1
Secure Your App With
Keycloak
Guy Marom@SparkBeyond
2
SparkBeyond
Harness humanity’s collective
intelligence to solve the world’s
most impactful problems
2
3
How We Started With Keycloak
We have our own user management code which requires maintenance
3
4
How We Started With Keycloak
Customers are requesting features
• LDAP/Active Directory integration
• Azure Active Directory integration
We’re already hearing requests for Kerberos...
4
5
How We Started With Keycloak
We are developing more products and we’ll need
• Usage of the same users and groups
• Single sign-on
• Cross-product authorized connections
5
6
Before Keycloak
6
[Diagram: a single EC2 machine running Postgres and the SparkBeyond service]
7
With Keycloak
7
[Diagram: an EC2 machine running Keycloak next to several SparkBeyond services; the services authenticate against Keycloak, which stores its data in Postgres]
8
What is Keycloak?
• An Identity Provider (or IdP)
A server that creates and manages identities (users)
• Integrates with
• LDAP and Active Directory
• Any OAuth 2.0 IdPs (Google, Facebook, Github, ...)
• SAML IdPs
• Kerberos
8
9
Before OAuth 2.0
9
10
Authentication and Access Control
• Authentication - validating someone is who he says he is
• Authorization / Access Control - allowing/disallowing access to certain resources
10
11
Implementing by Yourself
1. Create web application
2. Implement authentication layer (hash passwords, secure DB)
3. Implement lots more, like management screens, password policies, email validation, “Remember Me” and so on.
And we haven’t talked about access control yet...
11
12
Accessing 3rd Party Resources
You may want to create
• A Facebook application
• A Chrome extension
• A GitHub application
These all involve accessing private user data
12
13
OAuth (2.0)
13
14
About
• Authorization and not authentication
• Standardized way for accessing resources
• Resource = anything your account contains
Gmail Emails, Facebook profile info, GitHub repos etc.
• Written with selectivity in mind (scopes)
14
15
OAuth 2.0 participants
• Resource Owner
• Resource Server
• Client (your application)
• Authorization Server
15
16
OAuth 2.0 Flows
A protocol: predefined steps, at the end of which the Client receives an Access Token that gives scoped access to resources on the Resource Server
16
17
Access Token
Many things
• User identifier
• Group membership
• Roles
• Optionally - user information
17
18
Authorization Code Flow
• For server side applications
• Redirection based
• Probably the most common
• Definitely the most secure - takes advantage of both front channel and back channel
18
[Diagram: Resource Owner, Client (your application), Resource Server and Authorization Server, with the front channel and the back channel marked]
19
Authorization Code Flow
19
20
Authorization Code Flow - An Example
I want to use CircleCI as the CI tool for my github repos
20
21
Authorization Code Flow - An Example
Sign-up for CircleCI
https://circleci.com/signup/
21
22
Authorization Code Flow - An Example
Sign Up with GitHub
https://github.com/login/oauth/authorize?client_id=78a2ba87f071c28e65bb&redirect_uri=https%3A%2F%2Fcircleci.com%2Fauth%2Fgithub%3Freturn-to%3D%252F&scope=repo%2Cuser%3Aemail&state=C5wg07VR_WyyKhcTUgT1Jl2cBQd02In6UlLfYdlGKEqC4KIAf_hdXLjlfjqpUBAx6S362uskcdW0-1l1
22
23
Authorization Code Flow - An Example
Authorize
https://github.com/login/oauth/authorize
23
24
Authorization Code Flow - An Example
Get redirected back to CircleCI
https://circleci.com/dashboard
I am now logged-in and CircleCI is allowed to use my github repos.
24
25
Authorization Code Flow - An Example
Back in GitHub
I can see CircleCI in the list of the authorized OAuth apps
25
26
Authorization Code Flow - Explained
• Resource = GitHub repos
• Resource owner = me
• Client = CircleCI
• Resource server = GitHub
• Authorization server = also GitHub
26
27
Authorization Code Flow - Explained
Resource Owner (me) wants to sign into CircleCI.
Client (CircleCI) redirects to the authorization server (GitHub) with an authorization code request.
27
“Go and authorize me on GitHub”
28
Authorization Code Flow - Explained
“Do you want to give CircleCI access to your repos?”
“Yeap”
“Here’s a code”
Resource owner authorizes the client to view/edit resources (GitHub repos).
Authorization server (GitHub) issues an authorization code to be taken back to the client.
28
29
Authorization Code Flow - Explained
“Here’s your code dude”
“Yo GitHub, trade you this code for a token?”
“Fine… Here’s your access token”
“YES! Let’s get to work”
Client takes the code, performs a back-channel request to the authorization server and exchanges the code for an access token.
Client hangs on to the access token and uses it to perform authorized requests to the Resource Server (GitHub).
29
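The exchange walked through on the last three slides, worked in Go as an added example (not code from the talk): the client builds the front-channel authorize redirect with the same parameters as the CircleCI/GitHub URL shown earlier, checks the state value when the browser comes back, and only then trades the code for a token over the back channel. The token endpoint is an in-process stand-in for GitHub or Keycloak, and every client ID, secret, URL and token value is constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Client is what the application (the OAuth 2.0 Client) registered with the
// authorization server. All values used in this example are constructed.
type Client struct {
	ID, Secret, RedirectURI string
	AuthorizeURL, TokenURL  string
}

// NewState returns an unguessable value the client keeps in the user's session
// and compares against the callback, so a forged callback cannot complete a
// login the user never started.
func NewState() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeRedirect is the front-channel step: the URL the browser is sent to.
// It carries the same parameters as the GitHub URL CircleCI uses on the slides.
func (c Client) AuthorizeRedirect(scopes []string, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", c.ID)
	q.Set("redirect_uri", c.RedirectURI)
	q.Set("scope", strings.Join(scopes, ","))
	q.Set("state", state)
	return c.AuthorizeURL + "?" + q.Encode()
}

// HandleCallback checks the state the browser brought back, then trades the
// code for a token over the back channel: server to server, never via the browser.
func (c Client) HandleCallback(query url.Values, expectedState string) (string, error) {
	if expectedState == "" || query.Get("state") != expectedState {
		return "", errors.New("state mismatch: refusing to exchange the code")
	}
	code := query.Get("code")
	if code == "" {
		return "", errors.New("no authorization code in callback")
	}
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("redirect_uri", c.RedirectURI)
	form.Set("client_id", c.ID)
	form.Set("client_secret", c.Secret) // only a server-side client can keep this secret
	resp, err := http.PostForm(c.TokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", errors.New("token endpoint refused the code: " + body.Error)
	}
	return body.AccessToken, nil
}

// FakeAuthServer stands in for the GitHub/Keycloak token endpoint. It issues a
// constructed token only for the one-time code it knows and the right client secret.
func FakeAuthServer(code, clientID, clientSecret string) *httptest.Server {
	used := false
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_ = r.ParseForm()
		ok := r.Method == http.MethodPost && !used &&
			r.PostForm.Get("grant_type") == "authorization_code" && r.PostForm.Get("code") == code &&
			r.PostForm.Get("client_id") == clientID && r.PostForm.Get("client_secret") == clientSecret
		w.Header().Set("Content-Type", "application/json")
		if !ok {
			w.WriteHeader(http.StatusBadRequest)
			_ = json.NewEncoder(w).Encode(map[string]string{"error": "invalid_grant"})
			return
		}
		used = true // an authorization code is single use
		_ = json.NewEncoder(w).Encode(map[string]string{"access_token": "constructed-access-token", "token_type": "bearer"})
	}))
}
```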
30
Implicit Flow
• Same as Authorization Code, minus the code part - immediately acquire access token
• Only valid option for cell phone apps and some web apps
• Less secure - no backchannel usage
30
31
Resource Owner Password Credentials
• For testing purposes only!
• Client has user credentials and uses them to acquire access token
• Completely insecure (remember the Yelp story?)
31
32
Scopes
• The mechanism that allows selectivity
• Limits the client’s access to resources
• When a client initiates a token request, it requests specific scopes
32
33
33
34
What is OpenID?
• OAuth was sometimes abused to provide authentication
• Authentication built on top of OAuth 2.0
• Standard endpoints (token, auth, discovery)
• Standard representation of the user information
• Use openid scope
34
35
JWT Token - Standard Claims
35
36
Keycloak
36
37
About
• An IdP
• Developed by RedHat
• Written in Java
• Implements the OAuth 2.0 protocol with OpenID support
• Documentation - Mostly OK
• It’s free, and open-source (Apache 2.0 license)
37
38
Authentication
38
[Diagram: SparkBeyond services authenticate against Keycloak, which in turn federates Social Login, LDAP / Active Directory and Kerberos]
Use Keycloak as an OpenID authentication server
39
Authentication
39
40
Authentication
40
41
Basic Terms
• User
• Role
A “category” of users, e.g. admin, manager, employee
• Group
A collection of users
• Realm
A collection of users, groups and roles
• Client
Applications that want to use Keycloak for authentication
41
42
Authentication - some cool (and free) features
• SSO
• GUI self serve (change password + user details)
• Session revocation
• API Keys (offline tokens)
• User registration
• OTPs - One Time Passwords
• Tons more (not literally) (but tons!!)
42
43
Authorization
1. Assign users to groups, and roles to groups/users
2. Use Keycloak as an OAuth identity provider
3. Acquire username, roles and groups from access token
43
44
Integration with Keycloak - Your App
1. Redirect to Keycloak if a request was made without a token
2. For requests with a token
a. Validate the token
b. Use it (extract user info and access control data)
44
45
Integration with Keycloak - Your App
```scala
// org.keycloak.TokenVerifier; realmPublicKey (assumed, not on the slides) is the realm's
// signing key fetched from Keycloak. Without it verify() cannot check the signature and fails.
val tokenVerifier = TokenVerifier.create(tokenString, classOf[AccessToken]).publicKey(realmPublicKey)
val token = tokenVerifier.verify().getToken
```
45
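An added Go illustration, not Keycloak's TokenVerifier, of what the "validate the token" step on the last three slides has to cover before username, roles and groups are read from an access token: algorithm pinning, an RS256 signature check against the realm public key, expiry, issuer and audience. The realm URL, client ID and claim values are constructed; Sign stands in for Keycloak only so that the example can mint a sample token offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the subset of a Keycloak access token an app needs. Claim names are
// Keycloak defaults; "groups" assumes a group-membership mapper on the client.
type Claims struct {
	Issuer      string       `json:"iss"`
	Audience    AudienceList `json:"aud"`
	Expiry      int64        `json:"exp"`
	Username    string       `json:"preferred_username"`
	RealmAccess struct {
		Roles []string `json:"roles"`
	} `json:"realm_access"`
	Groups []string `json:"groups"`
}

// AudienceList accepts "aud" as a single string or an array; JWT allows both.
type AudienceList []string

func (a *AudienceList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = AudienceList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

// decodePart base64url-decodes one JWT segment and parses it as JSON.
func decodePart(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign mints an RS256 JWT; used here only to construct a sample token in place of Keycloak.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // Claims holds only JSON-safe fields
	in := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig), err
}

// Verify is the "validate the token" step: algorithm, signature, expiry, issuer
// and audience are all checked before any claim is trusted.
func Verify(tok string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*Claims, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if decodePart(p[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // the token must not choose the algorithm
	}
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // a garbled signature simply fails verification
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := decodePart(p[1], &c); err != nil {
		return nil, err
	}
	switch {
	case now.Unix() >= c.Expiry:
		return nil, errors.New("token expired")
	case c.Issuer != issuer:
		return nil, errors.New("wrong issuer")
	case !has(c.Audience, clientID):
		return nil, errors.New("token not issued for this client")
	}
	return &c, nil
}

func has(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// HasRole is the access-control step, driven only by verified claims.
func HasRole(c *Claims, role string) bool { return has(c.RealmAccess.Roles, role) }
```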
46
Integration with Keycloak - Keycloak Side
1. Create a realm
2. Create Clients for your apps
3. At least one of the following:
a. Create users, groups and roles
b. Use external users such as LDAP or any social login
46
47
Tech data
• Runs a JBoss server, with JDK 8
• Requires at least 512MB of RAM
• Requires a relational DB
• Supports a cluster mode for HA
47
48
Questions?
48

Weitere ähnliche Inhalte

Was ist angesagt?

Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect ProtocolMichael Furman
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveNordic APIs
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An OverviewPat Patterson
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?GlobalLogic Ukraine
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxFIDO Alliance
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
Implementing security requirements for banking API system using Open Source ...
 Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...Yuichi Nakamura
 

Was ist angesagt? (20)

OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
 
OAuth2 + API Security
OAuth2 + API SecurityOAuth2 + API Security
OAuth2 + API Security
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 
“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?“How to Secure Your Applications With a Keycloak?
“How to Secure Your Applications With a Keycloak?
 
IBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptxIBM: Hey FIDO, Meet Passkey!.pptx
IBM: Hey FIDO, Meet Passkey!.pptx
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
Implementing security requirements for banking API system using Open Source ...
 Implementing security requirements for banking API system using Open Source ... Implementing security requirements for banking API system using Open Source ...
Implementing security requirements for banking API system using Open Source ...
 

Ähnlich wie Secure your app with keycloak

Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your appÁlvaro Alonso González
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfJorge Alvarez
 
Logic apps and PowerApps - Integrate across your APIs
Logic apps and PowerApps - Integrate across your APIsLogic apps and PowerApps - Integrate across your APIs
Logic apps and PowerApps - Integrate across your APIsSriram Hariharan
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE
 
Spring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleSpring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleGordon Dickens
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеSQALab
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure ADSharePointRadi
 
Introduction to sitecore identity
Introduction to sitecore identityIntroduction to sitecore identity
Introduction to sitecore identityGopikrishna Gujjula
 
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...Lucas Jellema
 
Self-Service x Hashicorp Vault
Self-Service x Hashicorp VaultSelf-Service x Hashicorp Vault
Self-Service x Hashicorp VaultMartin Conraux
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Kris Wagner
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
Scribe online 03 scribe online cdk and api overview
Scribe online 03   scribe online cdk and api overviewScribe online 03   scribe online cdk and api overview
Scribe online 03 scribe online cdk and api overviewScribe Software Corp.
 
Zend server 6 compliance
Zend server 6  complianceZend server 6  compliance
Zend server 6 complianceYonni Mendes
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 

Ähnlich wie Secure your app with keycloak (20)

OAuth: Trust Issues
OAuth: Trust IssuesOAuth: Trust Issues
OAuth: Trust Issues
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 
Adding identity management and access control to your app
Adding identity management and access control to your appAdding identity management and access control to your app
Adding identity management and access control to your app
 
Api security
Api security Api security
Api security
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Building an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdfBuilding an Effective Architecture for Identity and Access Management.pdf
Building an Effective Architecture for Identity and Access Management.pdf
 
Logic apps and PowerApps - Integrate across your APIs
Logic apps and PowerApps - Integrate across your APIsLogic apps and PowerApps - Integrate across your APIs
Logic apps and PowerApps - Integrate across your APIs
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
 
Spring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing PeopleSpring Social - Messaging Friends & Influencing People
Spring Social - Messaging Friends & Influencing People
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружение
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
Developing Apps with Azure AD
Developing Apps with Azure ADDeveloping Apps with Azure AD
Developing Apps with Azure AD
 
Introduction to sitecore identity
Introduction to sitecore identityIntroduction to sitecore identity
Introduction to sitecore identity
 
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
Part 5 of the REAL Webinars on Oracle Cloud Native Application Development - ...
 
Self-Service x Hashicorp Vault
Self-Service x Hashicorp VaultSelf-Service x Hashicorp Vault
Self-Service x Hashicorp Vault
 
Microsoft Azure Identity and O365
Microsoft Azure Identity and O365Microsoft Azure Identity and O365
Microsoft Azure Identity and O365
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 
Scribe online 03 scribe online cdk and api overview
Scribe online 03   scribe online cdk and api overviewScribe online 03   scribe online cdk and api overview
Scribe online 03 scribe online cdk and api overview
 
Zend server 6 compliance
Zend server 6  complianceZend server 6  compliance
Zend server 6 compliance
 
Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
 

Kürzlich hochgeladen

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....ShaimaaMohamedGalal
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...OnePlan Solutions
 

Kürzlich hochgeladen (20)

Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online  ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Clustering techniques data mining book ....
Clustering techniques data mining book ....Clustering techniques data mining book ....
Clustering techniques data mining book ....
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
Tech Tuesday-Harness the Power of Effective Resource Planning with OnePlan’s ...
 

Secure your app with keycloak

  • 1. Secure Your App With Keycloak. Guy Marom @SparkBeyond
  • 2. SparkBeyond: Harness humanity’s collective intelligence to solve the world’s most impactful problems
  • 3. How We Started With Keycloak: We have our own user management code which requires maintenance
  • 4. How We Started With Keycloak: Customers are requesting features • LDAP/Active Directory integration • Azure Active Directory integration. We’re already hearing requests for Kerberos...
  • 5. How We Started With Keycloak: We are developing more products and we’ll need • Usage of the same users and groups • Single sign-on • Cross-product authorized connections
  • 8. What is Keycloak? • An Identity Provider (or IdP): a server that creates and manages identities (users) • Integrates with • LDAP and Active Directory • Any OAuth 2.0 IdPs (Google, Facebook, GitHub, ...) • SAML IdPs • Kerberos
  • 10. Authentication and Access Control • Authentication - validating someone is who he says he is • Authorization / Access Control - allowing/disallowing access to certain resources
  • 11. Implementing by Yourself 1. Create web application 2. Implement authentication layer (hash passwords, secure DB) 3. Implement lots more stuff like management screens, password policies, email validation, “Remember Me” and more. And we haven’t talked about access control yet...
  • 12. Accessing 3rd Party Resources: You may want to create • A Facebook application • A Chrome extension • A GitHub application. These all involve accessing private user data
  • 14. About (OAuth 2.0) • Authorization and not authentication • Standardized way for accessing resources • Resource = anything your account contains: Gmail emails, Facebook profile info, GitHub repos etc. • Written with selectivity in mind (scopes)
  • 15. OAuth 2.0 participants: Resource Owner, Resource Server, Client (Your Application), Authorization Server
  • 16. OAuth 2.0 Flows: A protocol. Predefined steps, at the end of which the Client receives an Access Token that gives scoped access to resources on the Resource Server
  • 17. Access Token: Many things • User identifier • Group membership • Roles • Optionally - user information
  • 18. Authorization Code Flow • For server side applications • Redirection based • Probably the most common • Definitely the most secure - takes advantage of both front channel and back channel (Diagram: Resource Owner, Resource Server, Client / Your Application, Front Channel, Back Channel)
  • 20. Authorization Code Flow - An Example: I want to use CircleCI as the CI tool for my GitHub repos
  • 21. Authorization Code Flow - An Example: Sign up for CircleCI https://circleci.com/signup/
  • 22. Authorization Code Flow - An Example: Sign Up with GitHub https://github.com/login/oauth/authorize?client_id=78a2ba87f071c28e65bb&redirect_uri=https%3A%2F%2Fcircleci.com%2Fauth%2Fgithub%3Freturn-to%3D%252F&scope=repo%2Cuser%3Aemail&state=C5wg07VR_WyyKhcTUgT1Jl2cBQd02In6UlLfYdlGKEqC4KIAf_hdXLjlfjqpUBAx6S362uskcdW0-1l1
  • 23. Authorization Code Flow - An Example: Authorize https://github.com/login/oauth/authorize
  • 24. Authorization Code Flow - An Example: Get redirected back to CircleCI https://circleci.com/dashboard. I am now logged in and CircleCI is allowed to use my GitHub repos.
  • 25. Authorization Code Flow - An Example: Back in GitHub I can see CircleCI in the list of the authorized OAuth apps
  • 26. Authorization Code Flow - Explained • Resource = GitHub repos • Resource owner = me • Client = CircleCI • Resource server = GitHub • Authorization server = also GitHub
  • 27. Authorization Code Flow - Explained: Resource Owner (me) wants to sign into CircleCI. Client (CircleCI) redirects to authorization server (GitHub) with an authorization code request. “Go and authorize me on GitHub”
  • 28. Authorization Code Flow - Explained: “Do you want to give CircleCI access to your repos?” “Yeap” “Here’s a code”. Resource owner authorizes client to view/edit resources (GitHub repos). Authorization server (GitHub) issues authorization code to be taken back to client.
  • 29. Authorization Code Flow - Explained: “Here’s your code dude” “Yo GitHub, trade you this code for a token?” “Fine… Here’s your access token” “YES! Let’s get to work”. Client takes code, performs a backchannel request to Auth Server and exchanges the code for an access token. Client hangs on to access token and uses it to perform authorized requests to the Resource Server (GitHub).
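The three steps of slides 27 to 29 as a runnable simulation, added here as an example and not code from the deck or from GitHub/CircleCI. A GitHub-like authorization server and a CircleCI-like client are both constructed in-process; client id, secret, redirect URI and hostnames are made-up values. Beyond the slides it also shows the checks the exchange relies on: the state parameter binding the callback to the browser session, the redirect URI being registered, client authentication on the back channel, and the code being single-use.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs
# Constructed demo values: one registered client (CircleCI-like) at a GitHub-like auth server.
CLIENT_ID, CLIENT_SECRET = "circle-demo", "constructed-secret"
REDIRECT_URI = "https://client.example/auth/callback"

class AuthorizationServer:
    def __init__(self):
        self.clients = {CLIENT_ID: {"secret": CLIENT_SECRET, "redirect_uri": REDIRECT_URI}}
        self.codes = {}  # code -> (client_id, redirect_uri, scope, user); short-lived in reality
    def authorize(self, params, user):
        # Front channel: the resource owner consents, we mint a single-use code and redirect back.
        client = self.clients.get(params["client_id"])
        if client is None or params["redirect_uri"] != client["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri")  # never redirect to unregistered URIs
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], params["redirect_uri"], params["scope"], user)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})
    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: only the authenticated client may trade the code for an access token.
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client_secret, client["secret"]):
            raise ValueError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code is redeemable exactly once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise ValueError("invalid code")
        return {"access_token": secrets.token_urlsafe(24), "scope": entry[2], "user": entry[3]}

class Client:
    def __init__(self, auth_server):
        self.auth_server, self.sessions = auth_server, {}  # browser session -> expected state
    def start_login(self, session_id, scope="repo,user:email"):
        state = secrets.token_urlsafe(16)  # binds the callback to this browser session
        self.sessions[session_id] = state
        return "https://auth.example/authorize?" + urlencode({"client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": scope, "state": state})
    def callback(self, session_id, redirect_url):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        expected = self.sessions.pop(session_id, None)
        if expected is None or not secrets.compare_digest(q.get("state", ""), expected):
            raise ValueError("state mismatch (possible CSRF)")
        return self.auth_server.token(CLIENT_ID, CLIENT_SECRET, q["code"], REDIRECT_URI)

def run_flow(auth_server, user="guy"):
    # Slides 27-29 in order: redirect out, consent, redirect back, code-for-token exchange.
    client = Client(auth_server)
    auth_url = client.start_login("browser-1")
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    return client.callback("browser-1", auth_server.authorize(params, user))
```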
  • 30. Implicit Flow • Same as Authorization Code, minus the code part - immediately acquire access token • Only valid option for cell phone apps and some web apps • Less secure - no backchannel usage
  • 31. Resource Owner Password Credentials • For testing purposes only! • Client has user credentials and uses them to acquire access token • Completely insecure (remember the Yelp story?)
  • 32. Scopes • The mechanism that allows selectivity • Limits the client’s access to resources • When a client initiates token request, it requests specific scopes (screenshot: GitHub)
  • 33. (slide is an image)
  • 34. What is OpenID? • OAuth was sometimes abused to provide authentication • Authentication built on top of OAuth 2.0 • Standard endpoints (token, auth, discovery) • Standard representation of the user information • Use openid scope
  • 35. JWT Token - Standard Claims (slide is an image)
  • 37. About (Keycloak) • An IdP • Developed by RedHat • Written in Java • Implements the OAuth 2.0 protocol with OpenID support • Documentation - Mostly OK • It’s free, and open-source (Apache 2.0 license)
  • 38. Authentication: Use Keycloak as an OpenID authentication server (Diagram: Keycloak, SparkBeyond services, Authenticate, Social Login, LDAP / Active Directory, Kerberos)
  • 41. Basic Terms • User • Role: a “category” of users, e.g. admin, manager, employee • Group: a collection of users • Realm: a collection of users, groups and roles • Client: applications that want to use Keycloak for authentication
  • 42. Authentication - some cool (and free) features • SSO • GUI self serve (change password + user details) • Session revocation • API Keys (offline tokens) • User registration • OTPs - One Time Passwords • Tons more (not literally) (but tons!!)
  • 43. Authorization 1. Assign users to groups, and roles to groups/users 2. Use Keycloak as an OAuth identity provider 3. Acquire username, roles and groups from access token
  • 44. Integration with Keycloak - Your App 1. Redirect to Keycloak if a request was made without a token 2. For requests with a token a. Validate the token b. Use it (extract user info and access control data)
  • 45. Integration with Keycloak - Your App (Scala, using Keycloak’s org.keycloak.TokenVerifier and org.keycloak.representations.AccessToken) • val tokenVerifier = TokenVerifier.create(tokenString, classOf[AccessToken]) • val token = tokenVerifier.verify().getToken
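Steps 2a and 2b of slide 44 and step 3 of slide 43, worked through in Python as an added example (not the deck’s Scala code and not Keycloak’s TokenVerifier). To run offline it signs a constructed token with HS256 and a shared demo key; real Keycloak access tokens are RS256-signed and must be checked against the realm’s public key. The issuer URL, the client id used as audience, and the `groups` claim (which Keycloak only emits when a group-membership mapper is configured) are assumed values; `realm_access`, `resource_access` and `preferred_username` are Keycloak’s actual claim names.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. DEMO_KEY stands in for the realm signing key: real Keycloak
# tokens are RS256-signed, so verify them with the realm's public key, never a shared secret.
DEMO_KEY = b"constructed-demo-secret"
EXPECTED_ISSUER = "https://keycloak.example/auth/realms/demo"  # assumed realm URL
EXPECTED_AUDIENCE = "sparkbeyond-app"                          # assumed client id

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_demo_token(claims, key=DEMO_KEY):
    """Build a constructed HS256 JWT so the example runs offline (Keycloak would do this)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token, key=DEMO_KEY, now=None):
    """Step 2a: return the claims only if signature, expiry, issuer and audience all pass."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the token's own choice
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # check the signature before reading any claim
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    if EXPECTED_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError("token not meant for this client")
    return claims

def access_control(claims, required_role, client_id=EXPECTED_AUDIENCE):
    """Step 2b: pull identity and access-control data out of Keycloak's claim layout."""
    realm_roles = set(claims.get("realm_access", {}).get("roles", []))  # realm-level roles
    client_roles = set(claims.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return {"user": claims.get("preferred_username"),
            "groups": claims.get("groups", []),  # present only with a group-membership mapper
            "allowed": required_role in realm_roles | client_roles}
```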
  • 46. Integration with Keycloak - Keycloak Side 1. Create a realm 2. Create Clients for your apps 3. At least one of the following: a. Create users, groups and roles b. Use external users such as LDAP or any social login
  • 47. Tech data • Runs a JBoss server, with JDK 8 • Requires at least 512MB of RAM • Requires a relational DB • Supports a cluster mode for HA

Editor’s Notes

  1. Yelp story
  2. Client does one of the following: sets the access token as a cookie, so the user will re-transmit it with any following request; or creates some session token and locally saves a map of session token -> access token
  3. Show Keycloak