Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Building secure applications with keycloak

3.629 Aufrufe

Veröffentlicht am

Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management).
And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.

Veröffentlicht in: Technologie
  • You can try to use this service ⇒ www.HelpWriting.net ⇐ I have used it several times in college and was absolutely satisfied with the result.
       Antworten 
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier
  • Did you try ⇒ www.HelpWriting.net ⇐?. They know how to do an amazing essay, research papers or dissertations.
       Antworten 
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier

Building secure applications with keycloak

  1. 1. Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
  2. 2. ● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
  3. 3. Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
  4. 4. What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
  5. 5. Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
  6. 6. Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
  7. 7. App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
  8. 8. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
  9. 9. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
  10. 10. Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
  11. 11. Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
  12. 12. The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
  13. 13. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
  14. 14. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
  15. 15. Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
  16. 16. Application Demo
  17. 17. JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
  18. 18. Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
  19. 19. Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
  20. 20. Q & A Thank You!

×