures.AdminPanel.Dashboard`
+  - `3.1` = `AppFeatures.AdminPanel.ManageProductCatalog`
+  - `4.0` = `AppFeatures.Todo.ManageTodo`
+  - See `AppFeatures.cs` for all available features
+
+These role-specific claims are included in access tokens, ID tokens, and userinfo endpoints via the `roles` scope, enabling fine-grained authorization in the Boilerplate application.
 
 ### 🔗 Client Configuration
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
index 0259ff4781..5d959e8668 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
@@ -3,14 +3,7 @@
     "id": "demo-realm",
     "enabled": true,
     "displayName": "Boilerplate Demo Realm",
-    "displayNameHtml": "<div class=\"kc-logo-text\"><span>Boilerplate Demo</span></div>",
     "sslRequired": "external",
-    "registrationAllowed": false,
-    "loginWithEmailAllowed": true,
-    "duplicateEmailsAllowed": false,
-    "resetPasswordAllowed": true,
-    "editUsernameAllowed": false,
-    "internationalizationEnabled": true,
     "supportedLocales": [
         "en",
         "nl",
@@ -24,47 +17,6 @@
         "de"
     ],
     "defaultLocale": "en",
-    "bruteForceProtected": true,
-    "permanentLockout": false,
-    "maxFailureWaitSeconds": 900,
-    "minimumQuickLoginWaitSeconds": 60,
-    "waitIncrementSeconds": 60,
-    "quickLoginCheckMilliSeconds": 1000,
-    "maxDeltaTimeSeconds": 43200,
-    "failureFactor": 30,
-    "defaultRoles": [
-        "offline_access",
-        "uma_authorization"
-    ],
-    "requiredCredentials": [
-        "password"
-    ],
-    "otpPolicyType": "totp",
-    "otpPolicyAlgorithm": "HmacSHA1",
-    "otpPolicyInitialCounter": 0,
-    "otpPolicyDigits": 6,
-    "otpPolicyLookAheadWindow": 1,
-    "otpPolicyPeriod": 30,
-    "accessTokenLifespan": 300,
-    "accessTokenLifespanForImplicitFlow": 900,
-    "ssoSessionIdleTimeout": 1800,
-    "ssoSessionMaxLifespan": 36000,
-    "ssoSessionIdleTimeoutRememberMe": 0,
-    "ssoSessionMaxLifespanRememberMe": 0,
-    "offlineSessionIdleTimeout": 2592000,
-    "offlineSessionMaxLifespanEnabled": false,
-    "offlineSessionMaxLifespan": 5184000,
-    "clientSessionIdleTimeout": 0,
-    "clientSessionMaxLifespan": 0,
-    "clientOfflineSessionIdleTimeout": 0,
-    "clientOfflineSessionMaxLifespan": 0,
-    "accessCodeLifespan": 60,
-    "accessCodeLifespanUserAction": 300,
-    "accessCodeLifespanLogin": 1800,
-    "actionTokenGeneratedByAdminLifespan": 43200,
-    "actionTokenGeneratedByUserLifespan": 300,
-    "oauth2DeviceCodeLifespan": 600,
-    "oauth2DevicePollingInterval": 5,
     "users": [
         {
             "id": "alice-user-id",
@@ -75,6 +27,9 @@
             "firstName": "Alice",
             "lastName": "Smith",
             "email": "AliceSmith@email.com",
+            "attributes": {
+                "mx-p-s": [ "5" ]
+            },
             "credentials": [
                 {
                     "type": "password",
@@ -88,7 +43,7 @@
                 "uma_authorization"
             ],
             "notBefore": 0,
-            "groups": []
+            "groups": [ "/demo" ]
         },
         {
             "id": "bob-user-id",
@@ -112,7 +67,7 @@
                 "uma_authorization"
             ],
             "notBefore": 0,
-            "groups": []
+            "groups": [ "/demo" ]
         },
         {
             "id": "test-user-id",
@@ -136,31 +91,33 @@
                 "uma_authorization"
             ],
             "notBefore": 0,
-            "groups": []
+            "groups": [ "/s-admin" ]
         }
     ],
-    "roles": {
-        "realm": [
-            {
-                "id": "offline_access",
-                "name": "offline_access",
-                "description": "${role_offline-access}",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "demo"
+    "groups": [
+        {
+            "id": "s-admin-group-id",
+            "name": "s-admin",
+            "path": "/s-admin",
+            "attributes": {
+                "mx-p-s": [ "-1" ]
             },
-            {
-                "id": "uma_authorization",
-                "name": "uma_authorization",
-                "description": "${role_uma_authorization}",
-                "composite": false,
-                "clientRole": false,
-                "containerId": "demo"
-            }
-        ],
-        "client": {}
-    },
-    "groups": [],
+            "realmRoles": [],
+            "clientRoles": {},
+            "subGroups": []
+        },
+        {
+            "id": "demo-group-id",
+            "name": "demo",
+            "path": "/demo",
+            "attributes": {
+                "boilerplate-features": [ "3.0", "3.1", "4.0" ]
+            },
+            "realmRoles": [],
+            "clientRoles": {},
+            "subGroups": []
+        }
+    ],
     "defaultDefaultClientScopes": [
         "role_list",
         "profile",
@@ -175,31 +132,6 @@
         "microprofile-jwt"
     ],
     "clientScopes": [
-        {
-            "id": "api-scope-id",
-            "name": "api",
-            "description": "API Access Scope for Boilerplate Application",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "true",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "API access permissions"
-            },
-            "protocolMappers": [
-                {
-                    "id": "api-audience-mapper",
-                    "name": "API Audience Mapper",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-audience-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "included.client.audience": "interactive.confidential",
-                        "id.token.claim": "false",
-                        "access.token.claim": "true"
-                    }
-                }
-            ]
-        },
         {
             "id": "profile-scope-id",
             "name": "profile",
@@ -283,21 +215,6 @@
                         "claim.name": "email",
                         "jsonType.label": "String"
                     }
-                },
-                {
-                    "id": "email-verified-mapper",
-                    "name": "email verified",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-property-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "userinfo.token.claim": "true",
-                        "user.attribute": "emailVerified",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "claim.name": "email_verified",
-                        "jsonType.label": "boolean"
-                    }
                 }
             ]
         },
@@ -321,34 +238,6 @@
                 }
             ]
         },
-        {
-            "id": "roles-scope-id",
-            "name": "roles",
-            "description": "OpenID Connect scope for add user roles to the access token",
-            "protocol": "openid-connect",
-            "attributes": {
-                "include.in.token.scope": "false",
-                "display.on.consent.screen": "true",
-                "consent.screen.text": "${rolesScopeConsentText}"
-            },
-
-            "protocolMappers": [
-                {
-                    "name": "realm roles mapper",
-                    "protocol": "openid-connect",
-                    "protocolMapper": "oidc-usermodel-realm-role-mapper",
-                    "consentRequired": false,
-                    "config": {
-                        "claim.name": "roles",
-                        "jsonType.label": "String",
-                        "multivalued": "true",
-                        "id.token.claim": "true",
-                        "access.token.claim": "true",
-                        "userinfo.token.claim": "true"
-                    }
-                }
-            ]
-        },
         {
             "id": "acr-scope-id",
             "name": "acr",
@@ -378,101 +267,81 @@
                 "consent.screen.text": "${offlineAccessScopeConsentText}",
                 "display.on.consent.screen": "true"
             }
+        },
+        {
+            "id": "roles-scope-id",
+            "name": "roles",
+            "description": "OpenID Connect scope for user roles including group memberships",
+            "protocol": "openid-connect",
+            "attributes": {
+                "include.in.token.scope": "false",
+                "display.on.consent.screen": "false"
+            }
         }
     ],
     "clients": [
         {
-            "id": "interactive-confidential-client-id",
-            "clientId": "interactive.confidential",
-            "name": "Interactive Confidential Client",
-            "description": "OpenID Connect client for Boilerplate application",
-            "rootUrl": "",
-            "adminUrl": "",
-            "baseUrl": "",
-            "surrogateAuthRequired": false,
-            "enabled": true,
-            "alwaysDisplayInConsole": false,
-            "clientAuthenticatorType": "client-secret",
+            "id": "Boilerplate-Id",
+            "clientId": "Boilerplate",
             "secret": "secret",
-            "registrationAccessToken": "",
+            "name": "Boilerplate",
+            "description": "OpenID Connect client for Boilerplate application",
             "redirectUris": [
                 "*"
             ],
             "webOrigins": [
                 "*"
             ],
-            "notBefore": 0,
-            "bearerOnly": false,
-            "consentRequired": false,
-            "standardFlowEnabled": true,
-            "implicitFlowEnabled": false,
-            "directAccessGrantsEnabled": true,
-            "serviceAccountsEnabled": false,
-            "publicClient": false,
-            "frontchannelLogout": true,
-            "protocol": "openid-connect",
-            "attributes": {
-                "oidc.ciba.grant.enabled": "false",
-                "client.secret.creation.time": "1640995200",
-                "backchannel.logout.session.required": "true",
-                "display.on.consent.screen": "false",
-                "oauth2.device.authorization.grant.enabled": "false",
-                "backchannel.logout.revoke.offline.tokens": "false"
-            },
-            "authenticationFlowBindingOverrides": {},
-            "fullScopeAllowed": true,
-            "nodeReRegistrationTimeout": -1,
-            "defaultClientScopes": [
-                "web-origins",
-                "acr",
-                "profile",
-                "roles",
-                "email",
-                "api"
-            ],
-            "optionalClientScopes": [
-                "address",
-                "phone",
-                "offline_access",
-                "microprofile-jwt"
+            "protocolMappers": [
+                {
+                    "id": "client-group-membership-mapper",
+                    "name": "client group membership",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-group-membership-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "full.path": "false",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "claim.name": "roles",
+                        "userinfo.token.claim": "true"
+                    }
+                },
+                {
+                    "id": "client-mx-p-s-mapper",
+                    "name": "client mx-p-s attribute",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "claim.name": "mx-p-s",
+                        "user.attribute": "mx-p-s",
+                        "jsonType.label": "String",
+                        "multivalued": "false",
+                        "aggregate.attrs": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "userinfo.token.claim": "true"
+                    }
+                },
+                {
+                    "id": "client-boilerplate-features-mapper",
+                    "name": "client boilerplate-features attribute",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-usermodel-attribute-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "claim.name": "boilerplate-features",
+                        "user.attribute": "boilerplate-features",
+                        "jsonType.label": "String",
+                        "multivalued": "true",
+                        "aggregate.attrs": "true",
+                        "id.token.claim": "true",
+                        "access.token.claim": "true",
+                        "userinfo.token.claim": "true"
+                    }
+                }
             ]
         }
-    ],
-    "clientScopeMappings": {
-        "account": [
-            {
-                "client": "account-console",
-                "roles": [
-                    "manage-account"
-                ]
-            }
-        ]
-    },
-    "defaultGroups": [],
-    "browserFlow": "browser",
-    "registrationFlow": "registration",
-    "directGrantFlow": "direct grant",
-    "resetCredentialsFlow": "reset credentials",
-    "clientAuthenticationFlow": "clients",
-    "dockerAuthenticationFlow": "docker auth",
-    "attributes": {
-        "cibaBackchannelTokenDeliveryMode": "poll",
-        "cibaExpiresIn": "120",
-        "cibaInterval": "5",
-        "cibaAuthRequestedUserHint": "login_hint",
-        "oauth2DeviceCodeLifespan": "600",
-        "oauth2DevicePollingInterval": "5",
-        "parRequestUriLifespan": "60",
-        "cibaBackchannelUserCodeParameter": "false",
-        "frontendUrl": "",
-        "acr.loa.map": "{}"
-    },
-    "keycloakVersion": "25.0.0",
-    "userManagedAccessAllowed": false,
-    "clientProfiles": {
-        "profiles": []
-    },
-    "clientPolicies": {
-        "policies": []
-    }
+    ]
 }
\ No newline at end of file
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/ServerSharedSettings.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/ServerSharedSettings.cs
index 509c1ed666..78de417768 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/ServerSharedSettings.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Shared/ServerSharedSettings.cs
@@ -10,7 +10,7 @@ public partial class ServerSharedSettings : SharedSettings
     public ForwardedHeadersOptions? ForwardedHeaders { get; set; } = default!;
 
