SlideShare una empresa de Scribd logo

Building secure applications with keycloak

Descargar como PPTX, PDF
A
Abhishek Koserwal

Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management). And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.

Tecnología
1 de 20
Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
Application Demo
JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
Q & A Thank You!

Recomendados

Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 

Recomendados

Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
Cloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFECloud Native Identity with SPIFFE
Cloud Native Identity with SPIFFE
Prabath Siriwardena
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
Uwe Friedrichsen
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
Yuichi Nakamura
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
Torin Sandall
 
KrakenD API Gateway
KrakenD API GatewayKrakenD API Gateway
KrakenD API Gateway
Albert Lombarte
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
confluent
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
Docker, Inc.
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
apidays
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
Kunal Hire
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
Rafal Gancarz
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 

Más contenido relacionado

La actualidad más candente

API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
WSO2
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
Kunal Hire
 

La actualidad más candente (20)

Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy Engine
 
KrakenD API Gateway
KrakenD API GatewayKrakenD API Gateway
KrakenD API Gateway
 
IBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use CasesIBM DataPower Gateway - Common Use Cases
IBM DataPower Gateway - Common Use Cases
 
Securing Kafka
Securing Kafka Securing Kafka
Securing Kafka
 
Introduction to Docker - 2017
Introduction to Docker - 2017Introduction to Docker - 2017
Introduction to Docker - 2017
 
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
APIsecure 2023 - API orchestration: to build resilient applications, Cherish ...
 
Api gateway in microservices
Api gateway in microservicesApi gateway in microservices
Api gateway in microservices
 

Similar a Building secure applications with keycloak

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
nasza-klasa
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Ioan Eugen Stan
 

Similar a Building secure applications with keycloak (20)

Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren Shah
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDB
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
AWS IoT Deep Dive
AWS IoT Deep DiveAWS IoT Deep Dive
AWS IoT Deep Dive
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GE
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 

Building secure applications with keycloak

  • 1. Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
  • 2. ● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
  • 3. Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
  • 4. What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
  • 5. Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
  • 6. Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
  • 7. App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
  • 8. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
  • 9. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
  • 10. Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
  • 11. Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
  • 12. The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
  • 13. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
  • 14. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
  • 15. Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
  • 17. JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
  • 18. Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
  • 19. Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
  • 20. Q & A Thank You!

Notas del editor

  1. https://www.x2u.club/work-delegation-memes.html
  2. https://www.keycloak.org/
  3. https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
  4. https://www.keycloak.org/docs/3.1/securing_apps/topics/overview/what-are-client-adapters.html
  5. https://www.keycloak.org/docs/3.1/server_admin/topics/sso-protocols/saml.html
  6. http://www.chaosincomputing.com/2012/05/sticky-sessions-are-evil/
  7. https://dzone.com/articles/api-security-ways-to-authenticate-and-authorize
  8. https://blogs.mulesoft.com/dev/connectivity-dev/google-oauth-security-confused-deputy/ https://samnewman.io/books/building_microservices/
  9. https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html
  10. https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html https://jwt.io/ https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/ https://github.com/akoserwal/keycloak-jwt https://www.npmjs.com/package/keycloak-angular https://github.com/akoserwal/keycloak-jwt https://github.com/akoserwal/statelessappdemo
  11. https://www.keycloak.org/downloads.html
  12. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage https://www.owasp.org/index.php/HttpOnly https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
  13. https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/docker.html
  14. https://www.keycloak.org/docs/latest/server_admin/index.html#threat-model-mitigation