stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj
OAuth protocol is often misunderstood as an authentication protocol but that is not the case. It is an authorization protocol used to provide authorization between two services. While OAuth does all the heavy lifting, authorization, it does not maintain an identity. At this point, OpenID Connect plays a vital role. It is a thin layer that sits on top of OAuth 2.0 and enables correct authentication for users and provides the correct identity. With the help of OpenID Connect, organizations can provide Single Sign On(SSO) functionality. In this talk, we will understand how one can leverage Keycloak, an OpenID provider, to perform Sign Sign On using the JSON Web Tokens(JWT). Most of the applications use the Session ID mechanism for authentication. Either they use the sticky mechanism or maintain a common database for multiple web-applications running the same server. Although this approach is used widely it is not scalable in nature. With the increase in adoption of the microservices architecture in applications lately, it has become difficult to scale your application using a Session ID. On the other hand, JWT proves to be an efficient methodology in this case. In this talk, we will gain a deep understanding of how to use the JWT for implementing the OpenID Connect protocol and I shall also demonstrate how I have implemented it in the Foreman project.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj
Ähnlich wie stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj
- 2. About me ● Software Engineer at Red Hat. ● Red Hat Certified Architect with certifications in Ansible, Puppet, Openshift, Docker and Linux administration. ● Follow me on: ○ Twitter: @rabajaj_ ○ Github: https://github.com/rabajaj0509 ○ Blog: https://rahulbajaj05.wordpress.com @rabajaj_
- 3. Agenda 1. Conceptual Aside a. Authentication b. JSON web tokens c. Oauth 2.0 d. Openid connect e. Oauth 2.0 workflows 2. Keycloak as an openid provider 3. Single sign on(SSO) for foreman project @rabajaj_
- 4. Conceptual Aside 1. Authentication 2. JSON Web Token (JWT) 3. Oauth 2.0 4. Oauth 2.0 workflows 5. Openid Connect Part I @rabajaj_
- 5. Authentication Authentication is the process used by applications to determine and confirm identities of users. @rabajaj_
- 6. Authentication Password Authentication Token based Authentication @rabajaj_
- 10. Json WEb token eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJrNkp3YmtHOTNsQ ThaM01yTFkwIn0.eyJqdGkiOiJkN2Y1MmQyZS0yMDk3LTQwNDEtOWM4NC1jMz Q5ZDdmNWZjNzUiLCJleHAiOjE1Nzk0MzE4NDIsIm5iZiI6MCwiaWF0IjoxNTc5N DMxNzgyLZF91c2VybmFtZSI6InRlc3QiLCJnaXZlbl9uYW1lIjoidGVzdDEiLCJmY Z0kcmoLs9JHk43xkz_byJtenKpqwrNNDTF3UHsxn4I8doBW1pbHlfbmFtZSI6In Rlc3QyIiwiZW1haWwiOiJ0ZXN0QHRlc3QuY29tIn0.NZ_TDotrL4Nyi1cEGlDs5K DBlml8urlKBvk5R9hXkLJXzgseqpMKtsGQPCOC7jzmjw Payload Data { "jti": "d7f52d2e-2097-4041-9c84-c349d7f5fc75", "exp": 1579431842, "iat": 1579431782, "iss": "https://keycloak.example.com/auth/realms/ssl-realm", "aud": [ "foreman.example.com-foreman-openidc", "broker", "account" ], "sub": "5097d158-6638-43b8-8c76-daade8673ed6", "typ": "Bearer", "name": "test1 test2", "groups": [Stackconf], "preferred_username": "test", "given_name": "test1", "family_name": "test2", "email": "test@example.com" }@rabajaj_
- 13. OAuth 2.0 @rabajaj_ credit: Dominick a.k.a. @leastprivilege
- 14. Openid connect Internet standard for Single Sign On 1. Need to authenticate a user? 2. Send user to their OpenID Provider 3. Get access token back @rabajaj_
- 15. OAuth 2.0 Workflows Password Grant Flow Authorization Code Grant FLow @rabajaj_
- 17. Authorization Code Grant Flow @rabajaj_ credit: Dominick a.k.a. @leastprivilege
- 18. Keycloak a. Registering a client b. Redirect URls c. Session ManagementAs an OpenID Provider(OP) Part II @rabajaj_
- 19. register different clients According to their access type @rabajaj_
- 22. Refresh Tokens @rabajaj_ credit: Auth0
- 23. Foreman PRoject a. Introduction to the Foreman Project. b. Authentication architecture for implementing SSO with the help of Keycloak. SSO integration with the Foreman Project Part III @rabajaj_
- 25. Authentication Architecture Hammer CLI Foreman 1. Hammer requests Keycloak for token. 3. Passes the token to Foreman. 6. Saves the sessionid. 2. Keycloak performs authentication and issues a token to Hammer if the user is valid. 1,2 3 4. Foreman validates the Token and creates a user in the Foreman database. 5. Foreman creates a sessionid and passes that to Hammer. 4 5
- 26. References Specifications: ● Oauth 2.0 Authorization spec: https://tools.ietf.org/html/rfc6749 ● OpenID Connect spec: https://openid.net/developers/specs/ ● JSON Web Token spec: https://tools.ietf.org/html/rfc7519 ● Proof Key for Code Exchange spec (PKCE): https://tools.ietf.org/html/rfc7636 Blogs and Journals: ● https://cybersecurity.ieee.org/blog/2016/06/02/design-best-practices- for-an-authentication-system/ ● http://ijcsit.com/docs/Volume%207/vol7issue4/ijcsit2016070406.pdf
- 27. References Videos: ● Authentication as a microservice (by Brian Pontarelli): https://www.youtube.com/watch?v=SLc3cTlypwM ● OpenID Connect and OAuth 2.0 (by Dominick Baier): https://www.youtube.com/watch?v=jeRALmfyoqg ● A reasonable guide to security (by Niall Mariggan): https://www.youtube.com/watch?v=V0rb4SbvuJs