     /// <summary>
-    /// Specifies the allowed origins for CORS requests, URLs returned after social sign-in and email confirmation, and permitted origins for Web Auth, as well as forwarded headers middleware in ASP.NET Core.
+    /// Specifies the allowed origins for CORS requests, URLs returned after external sign-in and email confirmation, and permitted origins for Web Auth, as well as forwarded headers middleware in ASP.NET Core.
     /// </summary>
     public Uri[] TrustedOrigins { get; set; } = [];
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/ServerWebSettings.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/ServerWebSettings.cs
index 581e536e76..e03ea285f3 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/ServerWebSettings.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/ServerWebSettings.cs
@@ -11,7 +11,7 @@ public partial class ServerWebSettings : ClientWebSettings
     public ForwardedHeadersOptions? ForwardedHeaders { get; set; } = default!;
 
     /// <summary>
-    /// Specifies the allowed origins for CORS requests, URLs returned after social sign-in and email confirmation, and permitted origins for Web Auth, as well as forwarded headers middleware in ASP.NET Core.
+    /// Specifies the allowed origins for CORS requests, URLs returned after external sign-in and email confirmation, and permitted origins for Web Auth, as well as forwarded headers middleware in ASP.NET Core.
     /// </summary>
     public Uri[] TrustedOrigins { get; set; } = [];
     [Required]
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
index 87afe8b2a7..85def704ef 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
@@ -123,8 +123,9 @@
             "ClientSecret": null,
             "CallbackPath": "/signin-oidc"
         },
-        "EnterpriseSso": {
-            "ClientId": "interactive.confidential",
+        "Keycloak": {
+            "KeycloakUrl": "http://localhost:8080/",
+            "ClientId": "Boilerplate",
             "ClientSecret": "secret"
         }
     },
@@ -147,7 +148,7 @@
     },
     //#endif
     "TrustedOrigins": [],
-    "TrustedOrigins_Comment": "Lists the permitted origins for CORS requests, return URLs following social sign-in and email confirmation, etc., along with allowed origins for Web Auth.",
+    "TrustedOrigins_Comment": "Lists the permitted origins for CORS requests, return URLs following external sign-in and email confirmation, etc., along with allowed origins for Web Auth.",
     "ForwardedHeaders": {
         "ForwardedHeaders": "All",
         "ForwardedHeaders_Comment": "These values apply only if your backend is hosted behind a CDN (such as `Cloudflare`).",
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IIdentityController.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IIdentityController.cs
index 29063e2788..893a4dac1e 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IIdentityController.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Controllers/Identity/IIdentityController.cs
@@ -44,7 +44,7 @@ public interface IIdentityController : IAppController
     Task SendOtp(IdentityRequestDto request, string? returnUrl = null, CancellationToken cancellationToken = default);
 
     [HttpGet("{?provider,returnUrl,localHttpPort}")]
-    Task<string> GetSocialSignInUri(string provider, string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default);
+    Task<string> GetExternalSignInUri(string provider, string? returnUrl = null, int? localHttpPort = null, CancellationToken cancellationToken = default);
 
     [HttpPost]
     Task<JsonElement> GetWebAuthnAssertionOptions(WebAuthnAssertionOptionsRequestDto request, CancellationToken cancellationToken) => default!;
@@ -59,5 +59,5 @@ public interface IIdentityController : IAppController
     Task VerifyWebAuthAndSendTwoFactorToken(JsonElement clientResponse, CancellationToken cancellationToken) => default!;
 
     [HttpGet]
-    Task<string[]> GetSupportedSocialAuthSchemes(CancellationToken cancellationToken);
+    Task<string[]> GetSupportedExternalAuthSchemes(CancellationToken cancellationToken);
 }
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/PageUrls.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/PageUrls.cs
index 1850355464..262603278b 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/PageUrls.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/PageUrls.cs
@@ -37,8 +37,6 @@ public static partial class PageUrls
     public const string SystemPrompts = "/system-prompts";
     //#endif
 
-    public const string Authorize = "/authorize";
-
     public const string Roles = "/user-groups";
 
     public const string Users = "/users";
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
index b6d9b0b7a6..7f6c0fd03b 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.ar.resx
@@ -633,7 +633,7 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>تسجيل الدخول بـ Apple</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>تسجيل الدخول بـ SSO المؤسسي</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
index f9b64d0d0f..0258124eaa 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.de.resx
@@ -633,7 +633,7 @@ Nach Erreichen von {0} haben zusätzliche Anmeldungen reduzierte Funktionen.</va
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Mit Apple anmelden</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Mit Enterprise SSO anmelden</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
index 4fec8894bb..964a0c8664 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.es.resx
@@ -633,7 +633,7 @@ Después de alcanzar {0}, los inicios de sesión adicionales tendrán funciones
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Iniciar sesión con Apple</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Iniciar sesión con SSO empresarial</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
index 492c4776d6..3d47f0c102 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fa.resx
@@ -636,7 +636,7 @@
     <data name="SignOut" xml:space="preserve">
     <value>خروج از سیستم</value>
   </data>
-    <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>ورود با SSO سازمانی</value>
   </data>
     <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
index a69dd76c2b..46906442b2 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.fr.resx
@@ -633,7 +633,7 @@ Après avoir atteint {0}, les connexions supplémentaires auront des fonctions r
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Se connecter avec Apple</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Se connecter avec SSO d'entreprise</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
index 2642fb07ef..d75fd2396b 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.hi.resx
@@ -633,7 +633,7 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Apple से साइन इन करें</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>एंटरप्राइज़ SSO से साइन इन करें</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
index d6b75c7313..b2cafb2467 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.nl.resx
@@ -633,7 +633,7 @@ Na het bereiken van {0} zullen extra aanmeldingen verminderde functies hebben.</
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Aanmelden met Apple</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Aanmelden met Enterprise SSO</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
index a7e9e5b40e..0fc89f395e 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.resx
@@ -633,7 +633,7 @@ After reaching {0}, extra sign-ins will have reduced functions.</value>
     <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Sign in with Apple</value>
   </data>
-    <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+    <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Sign in with Enterprise SSO</value>
   </data>
     <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
index d8e5d456b2..e1b3726015 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.sv.resx
@@ -633,7 +633,7 @@ Efter att ha nått {0} kommer extra inloggningar att ha reducerade funktioner.</
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>Logga in med Apple</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>Logga in med Enterprise SSO</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
index 94ba0fb912..eeaa5d6a7a 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Resources/AppStrings.zh.resx
@@ -633,7 +633,7 @@
   <data name="AppleSignInButtonText" xml:space="preserve">
     <value>使用 Apple 登录</value>
   </data>
-  <data name="EnterpriseSsoSignInButtonText" xml:space="preserve">
+  <data name="KeycloakSignInButtonText" xml:space="preserve">
     <value>使用企业SSO登录</value>
   </data>
   <data name="AzureEntraSignInButtonText" xml:space="preserve">
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
index c698b6e2da..7a7f07688f 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
@@ -1,4 +1,5 @@
-namespace Boilerplate.Shared.Services;
+//+:cnd:noEmit
+namespace Boilerplate.Shared.Services;
 
