Configure your Keycloak client as “bearer-only” and use OWIN’s (or ASP.NET Core’s) JWT middleware to validate tokens. Set your issuer, audience, and signing key (ideally retrieved from Keycloak’s OIDC discovery endpoint) to match Keycloak’s settings. This lets your .NET MVC app validate the bearer tokens issued by Keycloak.
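
A minimal ASP.NET Core `Program.cs` for the setup described above, as an added example rather than code from the original answer. The realm URL `https://keycloak.example.com/realms/demo` and the audience `my-mvc-api` are assumed placeholder values; substitute your own realm and client ID.

```csharp
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed placeholders (not from the original page).
const string realmUrl = "https://keycloak.example.com/realms/demo";
const string apiAudience = "my-mvc-api";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority makes the middleware fetch
        // {realmUrl}/.well-known/openid-configuration and the JWKS it points to,
        // so signing keys are never hard-coded and key rotation is picked up.
        options.Authority = realmUrl;
        options.RequireHttpsMetadata = true; // refuse plain-HTTP discovery

        // The token's "aud" claim must contain this value. If validation fails
        // on audience, check which audiences the realm puts into access tokens.
        options.Audience = apiAudience;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = realmUrl,          // must equal the token's "iss" exactly
            ValidateAudience = true,
            ValidateLifetime = true,         // enforce exp / nbf
            ValidateIssuerSigningKey = true,
            // Pin the accepted algorithm; assumes the realm signs with RS256.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
            ClockSkew = TimeSpan.FromSeconds(30) // the default is 5 minutes
        };
    });

builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

Controllers or actions marked `[Authorize]` then reject requests whose bearer token fails any of these checks with a 401.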