OAuth 2.0 is often mistaken for an authentication protocol, but it is not one: it is an authorization protocol used to delegate access between two services. OAuth does the heavy lifting of authorization, but it says nothing about who the user is; the access token it issues is opaque to the client and carries no identity. This is where OpenID Connect comes in. It is a thin identity layer that sits on top of OAuth 2.0, authenticates the user correctly and hands the user's identity back to the client as a signed ID token. With OpenID Connect, organizations can provide Single Sign-On (SSO). In this talk we will see how Keycloak, an OpenID Provider, can be used to perform Single Sign-On with JSON Web Tokens (JWT).

Most applications authenticate with a session ID. They either rely on sticky sessions or share a common session database between the web applications running on the same server. Although this approach is widely used, it does not scale well: with the recent increase in adoption of microservice architectures, scaling an application that depends on a server-side session ID has become difficult. A JWT, by contrast, is a self-contained signed token that any service holding the issuer's public key can validate without consulting a shared session store. In this talk we will gain a deep understanding of how JWTs are used to implement the OpenID Connect protocol, and I shall also demonstrate how I have implemented it in the Foreman project.
2. About me
● Software Engineer at Red Hat.
● Red Hat Certified Architect with certifications in
Ansible, Puppet, Openshift, Docker and Linux
administration.
● Follow me on:
○ Twitter: @rabajaj_
○ Github: https://github.com/rabajaj0509
○ Blog: https://rahulbajaj05.wordpress.com
@rabajaj_
3. Agenda
1. Conceptual Aside
a. Authentication
b. JSON Web Tokens
c. OAuth 2.0
d. OpenID Connect
e. OAuth 2.0 workflows
2. Keycloak as an OpenID Provider
3. Single Sign-On (SSO) for the Foreman project
14. OpenID Connect
Internet standard for Single Sign-On
1. Need to authenticate a user?
2. Send the user to their OpenID Provider.
3. Get an ID token back: a signed JWT carrying the user's identity, issued alongside the OAuth 2.0 access token.
23. Foreman Project
Part III: SSO integration with the Foreman Project
a. Introduction to the Foreman Project.
b. Authentication architecture for implementing SSO with the help of Keycloak.
25. Authentication Architecture
(Diagram: Hammer CLI, Keycloak and Foreman, with arrows labelled 1-2, 3, 4 and 5 for the steps below.)
1. Hammer requests a token from Keycloak.
2. Keycloak authenticates the user and issues a token to Hammer if the user is valid.
3. Hammer passes the token to Foreman.
4. Foreman validates the token and creates a user in the Foreman database.
5. Foreman creates a session ID and passes it to Hammer.
6. Hammer saves the session ID.
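The token validation that slide 25 places in Foreman (step 4), together with the signed ID token that slide 14 says comes back from the OpenID Provider, as an added Ruby example that is not Foreman's, Hammer's or Keycloak's own code. It assumes a Keycloak-style RS256-signed JWT; the realm issuer URL, the client ID, the in-process RSA key standing in for the realm's signing key and JWKS endpoint, and the in-memory hash standing in for the Foreman database are all constructed for the example. Everything runs offline, and it also shows the failure modes a validator must refuse: alg=none, a tampered payload, a token signed by another key, the wrong audience, and an expired token.

```ruby
require 'openssl'
require 'json'
require 'base64'

# --- JWT plumbing (RFC 7515/7519): base64url without padding ------------------
def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

# Constructed stand-in for a Keycloak realm. The realm signs tokens with its RSA
# key and publishes the public half on its JWKS endpoint; here the pair is
# generated in-process so the example runs offline. ISSUER and CLIENT_ID are
# assumed values, not Foreman's real configuration.
REALM_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUER    = 'https://keycloak.example.com/auth/realms/foreman'
CLIENT_ID = 'hammer-cli'

class TokenError < StandardError; end

# Step 2: the OpenID Provider mints a signed token (RS256 is Keycloak's default).
# The optional alg parameter exists only so hostile tokens can be built for tests.
def issue_token(key, claims, alg: 'RS256')
  header = { alg: alg, typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}." \
                  "#{b64url_encode(JSON.generate(claims))}"
  signature = alg == 'RS256' ? key.sign(OpenSSL::Digest.new('SHA256'), signing_input) : ''
  "#{signing_input}.#{b64url_encode(signature)}"
end

# Step 4: what Foreman must check before trusting anything in the token.
# Order matters: pin the algorithm and verify the signature before reading claims.
def verify_token(token, public_key, issuer:, audience:, now: Time.now.to_i)
  parts = token.split('.', -1)
  raise TokenError, 'malformed token' unless parts.length == 3
  header    = JSON.parse(b64url_decode(parts[0]))
  payload   = JSON.parse(b64url_decode(parts[1]))
  signature = b64url_decode(parts[2])

  # The token must not choose its own algorithm: 'none' and HMAC-with-public-key
  # are the classic JWT confusion attacks, so anything but the configured RS256 fails.
  raise TokenError, "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
  signing_input = "#{parts[0]}.#{parts[1]}"
  unless public_key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
    raise TokenError, 'bad signature'
  end

  # Only a token minted by our realm, for our client, and still valid counts.
  raise TokenError, 'wrong issuer'   unless payload['iss'] == issuer
  raise TokenError, 'wrong audience' unless Array(payload['aud']).include?(audience)
  raise TokenError, 'token expired'  unless payload['exp'].is_a?(Integer) && payload['exp'] > now
  payload
end

# Second half of step 4: map verified claims onto a user record. The hash is a
# constructed in-memory stand-in for the Foreman database; preferred_username,
# email and name are standard OIDC claims that Keycloak emits by default.
def provision_user(claims, users = {})
  login = claims.fetch('preferred_username')
  users[login] ||= { login: login, mail: claims['email'], name: claims['name'] }
  users[login]
end

# Convenience for callers: the rejection reason, or nil when the token is accepted.
def rejection_reason(token, public_key = REALM_KEY.public_key)
  verify_token(token, public_key, issuer: ISSUER, audience: CLIENT_ID)
  nil
rescue TokenError => e
  e.message
end

# Constructed claims for a five-minute token, shaped like a Keycloak realm's output.
def sample_claims(ttl: 300)
  now = Time.now.to_i
  { 'iss' => ISSUER, 'aud' => CLIENT_ID, 'sub' => 'user-1',
    'preferred_username' => 'alice', 'email' => 'alice@example.com',
    'name' => 'Alice Example', 'iat' => now, 'exp' => now + ttl }
end

# Steps 2 to 4 end to end: mint, validate, provision.
def demo
  token   = issue_token(REALM_KEY, sample_claims)
  payload = verify_token(token, REALM_KEY.public_key, issuer: ISSUER, audience: CLIENT_ID)
  provision_user(payload)
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a real deployment the public key is not generated in-process: it is fetched from the realm's JWKS endpoint and selected by the `kid` in the token header, and the expected algorithm comes from the server's own configuration, never from the token. The session ID that Foreman returns in step 5 is a separate, server-side credential; the JWT is only used to establish who the user is.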