 /// <summary>
 /// These claims may not be added to RoleClaims/UserClaims tables.
@@ -25,8 +26,8 @@ public class AppClaimTypes
     public const string ELEVATED_SESSION = "e-s";
 
     /// <summary>
-    /// The list of features (claims) assigned to the user.
+    /// The list of Boilerplate app features (claims) assigned to the user.
     /// <see cref="AppFeatures"/>
     /// </summary>
-    public const string FEATURES = "feat";
+    public const string FEATURES = "boilerplate-features";
 }

From 4f1348975f8276c785a2ee8f0a8185080a239657 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:21:51 +0100
Subject: [PATCH 3/8] fix

---
 ...entity - Authentication & Authorization.md | 249 +++++++++---------
 .../.docs/14- Response Caching System.md      |   2 +-
 .../src/Directory.Packages.props              |   1 +
 .../Boilerplate.Server.Api.csproj             |   1 +
 .../Program.Services.cs                       |  24 +-
 .../Identity/AppUserClaimsPrincipalFactory.cs |  81 ++++--
 .../Boilerplate.Server.Api/appsettings.json   |   1 +
 .../Realms/README.md                          | 127 ---------
 .../{demo-realm.json => dev-realm.json}       |   6 +-
 .../Boilerplate.Server.Web/appsettings.json   |   1 +
 10 files changed, 193 insertions(+), 300 deletions(-)
 delete mode 100644 src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
 rename src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/{demo-realm.json => dev-realm.json} (99%)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md
index 48be31d82d..097335ab2d 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md	
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md	
@@ -9,7 +9,7 @@ Welcome to **Stage 7** of the Boilerplate project tutorial! In this stage, you w
 1. [Authentication Architecture](#authentication-architecture)
    - [JWT Token-Based Authentication](#jwt-token-based-authentication)
    - [Session Management](#session-management)
-   - [Single Sign-On (SSO) Support](#single-sign-on-sso-support)
+   - [External Identity Support](#external-identity-support)
 2. [Authorization and Access Control](#authorization-and-access-control)
    - [Role-Based and Permission-Based Authorization](#role-based-and-permission-based-authorization)
    - [Policy-Based Authorization](#policy-based-authorization)
@@ -17,10 +17,8 @@ Welcome to **Stage 7** of the Boilerplate project tutorial! In this stage, you w
 3. [Identity Configuration](#identity-configuration)
 4. [Security Best Practices](#security-best-practices)
 5. [One-Time Token System](#one-time-token-system)
-6. [Code Examples from the Project](#code-examples-from-the-project)
-7. [Hands-On Exploration](#hands-on-exploration)
-8. [Video Tutorial](#video-tutorial)
-9. [Summary](#summary)
+6. [Hands-On Exploration](#hands-on-exploration)
+7. [Video Tutorial](#video-tutorial)
 
 **Important**: All topics related to WebAuthn, passkeys, and passwordless authentication are explained in [Stage 24](/.docs/24-%20WebAuthn%20and%20Passwordless%20Authentication%20(Advanced).md).
 
@@ -118,26 +116,21 @@ private async Task<UserSession> CreateUserSession(Guid userId, CancellationToken
 
 ---
 
-### Single Sign-On (SSO) Support
+### External Identity Support
 
-The project supports **external authentication providers** for Single Sign-On (SSO).
+The project supports **external authentication providers** for Single Sign-On (SSO) and Social sign-in purposes.
 
 #### Supported Providers
 
-You can easily configure SSO with:
+The following external identity providers have been already configured:
 
-- **Google** - OAuth 2.0 authentication
-- **GitHub** - OAuth authentication for developers
-- **Microsoft/Azure AD** - Enterprise identity integration (Azure AD B2C/Entra)
-- **Twitter** - Social authentication
-- **Apple** - Sign in with Apple
-- **Facebook** - Social media authentication
-- **Duende Identity Server / Keycloak** - OpenID Connect provider
-- And many other OAuth/OpenID Connect providers
-
-#### Enterprise SSO
-
-The project is configured to connect to a **Keycloak (If URL provided) or Duende Identity Server (A public demo server) instance** to demonstrate how external OpenID Connect providers work.
+- **Google**
+- **Microsoft/Azure Entra/Azure AD B2C**
+- **Twitter (X)**
+- **Apple**
+- **GitHub**
+- **Facebook**
+- **Keycloak** Free, Open Source Identity and Access Management
 
 #### Configuration
 
@@ -164,23 +157,23 @@ External provider settings are configured in [`appsettings.json`](/src/Server/Bo
 }
 ```
 
-#### Social Sign-In Flow
+#### External Sign-In Flow
 
-From [`IdentityController.SocialSignIn.cs`](/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.SocialSignIn.cs):
+From [`IdentityController.ExternalSignIn.cs`](/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.ExternalSignIn.cs):
 
 ```csharp
 [HttpGet]
-public async Task<ActionResult> SocialSignIn(string provider, string? returnUrl = null, 
+public async Task<ActionResult> ExternalSignIn(string provider, string? returnUrl = null, 
     int? localHttpPort = null, [FromQuery] string? origin = null)
 {
-    var redirectUrl = Url.Action(nameof(SocialSignInCallback), "Identity", 
+    var redirectUrl = Url.Action(nameof(ExternalSignInCallback), "Identity", 
         new { returnUrl, localHttpPort, origin });
     var properties = signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
     return new ChallengeResult(provider, properties);
 }
 ```
 
-When a social sign-in is successful, the system:
+When a external sign-in is successful, the system:
 1. Retrieves user information from the external provider
 2. Either finds an existing user or creates a new one
 3. Automatically confirms email/phone if the provider provides them
@@ -660,127 +653,124 @@ Let's walk through a password reset scenario:
 
 ---
 
-## Code Examples from the Project
+## Advanced Topics
 
-### Sign Up with Validation
+### JWT Token Signing with PFX Certificates
 
-From [`IdentityController.cs`](/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.cs):
+By default, the Bit Boilerplate uses a string-based secret (`JwtIssuerSigningKeySecret`) for signing JWT tokens in the [`AppJwtSecureDataFormat`](/src/Server/Boilerplate.Server.Api/Services/Identity/AppJwtSecureDataFormat.cs) class. While this approach is valid and secure, using a **PFX certificate** is considered best practice for production environments, especially when:
 
-```csharp
-[HttpPost]
-public async Task SignUp(SignUpRequestDto request, CancellationToken cancellationToken)
-{
-    request.PhoneNumber = phoneService.NormalizePhoneNumber(request.PhoneNumber);
-    
-    // Validate Google reCAPTCHA
-    if (await googleRecaptchaService.Verify(request.GoogleRecaptchaResponse, cancellationToken) is false)
-        throw new BadRequestException(Localizer[nameof(AppStrings.InvalidGoogleRecaptchaResponse)]);
-
-    // Check for existing user
-    var existingUser = await userManager.FindUserAsync(
-        new() { Email = request.Email, PhoneNumber = request.PhoneNumber });
-        
-    if (existingUser is not null)
-    {
-        if (await userConfirmation.IsConfirmedAsync(userManager, existingUser) is false)
-        {
-            await SendConfirmationToken(existingUser, request.ReturnUrl, cancellationToken);
-            throw new BadRequestException(Localizer[nameof(AppStrings.UserIsNotConfirmed)])
-                .WithData("UserId", existingUser.Id);
-        }
-        else
-        {
-            throw new BadRequestException(Localizer[nameof(AppStrings.DuplicateEmailOrPhoneNumber)])
-                .WithData("UserId", existingUser.Id);
-        }
-    }
+- You need to share JWT validation across multiple backend services
+- You want to follow industry-standard cryptographic practices
+- You're deploying to enterprise environments with strict security requirements
 
-    // Create new user
-    var userToAdd = new User { LockoutEnabled = true };
-    await userStore.SetUserNameAsync(userToAdd, request.UserName!, cancellationToken);
-    
-    if (string.IsNullOrEmpty(request.Email) is false)
-    {
-        await userEmailStore.SetEmailAsync(userToAdd, request.Email!, cancellationToken);
-    }
-    
-    if (string.IsNullOrEmpty(request.PhoneNumber) is false)
-    {
-        await userPhoneNumberStore.SetPhoneNumberAsync(userToAdd, request.PhoneNumber!, cancellationToken);
-    }
+**Why We Didn't Use PFX by Default**
 
-    await userManager.CreateUserWithDemoRole(userToAdd, request.Password!);
-    await SendConfirmationToken(userToAdd, request.ReturnUrl, cancellationToken);
-}
+We chose the string-based secret as the default because:
+- **Easier Deployment**: PFX certificates require additional configuration on shared hosting providers
+- **Simplified Development**: Developers can get started immediately without certificate management
+- **Good Security**: String-based secrets with HS512 are still cryptographically secure
+
+**How to Migrate to PFX Certificates**
+
+If you want to use PFX certificates, you'll need to modify [`AppJwtSecureDataFormat`](/src/Server/Boilerplate.Server.Api/Services/Identity/AppJwtSecureDataFormat.cs) to use `AsymmetricSecurityKey` instead of `SymmetricSecurityKey`:
+
+```csharp
+// Instead of:
+IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(appSettings.Identity.JwtIssuerSigningKeySecret))
+
+// Use:
+var certificate = new X509Certificate2("path/to/certificate.pfx", "password");
+IssuerSigningKey = new X509SecurityKey(certificate)
 ```
 
