The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak.
How We Started With Keycloak
We have our own user management code, which requires maintenance.

How We Started With Keycloak
Customers are requesting features:
• LDAP/Active Directory integration
• Azure Active Directory integration
We’re already hearing requests for Kerberos...

How We Started With Keycloak
We are developing more products and we’ll need:
• Usage of the same users and groups
• Single sign-on
• Cross-product authorized connections

What is Keycloak?
• An Identity Provider (or IdP): a server that creates and manages identities (users)
• Integrates with:
  • LDAP and Active Directory
  • Any OAuth 2.0 IdP (Google, Facebook, GitHub, ...)
  • SAML IdPs
  • Kerberos

Authentication and Access Control
• Authentication - validating that someone is who they claim to be
• Authorization / Access Control - allowing or disallowing access to certain resources

Implementing by Yourself
1. Create the web application
2. Implement the authentication layer (hash passwords, secure the DB)
3. Implement lots more: management screens, password policies, email validation, “Remember Me” and so on.
And we haven’t talked about access control yet...

Accessing 3rd Party Resources
You may want to create:
• A Facebook application
• A Chrome extension
• A GitHub application
These all involve accessing private user data.

About OAuth 2.0
• Authorization, not authentication
• A standardized way of accessing resources
• Resource = anything your account contains: Gmail emails, Facebook profile info, GitHub repos etc.
• Written with selectivity in mind (scopes)

OAuth 2.0 Flows
A protocol: predefined steps, at the end of which the Client receives an Access Token that gives scoped access to resources on the Resource Server.

Authorization Code Flow
• For server side applications
• Redirection based
• Probably the most common
• Definitely the most secure - takes advantage of both front channel and back channel
[Diagram: Resource Owner, Client (Your Application) and Resource Server, with the Front Channel and Back Channel between them]

Authorization Code Flow - An Example
Get redirected back to CircleCI: https://circleci.com/dashboard
I am now logged in and CircleCI is allowed to use my GitHub repos.

Authorization Code Flow - An Example
Back in GitHub, I can see CircleCI in the list of the authorized OAuth apps.

Authorization Code Flow - Explained
• Resource = GitHub repos
• Resource owner = me
• Client = CircleCI
• Resource server = GitHub
• Authorization server = also GitHub

Authorization Code Flow - Explained
Resource Owner (me) wants to sign into Circle CI.
Client (CircleCI) redirects to the authorization server (GitHub) with an authorization code request.
Speech bubble (Client to Resource Owner): “Go and authorize me on GitHub”

Authorization Code Flow - Explained
Speech bubbles:
  GitHub: “Do you want to give Circle CI access to your repos?”
  Me: “Yeap”
  GitHub: “Here’s a code”
Resource owner authorizes the client to view/edit resources (GitHub repos).
Authorization server (GitHub) issues an authorization code to be taken back to the client.

Authorization Code Flow - Explained
Speech bubbles:
  GitHub: “Here’s your code dude”
  CircleCI: “Yo GitHub, trade you this code for a token?”
  GitHub: “Fine… Here’s your access token”
  CircleCI: “YES! Let’s get to work”
Client takes the code, performs a backchannel request to the Auth Server and exchanges the code for an access token.
Client hangs on to the access token and uses it to perform authorized requests to the Resource Server (GitHub).
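The exchange the last three slides walk through, written out as an added example that is not part of the original deck: a small in-memory Python simulation of both sides, the client (CircleCI's role) and the authorization/resource server (GitHub's role). Nothing is contacted over the network; the client registration, client secret, user name and repo list are constructed, and the state parameter (not on the slides) is included because a real client uses it to tie the callback to the login it started. The run shows the properties the slides describe: the code crosses the front channel but is worthless without the client secret on the back channel, it can be redeemed once only, and the access token is limited to the requested scope.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://github.com/login/oauth/authorize"  # URL only; nothing is contacted

def query_dict(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthorizationServer:
    """Plays GitHub: authorization endpoint, token endpoint and the repos API."""
    def __init__(self):
        # Constructed client registration: client_id -> (client_secret, registered redirect_uri)
        self.clients = {"circleci": ("constructed-client-secret", "https://circleci.com/callback")}
        self.codes = {}    # authorization code -> what it was issued for
        self.tokens = {}   # access token -> user and scope it grants

    def authorize(self, query: dict, user: str, consent: bool) -> str:
        """Front channel: the browser arrives with the client's request; returns the redirect URL."""
        _, registered_uri = self.clients[query["client_id"]]
        # The code is delivered to redirect_uri, so it must match the registration exactly
        if query["redirect_uri"] != registered_uri:
            raise ValueError("redirect_uri does not match the client registration")
        if not consent:
            return registered_uri + "?" + urlencode({"error": "access_denied", "state": query["state"]})
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": query["client_id"], "scope": query["scope"],
                            "user": user, "expires": time.time() + 600}
        return registered_uri + "?" + urlencode({"code": code, "state": query["state"]})

    def token(self, form: dict) -> dict:
        """Back channel: only a client that proves it holds the secret can redeem a code."""
        secret, registered_uri = self.clients.get(form.get("client_id"), (None, None))
        if secret is None or not secrets.compare_digest(secret, form.get("client_secret", "")):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)   # pop: a code can be redeemed once only
        if (entry is None or entry["expires"] < time.time()
                or entry["client_id"] != form["client_id"] or form.get("redirect_uri") != registered_uri):
            return {"error": "invalid_grant"}
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": entry["user"], "scope": entry["scope"]}
        return {"access_token": access_token, "token_type": "bearer", "scope": entry["scope"]}

    def list_repos(self, bearer: str) -> dict:
        """Resource server: the scope carried by the token decides what the client may read."""
        info = self.tokens.get(bearer)
        if info is None or "repo" not in info["scope"].split():
            return {"error": "insufficient_scope"}
        return {"owner": info["user"], "repos": ["app", "infra"]}   # constructed repo list

class Client:
    """Plays CircleCI: a server-side application that holds a client secret."""
    def __init__(self, server: AuthorizationServer):
        self.server = server
        self.client_id, self.client_secret = "circleci", "constructed-client-secret"
        self.redirect_uri = "https://circleci.com/callback"
        self.pending_state = None
        self.access_token = None

    def start_login(self, scope: str = "repo") -> str:
        """Step 1: build the URL the user's browser is redirected to."""
        self.pending_state = secrets.token_urlsafe(16)   # ties the callback to this login attempt
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": self.pending_state})

    def handle_callback(self, redirect_url: str) -> dict:
        """Step 3: the browser comes back with the code; redeem it on the back channel."""
        q = query_dict(redirect_url)
        if q.get("state") != self.pending_state:
            raise ValueError("state mismatch: callback does not belong to our login attempt")
        if "error" in q:
            raise ValueError(q["error"])
        resp = self.server.token({"grant_type": "authorization_code", "code": q["code"],
                                  "redirect_uri": self.redirect_uri,
                                  "client_id": self.client_id, "client_secret": self.client_secret})
        if "error" in resp:
            raise ValueError(resp["error"])
        self.access_token = resp["access_token"]
        return resp

def run_flow() -> dict:
    """Walk the exchange once and return what each step produced."""
    github = AuthorizationServer()
    circleci = Client(github)
    auth_url = circleci.start_login("repo")                                       # "Go and authorize me"
    redirect = github.authorize(query_dict(auth_url), user="alice", consent=True)  # "Yeap" / "Here's a code"
    code = query_dict(redirect)["code"]
    # The code crossed the front channel; without the client secret it is worth nothing
    stolen_code = github.token({"grant_type": "authorization_code", "code": code, "client_id": "circleci",
                                "client_secret": "wrong-guess", "redirect_uri": circleci.redirect_uri})
    token_resp = circleci.handle_callback(redirect)            # "Trade you this code for a token?"
    repos = github.list_repos(circleci.access_token)           # authorized request to the resource server
    replay = github.token({"grant_type": "authorization_code", "code": code, "client_id": "circleci",
                           "client_secret": "constructed-client-secret", "redirect_uri": circleci.redirect_uri})
    return {"token_type": token_resp["token_type"], "scope": token_resp["scope"],
            "repos": repos, "stolen_code": stolen_code, "replay": replay}
```

Calling run_flow() returns the bearer token type and scope, the repos read with the token, and the two rejected token requests: the one made without the secret (invalid_client) and the replay of the already redeemed code (invalid_grant). The redirect_uri check in authorize() is the other guard worth noticing: the code is only ever sent to the address the client registered.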

Implicit Flow
• Same as Authorization Code, minus the code part - the client immediately acquires the access token
• Only valid option for cell phone apps and some web apps
• Less secure - no backchannel usage

Resource Owner Password Credentials
• For testing purposes only!
• The client has the user's credentials and uses them to acquire an access token
• Completely insecure (remember the Yelp story?)

Scopes
• The mechanism that allows selectivity
• Limits the client’s access to resources
• When a client initiates a token request, it requests specific scopes
Example: GitHub

What is OpenID?
• OAuth was sometimes abused to provide authentication
• Authentication built on top of OAuth 2.0 (OpenID Connect)
• Standard endpoints (token, auth, discovery)
• Standard representation of the user information
• Uses the openid scope

About Keycloak
• An IdP
• Developed by Red Hat
• Written in Java
• Implements the OAuth 2.0 protocol with OpenID support
• Documentation - mostly OK
• It’s free and open-source (Apache 2.0 license)

Basic Terms
• User
• Role - a “category” of users, e.g. admin, manager, employee
• Group - a collection of users
• Realm - a collection of users, groups and roles
• Client - applications that want to use Keycloak for authentication

Authentication - some cool (and free) features
• SSO
• GUI self-service (change password + user details)
• Session revocation
• API keys (offline tokens)
• User registration
• OTPs - One Time Passwords
• Tons more (not literally) (but tons!!)

Authorization
1. Assign users to groups, and roles to groups/users
2. Use Keycloak as an OAuth identity provider
3. Acquire username, roles and groups from the access token

Integration with Keycloak - Your App
1. Redirect to Keycloak if a request was made without a token
2. For requests with a token:
   a. Validate the token
   b. Use it (extract user info and access control data)

Integration with Keycloak - Your App
Validating a token with Keycloak's TokenVerifier (Scala):

    import org.keycloak.TokenVerifier
    import org.keycloak.representations.AccessToken

    // realmPublicKey (assumed name): the realm's public key, a java.security.PublicKey fetched from Keycloak;
    // the verifier needs it to check the signature, and withDefaultChecks adds the standard checks
    // (token active, subject present, token type)
    val tokenVerifier = TokenVerifier.create(tokenString, classOf[AccessToken])
      .publicKey(realmPublicKey)
      .withDefaultChecks()
    val token = tokenVerifier.verify().getToken
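Steps 2a and 2b (validate the token, then extract user info and access-control data) and the three Authorization steps two slides up, as an added Python example that is neither the deck's own code nor Keycloak's API. It models the checks TokenVerifier performs (signature, issuer, audience, token type, lifetime) and then reads the claims a Keycloak access token carries: preferred_username, realm_access.roles, resource_access.<client>.roles and, when a group membership mapper is configured for the client, groups. One simplification, labelled in the code: the sample token is signed with HS256 and a constructed shared secret so the block runs with the standard library only; a real Keycloak realm signs with RS256 and your app verifies with the realm's public key (via TokenVerifier or a JWT library), pinning that algorithm exactly as this code pins HS256. The realm URL, client id, user and roles are constructed values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample realm, client and signing secret (not a real deployment)
ISSUER = "https://keycloak.example.com/auth/realms/demo"
CLIENT_ID = "my-app"
SECRET = b"constructed-shared-secret"
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID, "typ": "Bearer",
    "iat": 1_700_000_000, "exp": 1_700_000_300,
    "preferred_username": "alice",
    "realm_access": {"roles": ["employee", "manager"]},        # realm roles
    "resource_access": {CLIENT_ID: {"roles": ["viewer"]}},    # client roles, keyed by client
    "groups": ["/engineering"],                                # present only with a group membership mapper
}

class TokenInvalid(Exception):
    """Raised for any token the app must not act on."""

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_claims(claims: dict) -> str:
    return b64url_encode(json.dumps(claims, separators=(",", ":")).encode())

def make_token(claims: dict, secret: bytes) -> str:
    """Issuer side, standing in for Keycloak: HS256-signed JWT (Keycloak itself signs with RS256)."""
    header = encode_claims({"alg": "HS256", "typ": "JWT"})
    signing_input = f"{header}.{encode_claims(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Step 2a: return the claims only if signature, issuer, audience, type and lifetime all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenInvalid("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose it (rejects alg=none and key-confusion tokens)
    if header.get("alg") != "HS256":
        raise TokenInvalid("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise TokenInvalid("bad signature")
    claims = json.loads(b64url_decode(payload_b64))     # only now is the payload trustworthy
    if claims.get("iss") != issuer:
        raise TokenInvalid("wrong issuer (realm)")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenInvalid("token was not issued for this client")
    if claims.get("typ") != "Bearer":
        raise TokenInvalid("not an access token")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise TokenInvalid("token expired or not yet valid")
    return claims

def extract_access(claims: dict, client_id: str) -> dict:
    """Step 2b: the user's identity plus the authorization data Keycloak put in the token."""
    return {
        "username": claims.get("preferred_username"),
        "realm_roles": sorted(claims.get("realm_access", {}).get("roles", [])),
        "client_roles": sorted(claims.get("resource_access", {}).get(client_id, {}).get("roles", [])),
        "groups": sorted(claims.get("groups", [])),
    }

def has_role(access: dict, role: str) -> bool:
    """The access-control decision your app makes from the extracted data."""
    return role in access["realm_roles"] or role in access["client_roles"]

def demo(now: float = 1_700_000_100) -> dict:
    """Issue the sample token, validate it as the app would, and decide two role checks."""
    token = make_token(SAMPLE_CLAIMS, SECRET)
    access = extract_access(verify_token(token, SECRET, ISSUER, CLIENT_ID, now=now), CLIENT_ID)
    return {"access": access, "manager": has_role(access, "manager"), "admin": has_role(access, "admin")}
```

demo() returns alice's realm roles, client roles and groups together with a granted check (manager) and a denied one (admin). The order inside verify_token is the point: the payload is decoded only after the signature has been verified, so a token whose realm_access was edited in transit never reaches extract_access, and an otherwise valid token issued for another client or another realm is rejected by the audience and issuer checks.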

Integration with Keycloak - Keycloak Side
1. Create a realm
2. Create Clients for your apps
3. At least one of the following:
   a. Create users, groups and roles
   b. Use external users such as LDAP or any social login

Tech data
• Runs on a JBoss server, with JDK 8
• Requires at least 512 MB of RAM
• Requires a relational DB
• Supports a cluster mode for HA

Client does one of the following:
• Sets the access token as a cookie, so the user will re-transmit it with any following request
• Creates a session token and locally saves a map of session token -> access token