SlideShare ist ein Scribd-Unternehmen logo

Building secure applications with keycloak

Als PPTX, PDF herunterladen
A
Abhishek Koserwal

Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management). And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.

Technologie
1 von 20
Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
Application Demo
JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
Q & A Thank You!

Empfohlen

SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
Ryan Dawson
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
User Management Life Cycle with Keycloak
User Management Life Cycle with KeycloakUser Management Life Cycle with Keycloak
User Management Life Cycle with Keycloak
Muhammad Edwin
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 

Empfohlen

SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
Ryan Dawson
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
Abhishek Koserwal
 
Secure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with KeycloakSecure Spring Boot Microservices with Keycloak
Secure Spring Boot Microservices with Keycloak
Red Hat Developers
 
User Management Life Cycle with Keycloak
User Management Life Cycle with KeycloakUser Management Life Cycle with Keycloak
User Management Life Cycle with Keycloak
Muhammad Edwin
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
GlobalLogic Ukraine
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
Shrey Agarwal
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
Juan Vicente Herrera Ruiz de Alejo
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
Nat Sakimura
 
Introduction to microservices
Introduction to microservicesIntroduction to microservices
Introduction to microservices
Anil Allewar
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
Opsta
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Kangaroot
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
Aqua Security
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Design patterns for microservice architecture
Design patterns for microservice architectureDesign patterns for microservice architecture
Design patterns for microservice architecture
The Software House
 
02 api gateway
02 api gateway02 api gateway
02 api gateway
Janani Velmurugan
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
Yuichi Nakamura
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
Shiu-Fun Poon
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
Knoldus Inc.
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
Aaron Parecki
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
FIDO Alliance
 
Microservices
MicroservicesMicroservices
Microservices
SmartBear
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
Rafal Gancarz
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 

Weitere ähnliche Inhalte

Was ist angesagt?

Design patterns for microservice architecture
Design patterns for microservice architectureDesign patterns for microservice architecture
Design patterns for microservice architecture
The Software House
 

Was ist angesagt? (20)

Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
Hashicorp Vault ppt
Hashicorp Vault pptHashicorp Vault ppt
Hashicorp Vault ppt
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Introduction to microservices
Introduction to microservicesIntroduction to microservices
Introduction to microservices
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18Hashicorp Vault: Open Source Secrets Management at #OPEN18
Hashicorp Vault: Open Source Secrets Management at #OPEN18
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes Container Security Deep Dive & Kubernetes
Container Security Deep Dive & Kubernetes
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Design patterns for microservice architecture
Design patterns for microservice architectureDesign patterns for microservice architecture
Design patterns for microservice architecture
 
02 api gateway
02 api gateway02 api gateway
02 api gateway
 
Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 
OAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPowerOAuth 2.0 with IBM WebSphere DataPower
OAuth 2.0 with IBM WebSphere DataPower
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Introduction to Vault
Introduction to VaultIntroduction to Vault
Introduction to Vault
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Microservices
MicroservicesMicroservices
Microservices
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 

Ähnlich wie Building secure applications with keycloak

AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
Andreas Falk
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
Boyan Dimitrov
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
nasza-klasa
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Ioan Eugen Stan
 

Ähnlich wie Building secure applications with keycloak (20)

Securing Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTPSecuring Microservices using Play and Akka HTTP
Securing Microservices using Play and Akka HTTP
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Security Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren ShahSecurity Architecture Consulting - Hiren Shah
Security Architecture Consulting - Hiren Shah
 
iMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within MicroservicesiMasters Intercon 2016 - Identity within Microservices
iMasters Intercon 2016 - Identity within Microservices
 
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
InterCon 2016 - Segurança de identidade digital levando em consideração uma a...
 
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API AuthorizationGDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
GDG Cloud Taipei: Meetup #52 - Istio Security: API Authorization
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
 
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...
 
MongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDBMongoDB.local Atlanta: Introduction to Serverless MongoDB
MongoDB.local Atlanta: Introduction to Serverless MongoDB
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
Complex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWSComplex architectures for authentication and authorization on AWS
Complex architectures for authentication and authorization on AWS
 
AWS IoT Deep Dive
AWS IoT Deep DiveAWS IoT Deep Dive
AWS IoT Deep Dive
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
How to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GEHow to Install and Configure your own Identity Manager GE
How to Install and Configure your own Identity Manager GE
 
How to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GEHow to Install & Configure Your Own Identity Manager GE
How to Install & Configure Your Own Identity Manager GE
 
Nk API - examples
Nk API - examplesNk API - examples
Nk API - examples
 
OpenID for SSI
OpenID for SSIOpenID for SSI
OpenID for SSI
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
 

Kürzlich hochgeladen

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 

Kürzlich hochgeladen (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Building secure applications with keycloak

  • 1. Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
  • 2. ● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
  • 3. Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
  • 4. What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
  • 5. Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
  • 6. Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
  • 7. App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
  • 8. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
  • 9. How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
  • 10. Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
  • 11. Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
  • 12. The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
  • 13. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
  • 14. Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
  • 15. Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
  • 17. JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
  • 18. Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
  • 19. Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
  • 20. Q & A Thank You!

Hinweis der Redaktion

  1. https://www.x2u.club/work-delegation-memes.html
  2. https://www.keycloak.org/
  3. https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
  4. https://www.keycloak.org/docs/3.1/securing_apps/topics/overview/what-are-client-adapters.html
  5. https://www.keycloak.org/docs/3.1/server_admin/topics/sso-protocols/saml.html
  6. http://www.chaosincomputing.com/2012/05/sticky-sessions-are-evil/
  7. https://dzone.com/articles/api-security-ways-to-authenticate-and-authorize
  8. https://blogs.mulesoft.com/dev/connectivity-dev/google-oauth-security-confused-deputy/ https://samnewman.io/books/building_microservices/
  9. https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html
  10. https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html https://jwt.io/ https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/ https://github.com/akoserwal/keycloak-jwt https://www.npmjs.com/package/keycloak-angular https://github.com/akoserwal/keycloak-jwt https://github.com/akoserwal/statelessappdemo
  11. https://www.keycloak.org/downloads.html
  12. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage https://www.owasp.org/index.php/HttpOnly https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
  13. https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/docker.html
  14. https://www.keycloak.org/docs/latest/server_admin/index.html#threat-model-mitigation