-### Password Reset Flow
+**Protecting ASP.NET Core Data Protection Keys**
 
-From [`IdentityController.ResetPassword.cs`](/src/Server/Boilerplate.Server.Api/Controllers/Identity/IdentityController.ResetPassword.cs):
+Additionally, you should protect the Data Protection keys stored in the database. In [`Program.Services.cs`](/src/Server/Boilerplate.Server.Api/Program.Services.cs), update the following code:
 
 ```csharp
-[HttpPost]
-public async Task ResetPassword(ResetPasswordRequestDto request, CancellationToken cancellationToken)
-{
-    request.PhoneNumber = phoneService.NormalizePhoneNumber(request.PhoneNumber);
-    var user = await userManager.FindUserAsync(request) 
-        ?? throw new ResourceNotFoundException(Localizer[nameof(AppStrings.UserNotFound)])
-            .WithData("Identifier", request);
+services.AddDataProtection()
+   .PersistKeysToDbContext<AppDbContext>()
+   .ProtectKeysWithCertificate(certificate); // Add this line
+```
 
-    // Check if token has expired
-    var expired = (DateTimeOffset.Now - user.ResetPasswordTokenRequestedOn) 
-        > AppSettings.Identity.ResetPasswordTokenLifetime;
+**Cross-Service JWT Validation**
 
-    if (expired)
-        throw new BadRequestException(nameof(AppStrings.ExpiredToken))
-            .WithData("UserId", user.Id);
+When using PFX certificates, you can share the **public key** with other backend services to validate JWTs issued by your ASP.NET Core Identity system. Other services can use the `AddJwtAuthentication` method to validate tokens without needing the private key.
 
-    // Check if user is locked out
-    if (await userManager.IsLockedOutAsync(user))
-    {
-        var tryAgainIn = (user.LockoutEnd! - DateTimeOffset.UtcNow).Value;
-        throw new BadRequestException(
-            Localizer[nameof(AppStrings.UserLockedOut), 
-            tryAgainIn.Humanize(culture: CultureInfo.CurrentUICulture)])
-            .WithData("UserId", user.Id)
-            .WithExtensionData("TryAgainIn", tryAgainIn);
-    }
+This enables scenarios where:
+- Multiple microservices validate the same JWT
+- Third-party services can verify your tokens
 
-    // Verify the token
-    bool tokenIsValid = await userManager.VerifyUserTokenAsync(
-        user!, 
-        TokenOptions.DefaultPhoneProvider, 
-        FormattableString.Invariant($"ResetPassword,{user.ResetPasswordTokenRequestedOn?.ToUniversalTime()}"), 
-        request.Token!);
+---
 
-    if (tokenIsValid is false)
-    {
-        await userManager.AccessFailedAsync(user);
-        throw new BadRequestException(nameof(AppStrings.InvalidToken))
-            .WithData("UserId", user.Id);
-    }
+### Keycloak Integration
 
-    // Reset the password
-    var result = await userManager.ResetPasswordAsync(
-        user!, 
-        await userManager.GeneratePasswordResetTokenAsync(user!), 
-        request.Password!);
+Bit Boilerplate includes built-in support for **Keycloak**, a free, open-source identity and access management solution. Keycloak provides enterprise-grade features like:
 
-    if (result.Succeeded is false)
-        throw new ResourceValidationException(result.Errors
-            .Select(e => new LocalizedString(e.Code, e.Description)).ToArray())
-            .WithData("UserId", user.Id);
+- Centralized user management
+- Single Sign-On (SSO) across multiple applications
+- Fine-grained authorization
+- User federation (LDAP, Active Directory)
 
-    // Reset access failed count and invalidate the token
-    await ((IUserLockoutStore<User>)userStore).ResetAccessFailedCountAsync(user, cancellationToken);
-    user.ResetPasswordTokenRequestedOn = null; // Invalidates the token
-    var updateResult = await userManager.UpdateAsync(user);
-    if (updateResult.Succeeded is false)
-        throw new ResourceValidationException(updateResult.Errors
-            .Select(e => new LocalizedString(e.Code, e.Description)).ToArray())
-            .WithData("UserId", user.Id);
-}
-```
+#### Keycloak in .NET Aspire
+
+When you run the project with .NET Aspire enabled (default configuration), Keycloak is automatically started as a containerized service. This provides a complete identity server for development and testing without any manual setup.
+
+#### Demo User Accounts
+
+The Keycloak instance comes pre-configured with the following demo accounts (Provided by [src\Server\Boilerplate.Server.AppHost\Realms\dev-realm.json](..\src\Server\Boilerplate.Server.AppHost\Realms\dev-realm.json)):
+
+| Username | Password | Role | Description |
+|----------|----------|------|-------------|
+| test | 123456 | Admin | Full administrative access |
+| bob | bob | Demo | Standard demo user |
+| alice | alice | Demo | Standard demo user |
+
+#### How Keycloak Mapping Works
+
+The Boilerplate template integrates Keycloak with ASP.NET Core Identity through a custom mapping system in [`AppUserClaimsPrincipalFactory`](/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs):
+
+**1. Groups → Roles**
+- Keycloak **groups** are mapped to ASP.NET Core Identity **roles**
+- Users inherit all roles from their group memberships
+
+**2. Attributes → Claims**
+- **User attributes** in Keycloak become individual claims
+- **Group attributes** are also mapped to claims
+
+**3. Keycloak Roles → Custom Mapping** (Not required with the current project setup)
+- Keycloak's built-in **roles** (distinct from groups) are **not automatically mapped**
+- These roles follow a different structure than ASP.NET Core Identity roles
+
+#### Real-Time Claim Synchronization
+
+The `AppUserClaimsPrincipalFactory` retrieves the latest claims from Keycloak on every ASP.NET Core Identity token refresh:
+
+**Security Benefits:**
+- **Automatic Deactivation**: If a user is disabled or deleted in Keycloak, access is immediately revoked
+- **Fresh Claims**: Every token refresh fetches the latest permissions from Keycloak
+- **Session Validation**: Expired or revoked Keycloak sessions trigger `UnauthorizedException`
+
+#### JWT Token Issuance Flow
+
+Despite using Keycloak for authentication, the final JWT tokens are still issued by **ASP.NET Core Identity**:
+
+1. User signs in through Keycloak (via OpenID Connect)
+2. `AppUserClaimsPrincipalFactory` retrieves claims from Keycloak
+3. ASP.NET Core Identity merges Keycloak claims with local claims
+4. A new JWT is issued and signed using the configured secret (or PFX certificate)
+5. The JWT is sent to the client and used for all subsequent API requests
+
+**Validation:**
+- When the JWT is sent back to the backend, **ASP.NET Core Identity validates it**
+
+#### Using JWTs with Other Backend Services
+
+If you want to share the JWT with other backend services (e.g., microservices), follow these steps:
+
+1. **Switch to PFX Certificates** (as described in the previous section)
+2. **Share the Public Key** with other services
+3. Other services use `AddJwtAuthentication` to validate the token
 
 ---
 
@@ -816,7 +806,7 @@ public async Task ResetPassword(ResetPasswordRequestDto request, CancellationTok
 - Try using an already-used token
 
 ### 6. External Providers
-- Try **social sign-in** with the configured demo provider
+- Try **External sign-in** with the configured demo provider
 - Observe how email confirmation works with external providers
 
 ### 7. Permissions and Policies
@@ -853,7 +843,6 @@ public async Task ResetPassword(ResetPasswordRequestDto request, CancellationTok
 ### AI Wiki: Answered Questions
 * [How does a `refresh token` function in a Boilerplate project template?](https://deepwiki.com/search/how-does-a-refresh-token-funct_6a75fa66-ab98-4367-bd1a-24b081fbf88c)
 * [What would happen when I use [AuthorizedApi]](https://deepwiki.com/search/what-would-happen-when-i-use-a_c525d59d-5c55-489b-8f95-69f6df7c743d)
-* [Give me high level overview of social sign-in flow](https://deepwiki.com/search/give-me-high-level-overview-of_059d227a-0ffe-4077-9e01-ba9f61456a3f)
 * [Give me high level overview of two factor auth setup and usage flows](https://deepwiki.com/search/give-me-high-level-overview-of_1883503f-2e34-41ca-821a-1246d332990f)
 
 Ask your own question [here](https://wiki.bitplatform.dev)
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/14- Response Caching System.md b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/14- Response Caching System.md
index 077b553185..cb8dfa7485 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/14- Response Caching System.md	
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/14- Response Caching System.md	
@@ -462,7 +462,7 @@ The project uses the **FusionCache** library for server-side caching:
 
 - **Output Cache Backend**: Powers the ASP.NET Core Output Cache implementation (Layer 4)
 - **Data Caching**: Provides data caching via `IFusionCache` interface for caching arbitrary data (database query results, computed values, etc.) in addition to HTTP responses
-- **Flexible Storage**: Supports multiple backends (in-memory, Redis, etc) for both response and data caching
+- **Flexible Storage**: Supports multiple backends (in-memory, Redis, hybrid etc) for both response and data caching
 
 ---
 
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props b/src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props
index 1acd61fa6d..e13d4ed46e 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Directory.Packages.props
@@ -10,6 +10,7 @@
         <PackageVersion Include="Bit.Bswup" Version="10.2.0" />
         <PackageVersion Include="Bit.CodeAnalyzers" Version="10.2.0" />
         <PackageVersion Include="Bit.SourceGenerators" Version="10.2.0" />
+        <PackageVersion Include="DistributedLock.FileSystem" Version="1.0.3" />
         <PackageVersion Include="Fido2.AspNet" Version="4.0.0" />
         <PackageVersion Include="Fido2.Models" Version="4.0.0" />
         <PackageVersion Include="HtmlSanitizer" Version="9.0.889" />
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Boilerplate.Server.Api.csproj b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Boilerplate.Server.Api.csproj
index 1c4719fc87..6806f34332 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Boilerplate.Server.Api.csproj
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Boilerplate.Server.Api.csproj
@@ -22,6 +22,7 @@
     </ItemGroup>
 
     <ItemGroup>
+        <PackageReference Include="DistributedLock.FileSystem" />
         <PackageReference Include="Fido2.AspNet" />
         <PackageReference Include="Hangfire.AspNetCore" />
         <PackageReference Include="Hangfire.EntityFrameworkCore" />
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
index be70a9de65..802ad90a7f 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Program.Services.cs
@@ -41,6 +41,7 @@
 using Boilerplate.Server.Api.Models.Identity;
 using Boilerplate.Server.Api.Services.Identity;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Medallion.Threading;
 //#if (offlineDb == true)
 using CommunityToolkit.Datasync.Server;
 //#endif
@@ -158,6 +159,11 @@ public static void AddServerApiProjectServices(this WebApplicationBuilder builde
         services.AddScoped<PushNotificationJobRunner>();
         //#endif
 
+        services.AddTransient(sp => new Func<string, IDistributedLock>((string lockKey) =>
+        {
+            return new Medallion.Threading.FileSystem.FileDistributedLock(new(Path.Combine(Path.GetTempPath(), $"Boilerplate-{lockKey}.lock")));
+        }));
+
         services.AddSingleton<ServerExceptionHandler>();
         services.AddSingleton(sp => (IProblemDetailsWriter)sp.GetRequiredService<ServerExceptionHandler>());
         services.AddProblemDetails();
@@ -400,7 +406,9 @@ void AddDbContext(DbContextOptionsBuilder options)
 
         services.AddHttpClient("Keycloak", c =>
         {
-            c.BaseAddress = new Uri(configuration["KEYCLOAK_HTTP"] ?? throw new InvalidOperationException("KEYCLOAK_HTTP configuration is required"));
+            c.BaseAddress = new Uri(configuration["KEYCLOAK_HTTP"]
+                ?? configuration["Authentication:Keycloak:KeycloakUrl"]
+                ?? throw new InvalidOperationException("KEYCLOAK_HTTP configuration is required"));
             c.DefaultRequestVersion = HttpVersion.Version11;
         });
 
@@ -641,22 +649,18 @@ private static void AddIdentity(WebApplicationBuilder builder)
             });
         }
 
-        // While Google, GitHub, Twitter(X), Apple and AzureAD needs configuration in their corresponding developer portals,
-        // the following OpenID Connect configuration would connect to your own Keycloak.
+        // In order to have better understanding of Keycloak integration, checkout .docs/07- ASP.NET Core Identity - Authentication & Authorization.md
         authenticationBuilder.AddOpenIdConnect("Keycloak", options =>
         {
             configuration.GetRequiredSection("Authentication:Keycloak").Bind(options);
 
-            var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"] 
+            var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"]
                 ?? configuration["Authentication:Keycloak:KeycloakUrl"]
                 ?? throw new InvalidOperationException("KEYCLOAK_HTTP or Authentication:Keycloak:KeycloakUrl configuration is required");
 
-            // The user would sign-in using Keycloak, just like other providers such as Google.
-            // IdentityController.ExternalSignIn's ExternalSignInCallback would store refresh token provided by Keycloak
-            // Laster, AppUserClaimsPrincipalFactory would use the refresh token to retrieve claims (roles etc) from Keycloak.
-            // This allows seamless integration with Keycloak, that way you could manage users, roles and claims from Keycloak admin console.
-            // Checkout src/Server/Boilerplate.Server.AppHost/Realms/README.md for more information.
-            options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/demo";
+            var realm = configuration["Authentication:Keycloak:Realm"] ?? throw new InvalidOperationException("Authentication:Keycloak:Realm configuration is required");
+
+            options.Authority = $"{keycloakBaseUrl.TrimEnd('/')}/realms/{realm}";
 
             options.ResponseType = "code";
             options.ResponseMode = "query";
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
index b6c0c3da7c..c18e3de957 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/Services/Identity/AppUserClaimsPrincipalFactory.cs
@@ -1,10 +1,12 @@
-using System.IdentityModel.Tokens.Jwt;
+using Medallion.Threading;
+using System.IdentityModel.Tokens.Jwt;
 using Boilerplate.Server.Api.Models.Identity;
 
 namespace Boilerplate.Server.Api.Services.Identity;
 
 public partial class AppUserClaimsPrincipalFactory(UserClaimsService userClaimsService, UserManager<User> userManager, RoleManager<Role> roleManager,
-        IOptions<IdentityOptions> optionsAccessor, IConfiguration configuration, IServiceProvider serviceProvider)
+        IOptions<IdentityOptions> optionsAccessor, IConfiguration configuration, IServiceProvider serviceProvider,
+        Func<string, IDistributedLock> distributedLockProvider)
     : UserClaimsPrincipalFactory<User, Role>(userManager, roleManager, optionsAccessor)
 {
     /// <summary>
@@ -28,40 +30,19 @@ protected override async Task<ClaimsIdentity> GenerateClaimsAsync(User user)
     }
 
     /// <summary>
-    /// Retrieves additional claims from Keycloak and adds them to the user's claims.
+    /// Retrieves additional claims from Keycloak and adds them to the user's claims, if the user has been externally authenticated via Keycloak.
+    /// It also prevents disabled/deleted keycloak users from accessing the application by throwing an UnauthorizedException.
     /// </summary>
     private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity aspnetCoreIdentityClaims)
     {
-        var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"];
+        var keycloakBaseUrl = configuration["KEYCLOAK_HTTP"] ?? configuration["Authentication:Keycloak:KeycloakUrl"];
         if (string.IsNullOrEmpty(keycloakBaseUrl) is false)
         {
             var keycloakRefreshToken = await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "refresh_token");
             if (string.IsNullOrEmpty(keycloakRefreshToken) is false)
             {
-                var keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
-                var keycloakAccessToken = await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "access_token") ?? throw new InvalidOperationException("access_token token is missing");
-                if (DateTimeOffset.UtcNow >= keycloakTokenExpiryDate)
-                {
-                    var httpClient = serviceProvider.GetRequiredService<IHttpClientFactory>().CreateClient("Keycloak");
-                    var refreshRequestPayload = new FormUrlEncodedContent(new Dictionary<string, string>
-                    {
-                        { "grant_type", "refresh_token" },
-                        { "client_id", configuration["Authentication:Keycloak:ClientId"]! },
-                        { "client_secret", configuration["Authentication:Keycloak:ClientSecret"]! },
-                        { "refresh_token", keycloakRefreshToken }
-                    });
-                    using var response = await httpClient.PostAsync($"realms/demo/protocol/openid-connect/token", refreshRequestPayload);
-                    if (response.IsSuccessStatusCode is false)
-                    {
-                        var errorDetails = await response.Content.ReadFromJsonAsync<Dictionary<string, object?>>();
-                        if (errorDetails?.Any(i => i.Key == "error" && i.Value?.ToString() is "invalid_grant") is true)
-                            throw new UnauthorizedException(errorDetails["error_description"]!.ToString()!).WithData(errorDetails);
-                        throw new InvalidOperationException("Failed to refresh Keycloak access token").WithData(errorDetails ?? []);
-                    }
-                    var responseBody = await response.Content.ReadFromJsonAsync<JsonElement>();
-                    keycloakAccessToken = responseBody!.GetProperty("access_token").GetString();
-                    await UserManager.SetAuthenticationTokenAsync(user, "Keycloak", "access_token", keycloakAccessToken!);
-                }
+                var realm = configuration["Authentication:Keycloak:Realm"] ?? throw new InvalidOperationException("Authentication:Keycloak:Realm configuration is required");
+                string? keycloakAccessToken = await GetKeycloakAccessToken(user, keycloakRefreshToken, realm);
                 var handler = new JwtSecurityTokenHandler();
                 var parsedKeycloakAccessToken = handler.ReadJwtToken(keycloakAccessToken);
                 var keycloakClaims = parsedKeycloakAccessToken.Claims
@@ -72,12 +53,54 @@ private async Task RetrieveKeycloakClaims(User user, ClaimsIdentity aspnetCoreId
                         claim.Value))
                     .ToList();
 
-                foreach (var claim in parsedKeycloakAccessToken.Claims.Where(c => aspnetCoreIdentityClaims.HasClaim(c.Type, c.Value) is false))
+                foreach (var claim in keycloakClaims.Where(c => aspnetCoreIdentityClaims.HasClaim(c.Type, c.Value) is false))
                     aspnetCoreIdentityClaims.AddClaim(claim);
             }
         }
     }
 
+    private async Task<string> GetKeycloakAccessToken(User user, string? keycloakRefreshToken, string realm)
+    {
+        var keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
+
+        if (DateTimeOffset.UtcNow < keycloakTokenExpiryDate)
+            return (await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "access_token"))!;
+
+        await using var distributedLock = await distributedLockProvider($"KeycloakTokenRefresh-{user.Id}").AcquireAsync(TimeSpan.FromSeconds(10));
+
+        keycloakTokenExpiryDate = DateTimeOffset.Parse(await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "expires_at") ?? throw new InvalidOperationException("expires_at token is missing"));
+
+        if (DateTimeOffset.UtcNow < keycloakTokenExpiryDate) // Token was refreshed while waiting for the lock by another request
+            return (await UserManager.GetAuthenticationTokenAsync(user, "Keycloak", "access_token"))!;
+
+        var httpClient = serviceProvider.GetRequiredService<IHttpClientFactory>().CreateClient("Keycloak");
+        var refreshRequestPayload = new FormUrlEncodedContent(new Dictionary<string, string>
+        {
+            { "grant_type", "refresh_token" },
+            { "client_id", configuration["Authentication:Keycloak:ClientId"]! },
+            { "client_secret", configuration["Authentication:Keycloak:ClientSecret"]! },
+            { "refresh_token", keycloakRefreshToken! }
+        });
+        using var response = await httpClient.PostAsync($"realms/{realm}/protocol/openid-connect/token", refreshRequestPayload);
+        if (response.IsSuccessStatusCode is false)
+        {
+            var errorDetails = await response.Content.ReadFromJsonAsync<Dictionary<string, object?>>();
+            if (errorDetails?.Any(i => i.Key == "error" && i.Value?.ToString() is "invalid_grant") is true)
+                throw new UnauthorizedException(errorDetails["error_description"]!.ToString()!).WithData(errorDetails);
+            throw new InvalidOperationException("Failed to refresh Keycloak access token").WithData(errorDetails ?? []);
+        }
+        var responseBody = await response.Content.ReadFromJsonAsync<JsonElement>();
+        var keycloakAccessToken = responseBody!.GetProperty("access_token").GetString()!;
+        keycloakRefreshToken = responseBody!.GetProperty("refresh_token").GetString();
+        var expiresIn = responseBody!.GetProperty("expires_in").GetInt32();
+        var newExpiryDate = DateTimeOffset.UtcNow.AddSeconds(expiresIn);
+        await UserManager.SetAuthenticationTokenAsync(user, "Keycloak", "access_token", keycloakAccessToken!);
+        await UserManager.SetAuthenticationTokenAsync(user, "Keycloak", "refresh_token", keycloakRefreshToken!);
+        await UserManager.SetAuthenticationTokenAsync(user, "Keycloak", "expires_at", newExpiryDate.ToString("O"));
+
+        return keycloakAccessToken;
+    }
+
     /// <summary>
     /// aspnetcore identity's code to retrieve claims is not performant enough,
     /// because it doesn't have access to navigation properties and has to query the database for user claims, user roles and role claims separately,
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
index 8458159f92..5daae4a916 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Api/appsettings.json
@@ -189,6 +189,7 @@
         "AzureAD_Comment": "Azure ADB2C/Azure Entra",
         "Keycloak": {
             "KeycloakUrl": "http://localhost:8080/",
+            "Realm": "dev",
             "ClientId": "Boilerplate",
             "ClientSecret": "secret"
         },
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
deleted file mode 100644
index 18dd1b5ffb..0000000000
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/README.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Keycloak Realm Configuration
-
-This directory contains Keycloak realm configuration files that set up authentication and authorization for the Boilerplate application.
-
-## Overview
-
-The `demo-realm.json` file defines a Keycloak realm with pre-configured clients, users, roles, and security settings. This allows the Boilerplate application to demonstrate enterprise Single Sign-On (SSO) functionality using Keycloak as an OpenID Connect identity provider.
-
-## Realm Features
-
-### 🔐 Authentication & Security
-- **Realm Name**: `demo`
-- **SSL Required**: External connections only
-- **Brute Force Protection**: Enabled with progressive lockout
-- **Session Management**: Configurable token lifespans and session timeouts
-- **Password Reset**: Enabled for user self-service
-
-### 🌍 Internationalization Support
-The realm supports multiple languages for localized user interfaces:
-- **English** (en) - Default
-- **Dutch** (nl)
-- **Persian/Farsi** (fa)
-- **Swedish** (sv)
-- **Hindi** (hi)
-- **Chinese** (zh)
-- **Spanish** (es)
-- **French** (fr)
-- **Arabic** (ar)
-- **German** (de)
-
-### 👥 Pre-configured Users
-
-| Username | Email | Password | Roles |
-|----------|-------|----------|-------|
-| `alice` | AliceSmith@email.com | `alice` | demo |
-| `bob` | BobSmith@email.com | `bob` | demo |
-| `test` | test@bitplatform.dev | `123456` | s-admin |
-
-### Application Roles
-
-The realm includes custom application roles for authorization:
-
-- **`s-admin`**: Super Admin role - Full administrative access to the Boilerplate application
-  - **Claims**: Automatically assigned all features via application logic
-  
-- **`demo`**: Demo role - Standard user access for demonstration purposes
-  - **Claims**:
-    - `mx-p-s`: `-1` (Unlimited privileged sessions)
-    - `feat`: `3.0`, `3.1`, `4.0` (Dashboard, ManageProductCatalog, and ManageTodo features)
-
-**Note**: The `s-admin` role has nothing to do with Keycloak admin privileges, it is specific to the Boilerplate app.
-See `AppRoles.cs` and `AppFeatures.cs` for complete details about application roles and features.
-
-### Role Claims Mapping
-
-Role attributes are automatically mapped to JWT token claims via protocol mappers:
-
-- **Max Privileged Sessions (`mx-p-s`)**: Controls the maximum number of concurrent privileged sessions
-  - `-1` = Unlimited sessions
-  - Positive number = Maximum session limit
-  
-- **Features (`feat`)**: Array of feature flags that grant access to specific application features
-  - `3.0` = `AppFeatures.AdminPanel.Dashboard`
-  - `3.1` = `AppFeatures.AdminPanel.ManageProductCatalog`
-  - `4.0` = `AppFeatures.Todo.ManageTodo`
-  - See `AppFeatures.cs` for all available features
-
-These role-specific claims are included in access tokens, ID tokens, and userinfo endpoints via the `roles` scope, enabling fine-grained authorization in the Boilerplate application.
-
-### 🔗 Client Configuration
-
-#### Interactive Confidential Client
-- **Client ID**: `interactive.confidential`
-- **Client Secret**: `secret`
-- **Protocol**: OpenID Connect
-- **Flow Support**: Authorization Code Flow with PKCE
-- **Redirect URIs**: Wildcard (`*`) for development (should be restricted in production)
-
-#### Supported Scopes
-- **`openid`**: Core OpenID Connect identity
-- **`profile`**: User profile information (name, username)
-- **`email`**: Email address and verification status
-- **`api`**: Sample API scope
-- **`offline_access`**: Refresh token support
-
-### ⚙️ Token Configuration
-
-| Setting | Value | Description |
-|---------|-------|-------------|
-| Access Token Lifespan | 5 minutes | Short-lived for security |
-| SSO Session Idle Timeout | 30 minutes | Auto-logout on inactivity |
-| SSO Session Max Lifespan | 10 hours | Maximum session duration |
-| Offline Session Idle Timeout | 30 days | Refresh token validity |
-
-## Integration with Boilerplate
-
-The Keycloak realm integrates seamlessly with the Boilerplate application through:
-
-1. **Aspire Integration**: Automatically starts Keycloak container with realm import
-2. **Environment Configuration**: Connects via `KEYCLOAK_HTTP` environment variable
-3. **OpenID Connect**: Uses standard OIDC flows for authentication
-4. **Token Validation**: JWT tokens validated against Keycloak's public keys
-5. **User Mapping**: Claims automatically mapped to application user properties
-
-## Development Usage
-
-When running the Boilerplate application with Aspire:
-
-1. **Keycloak starts automatically** on port 8080
-2. **Realm is imported** from this JSON file
-3. **Users are immediately available** for testing
-4. **Admin Console**: Access at `http://localhost:8080` (admin/P@ssw0rd)
-Note: Keycloak's admin panel opens master realm by default; switch to `demo` realm to manage users.
-
-## Security Notes
-
-⚠️ **Important**: This configuration is designed for **development and demonstration** purposes only.
-
-For production deployments:
-- Change all default passwords
-- Restrict redirect URIs to specific domains
-- Use proper SSL certificates
-- Configure appropriate session timeouts
-- Enable additional security features for admin user (e.g., 2FA)
-- Review and minimize granted permissions
-- Use strong client secrets and rotate them regularly
-- Enable SMTP server
\ No newline at end of file
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
similarity index 99%
rename from src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
rename to src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
index 5d959e8668..b028d42b04 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/demo-realm.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
@@ -1,8 +1,8 @@
 {
-    "realm": "demo",
-    "id": "demo-realm",
+    "realm": "dev",
+    "id": "dev-realm",
     "enabled": true,
-    "displayName": "Boilerplate Demo Realm",
+    "displayName": "Boilerplate Dev Realm",
     "sslRequired": "external",
     "supportedLocales": [
         "en",
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
index 85def704ef..f27fb084d8 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.Web/appsettings.json
@@ -125,6 +125,7 @@
         },
         "Keycloak": {
             "KeycloakUrl": "http://localhost:8080/",
+            "Realm": "dev",
             "ClientId": "Boilerplate",
             "ClientSecret": "secret"
         }

From 67f323938b7bf879295c2e67a1660a2092e779e1 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:23:16 +0100
Subject: [PATCH 4/8] fix

---
 .../Boilerplate.Server.AppHost.csproj         |   1 -
 .../Boilerplate.Server.AppHost/Program.cs     | 117 +++++++++---------
 2 files changed, 59 insertions(+), 59 deletions(-)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Boilerplate.Server.AppHost.csproj b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Boilerplate.Server.AppHost.csproj
index 711cc84610..442f96b539 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Boilerplate.Server.AppHost.csproj
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Boilerplate.Server.AppHost.csproj
@@ -9,7 +9,6 @@
     </PropertyGroup>
 
     <ItemGroup>
-        <Content Include=".config\dotnet-tools.json" />
         <PackageReference Include="Aspire.Hosting.AppHost" />
         <PackageReference Include="Aspire.Hosting.DevTunnels" />
         <PackageReference Include="Aspire.Hosting.Keycloak" />
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
index 682dd986cd..e6b9bafc55 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
@@ -5,45 +5,46 @@
 
 // Check out appsettings.Development.json for credentials/passwords settings.
 
-//#if (database == "SqlServer")
-var sqlDatabase = builder.AddSqlServer("sqlserver")
-        .WithDbGate(config => config.WithDataVolume())
-        .WithDataVolume()
-        .WithImage("mssql/server", "2025-latest")
-        .AddDatabase("mssqldb"); // Sql server 2025 supports embedded vector search.
-
-//#elif (database == "PostgreSql")
-var postgresDatabase = builder.AddPostgres("postgresserver")
-        .WithPgAdmin(config => config.WithVolume("/var/lib/pgadmin/Boilerplate/data"))
-        .WithV18DataVolume()
-        .WithImage("pgvector/pgvector", "pg18") // pgvector supports embedded vector search.
-        .AddDatabase("postgresdb");
-
-//#elif (database == "MySql")
-var mySqlDatabase = builder.AddMySql("mysqlserver")
-        .WithPhpMyAdmin(config => config.WithVolume("/var/lib/phpMyAdmin/Boilerplate/data"))
-        .WithDataVolume()
-        .AddDatabase("mysqldb");
-//#elif (database == "Sqlite")
+////#if (database == "SqlServer")
+//var sqlDatabase = builder.AddSqlServer("sqlserver")
+//        .WithDbGate(config => config.WithDataVolume())
+//        .WithDataVolume()
+//        .WithImage("mssql/server", "2025-latest")
+//        .AddDatabase("mssqldb"); // Sql server 2025 supports embedded vector search.
+
+////#elif (database == "PostgreSql")
+//var postgresDatabase = builder.AddPostgres("postgresserver")
+//        .WithPgAdmin(config => config.WithVolume("/var/lib/pgadmin/Boilerplate/data"))
+//        .WithV18DataVolume()
+//        .WithImage("pgvector/pgvector", "pg18") // pgvector supports embedded vector search.
+//        .AddDatabase("postgresdb");
+
+////#elif (database == "MySql")
+//var mySqlDatabase = builder.AddMySql("mysqlserver")
+//        .WithPhpMyAdmin(config => config.WithVolume("/var/lib/phpMyAdmin/Boilerplate/data"))
+//        .WithDataVolume()
+//        .AddDatabase("mysqldb");
+////#elif (database == "Sqlite")
 var sqlite = builder.AddSqlite("sqlite", databaseFileName: "BoilerplateDb.db")
     .WithSqliteWeb(config => config.WithVolume("/var/lib/sqliteweb/Boilerplate/data"));
-//#endif
-//#if (filesStorage == "AzureBlobStorage")
-var azureBlobStorage = builder.AddAzureStorage("storage")
-        .RunAsEmulator(azurite =>
-        {
-            azurite
-                .WithDataVolume();
-        })
-        .AddBlobs("azureblobstorage");
-
-//#elif (filesStorage == "S3")
-var s3Storage = builder.AddMinioContainer("s3")
-    .WithDataVolume();
-//#endif
+////#endif
+////#if (filesStorage == "AzureBlobStorage")
+//var azureBlobStorage = builder.AddAzureStorage("storage")
+//        .RunAsEmulator(azurite =>
+//        {
+//            azurite
+//                .WithDataVolume();
+//        })
+//        .AddBlobs("azureblobstorage");
+
+////#elif (filesStorage == "S3")
+//var s3Storage = builder.AddMinioContainer("s3")
+//    .WithDataVolume();
+////#endif
 
 // https://aspire.dev/integrations/security/keycloak/
 var keycloak = builder.AddKeycloak("keycloak", 8080)
+    .WithLifetime(ContainerLifetime.Persistent)
     .WithDataVolume()
     .WithRealmImport("./Realms");
 
@@ -70,35 +71,35 @@
 
 serverWebProject.WithReference(serverApiProject);
 //#if (database == "SqlServer")
-serverApiProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
-//#elif (database == "PostgreSql")
-serverApiProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
-//#elif (database == "MySql")
-serverApiProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
-//#elif (database == "Sqlite")
-serverApiProject.WithReference(sqlite).WaitFor(sqlite);
-//#endif
-//#if (filesStorage == "AzureBlobStorage")
-serverApiProject.WithReference(azureBlobStorage);
-//#elif (filesStorage == "S3")
-serverApiProject.WithReference(s3Storage);
+//serverApiProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
+////#elif (database == "PostgreSql")
+//serverApiProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
+////#elif (database == "MySql")
+//serverApiProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
+////#elif (database == "Sqlite")
+//serverApiProject.WithReference(sqlite).WaitFor(sqlite);
+////#endif
+////#if (filesStorage == "AzureBlobStorage")
+//serverApiProject.WithReference(azureBlobStorage);
+////#elif (filesStorage == "S3")
+//serverApiProject.WithReference(s3Storage);
 //#endif
 serverApiProject.WithReference(keycloak);
 //#else
 
-//#if (database == "SqlServer")
-serverWebProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
-//#elif (database == "PostgreSql")
-serverWebProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
-//#elif (database == "MySql")
-serverWebProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
-//#elif (database == "Sqlite")
+////#if (database == "SqlServer")
+//serverWebProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
+////#elif (database == "PostgreSql")
+//serverWebProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
+////#elif (database == "MySql")
+//serverWebProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
+////#elif (database == "Sqlite")
 serverWebProject.WithReference(sqlite).WaitFor(sqlite);
-//#endif
-//#if (filesStorage == "AzureBlobStorage")
-serverWebProject.WithReference(azureBlobStorage);
-//#elif (filesStorage == "S3")
-serverWebProject.WithReference(s3Storage);
+////#endif
+////#if (filesStorage == "AzureBlobStorage")
+//serverWebProject.WithReference(azureBlobStorage);
+////#elif (filesStorage == "S3")
+//serverWebProject.WithReference(s3Storage);
 //#endif
 serverWebProject.WithReference(keycloak);
 //#endif

From 37a71ce0db11b5ffb7866588d34e8bc50d9d0a13 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:24:03 +0100
Subject: [PATCH 5/8] fix

---
 .../Boilerplate.Server.AppHost/Program.cs     | 117 +++++++++---------
 1 file changed, 58 insertions(+), 59 deletions(-)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
index e6b9bafc55..682dd986cd 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Program.cs
@@ -5,46 +5,45 @@
 
 // Check out appsettings.Development.json for credentials/passwords settings.
 
-////#if (database == "SqlServer")
-//var sqlDatabase = builder.AddSqlServer("sqlserver")
-//        .WithDbGate(config => config.WithDataVolume())
-//        .WithDataVolume()
-//        .WithImage("mssql/server", "2025-latest")
-//        .AddDatabase("mssqldb"); // Sql server 2025 supports embedded vector search.
-
-////#elif (database == "PostgreSql")
-//var postgresDatabase = builder.AddPostgres("postgresserver")
-//        .WithPgAdmin(config => config.WithVolume("/var/lib/pgadmin/Boilerplate/data"))
-//        .WithV18DataVolume()
-//        .WithImage("pgvector/pgvector", "pg18") // pgvector supports embedded vector search.
-//        .AddDatabase("postgresdb");
-
-////#elif (database == "MySql")
-//var mySqlDatabase = builder.AddMySql("mysqlserver")
-//        .WithPhpMyAdmin(config => config.WithVolume("/var/lib/phpMyAdmin/Boilerplate/data"))
-//        .WithDataVolume()
-//        .AddDatabase("mysqldb");
-////#elif (database == "Sqlite")
+//#if (database == "SqlServer")
+var sqlDatabase = builder.AddSqlServer("sqlserver")
+        .WithDbGate(config => config.WithDataVolume())
+        .WithDataVolume()
+        .WithImage("mssql/server", "2025-latest")
+        .AddDatabase("mssqldb"); // Sql server 2025 supports embedded vector search.
+
+//#elif (database == "PostgreSql")
+var postgresDatabase = builder.AddPostgres("postgresserver")
+        .WithPgAdmin(config => config.WithVolume("/var/lib/pgadmin/Boilerplate/data"))
+        .WithV18DataVolume()
+        .WithImage("pgvector/pgvector", "pg18") // pgvector supports embedded vector search.
+        .AddDatabase("postgresdb");
+
+//#elif (database == "MySql")
+var mySqlDatabase = builder.AddMySql("mysqlserver")
+        .WithPhpMyAdmin(config => config.WithVolume("/var/lib/phpMyAdmin/Boilerplate/data"))
+        .WithDataVolume()
+        .AddDatabase("mysqldb");
+//#elif (database == "Sqlite")
 var sqlite = builder.AddSqlite("sqlite", databaseFileName: "BoilerplateDb.db")
     .WithSqliteWeb(config => config.WithVolume("/var/lib/sqliteweb/Boilerplate/data"));
-////#endif
-////#if (filesStorage == "AzureBlobStorage")
-//var azureBlobStorage = builder.AddAzureStorage("storage")
-//        .RunAsEmulator(azurite =>
-//        {
-//            azurite
-//                .WithDataVolume();
-//        })
-//        .AddBlobs("azureblobstorage");
-
-////#elif (filesStorage == "S3")
-//var s3Storage = builder.AddMinioContainer("s3")
-//    .WithDataVolume();
-////#endif
+//#endif
+//#if (filesStorage == "AzureBlobStorage")
+var azureBlobStorage = builder.AddAzureStorage("storage")
+        .RunAsEmulator(azurite =>
+        {
+            azurite
+                .WithDataVolume();
+        })
+        .AddBlobs("azureblobstorage");
+
+//#elif (filesStorage == "S3")
+var s3Storage = builder.AddMinioContainer("s3")
+    .WithDataVolume();
+//#endif
 
 // https://aspire.dev/integrations/security/keycloak/
 var keycloak = builder.AddKeycloak("keycloak", 8080)
-    .WithLifetime(ContainerLifetime.Persistent)
     .WithDataVolume()
     .WithRealmImport("./Realms");
 
@@ -71,35 +70,35 @@
 
 serverWebProject.WithReference(serverApiProject);
 //#if (database == "SqlServer")
-//serverApiProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
-////#elif (database == "PostgreSql")
-//serverApiProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
-////#elif (database == "MySql")
-//serverApiProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
-////#elif (database == "Sqlite")
-//serverApiProject.WithReference(sqlite).WaitFor(sqlite);
-////#endif
-////#if (filesStorage == "AzureBlobStorage")
-//serverApiProject.WithReference(azureBlobStorage);
-////#elif (filesStorage == "S3")
-//serverApiProject.WithReference(s3Storage);
+serverApiProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
+//#elif (database == "PostgreSql")
+serverApiProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
+//#elif (database == "MySql")
+serverApiProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
+//#elif (database == "Sqlite")
+serverApiProject.WithReference(sqlite).WaitFor(sqlite);
+//#endif
+//#if (filesStorage == "AzureBlobStorage")
+serverApiProject.WithReference(azureBlobStorage);
+//#elif (filesStorage == "S3")
+serverApiProject.WithReference(s3Storage);
 //#endif
 serverApiProject.WithReference(keycloak);
 //#else
 
-////#if (database == "SqlServer")
-//serverWebProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
-////#elif (database == "PostgreSql")
-//serverWebProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
-////#elif (database == "MySql")
-//serverWebProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
-////#elif (database == "Sqlite")
+//#if (database == "SqlServer")
+serverWebProject.WithReference(sqlDatabase).WaitFor(sqlDatabase);
+//#elif (database == "PostgreSql")
+serverWebProject.WithReference(postgresDatabase).WaitFor(postgresDatabase);
+//#elif (database == "MySql")
+serverWebProject.WithReference(mySqlDatabase).WaitFor(mySqlDatabase);
+//#elif (database == "Sqlite")
 serverWebProject.WithReference(sqlite).WaitFor(sqlite);
-////#endif
-////#if (filesStorage == "AzureBlobStorage")
-//serverWebProject.WithReference(azureBlobStorage);
-////#elif (filesStorage == "S3")
-//serverWebProject.WithReference(s3Storage);
+//#endif
+//#if (filesStorage == "AzureBlobStorage")
+serverWebProject.WithReference(azureBlobStorage);
+//#elif (filesStorage == "S3")
+serverWebProject.WithReference(s3Storage);
 //#endif
 serverWebProject.WithReference(keycloak);
 //#endif

From 1805ed0d6030e1e474a527cf73515f593ffddd1d Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:27:44 +0100
Subject: [PATCH 6/8] fix

---
 ...P.NET Core Identity - Authentication & Authorization.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md
index 097335ab2d..11d5f84cd0 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md	
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/.docs/07- ASP.NET Core Identity - Authentication & Authorization.md	
@@ -17,8 +17,11 @@ Welcome to **Stage 7** of the Boilerplate project tutorial! In this stage, you w
 3. [Identity Configuration](#identity-configuration)
 4. [Security Best Practices](#security-best-practices)
 5. [One-Time Token System](#one-time-token-system)
-6. [Hands-On Exploration](#hands-on-exploration)
-7. [Video Tutorial](#video-tutorial)
+6. [Advanced Topics](#advanced-topics)
+   - [JWT Token Signing with PFX Certificates](#jwt-token-signing-with-pfx-certificates)
+   - [Keycloak Integration](#keycloak-integration)
+7. [Hands-On Exploration](#hands-on-exploration)
+8. [Video Tutorial](#video-tutorial)
 
 **Important**: All topics related to WebAuthn, passkeys, and passwordless authentication are explained in [Stage 24](/.docs/24-%20WebAuthn%20and%20Passwordless%20Authentication%20(Advanced).md).
 

From 799f237af18caf26eda7cdbe40f61de19a5efdc4 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:35:57 +0100
Subject: [PATCH 7/8] fix

---
 .../src/Shared/Services/AppClaimTypes.cs               | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
index 7a7f07688f..631fc40421 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
@@ -1,32 +1,30 @@
 //+:cnd:noEmit
 namespace Boilerplate.Shared.Services;
 
-/// <summary>
-/// These claims may not be added to RoleClaims/UserClaims tables.
-/// The system itself will assign these claims to the user based on <see cref="AuthPolicies"/> policies.
-/// </summary>
 public class AppClaimTypes
 {
     public const string SESSION_ID = "s-id";
 
     /// <summary>
+    /// true/false
     /// <inheritdoc cref="AuthPolicies.PRIVILEGED_ACCESS"/>
     /// </summary>
     public const string PRIVILEGED_SESSION = "p-s";
 
     /// <summary>
+    /// Number: Maximum privileged sessions for the user.
     /// <inheritdoc cref="AuthPolicies.PRIVILEGED_ACCESS"/>
-    /// Maximum privileged sessions for the user.
     /// </summary>
     public const string MAX_PRIVILEGED_SESSIONS = "mx-p-s";
 
     /// <summary>
+    /// true/false
     /// <inheritdoc cref="AuthPolicies.ELEVATED_ACCESS"/>
     /// </summary>
     public const string ELEVATED_SESSION = "e-s";
 
     /// <summary>
-    /// The list of Boilerplate app features (claims) assigned to the user.
+    /// Array: The list of Boilerplate app features (claims) assigned to the user.
     /// <see cref="AppFeatures"/>
     /// </summary>
     public const string FEATURES = "boilerplate-features";

From 487ac5e7652d7473cbfaaca6f3b0a367fb3b1b12 Mon Sep 17 00:00:00 2001
From: ysmoradi <ysmoradi@outlook.com>
Date: Tue, 9 Dec 2025 16:53:07 +0100
Subject: [PATCH 8/8] fix

---
 .../Boilerplate.Server.AppHost/Realms/dev-realm.json   | 10 +++++-----
 .../src/Shared/Services/AppClaimTypes.cs               |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
index b028d42b04..792d855a49 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Server/Boilerplate.Server.AppHost/Realms/dev-realm.json
@@ -111,7 +111,7 @@
             "name": "demo",
             "path": "/demo",
             "attributes": {
-                "boilerplate-features": [ "3.0", "3.1", "4.0" ]
+                "features": [ "3.0", "3.1", "4.0" ]
             },
             "realmRoles": [],
             "clientRoles": {},
@@ -325,14 +325,14 @@
                     }
                 },
                 {
-                    "id": "client-boilerplate-features-mapper",
-                    "name": "client boilerplate-features attribute",
+                    "id": "client-features-mapper",
+                    "name": "client features attribute",
                     "protocol": "openid-connect",
                     "protocolMapper": "oidc-usermodel-attribute-mapper",
                     "consentRequired": false,
                     "config": {
-                        "claim.name": "boilerplate-features",
-                        "user.attribute": "boilerplate-features",
+                        "claim.name": "features",
+                        "user.attribute": "features",
                         "jsonType.label": "String",
                         "multivalued": "true",
                         "aggregate.attrs": "true",
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
index 631fc40421..3b42db1289 100644
--- a/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
+++ b/src/Templates/Boilerplate/Bit.Boilerplate/src/Shared/Services/AppClaimTypes.cs
@@ -27,5 +27,5 @@ public class AppClaimTypes
     /// Array: The list of Boilerplate app features (claims) assigned to the user.
     /// <see cref="AppFeatures"/>
     /// </summary>
-    public const string FEATURES = "boilerplate-features";
+    public const string FEATURES = "features";
 }