Building an enterprise level single sign-on application with the help of keycloak (Open Source Identity and Access Management). And understanding the way to secure your application; frontend & backend API’s. Managing user federation with minimum configuration.

1. Building secure
applications with
keycloak (OIDC/JWT)
Abhishek Koserwal
Red Hat

2. Agenda
● IAAA Security factor
● Oauth2/OpenID
● Why? Keycloak
● OIDC/SAML - Keycloak adapters
(which & why?)
● Understanding Json Web Token (JWT)
● Integrating frontend(Angular/React)
with keycloak adapter. -
● Access token/refresh token
● JWT Validation at backend & securing
API endpoints
● Q & A

3. ● Identification: set of attributes related to an entity
(person -> attribute [name, email] )
● Authentication: is the process of verifying an identity (who they say they are)
● Authorization: is the process of verifying what someone is allowed to do
(permissions)
● Accounting: logs, user action, traceability of action
IAAA Security Factor

4. Are we using
Oauth2/OpenID?
Delegation Auth
Allow website to access my data
without providing my password?
➔ Authentication/Identity Level
➔ Authorization/Access Control
Level
➔ Site needs to manage security
➔ Store hash password, verify the hash
against a database

5. ● Oauth2 != Authentication, only Authorization
● Access Granting Protocol
● Delegated access
OAuth2/OpenID?
● Identity, Authentication + Oauth2 = OpenID
Connect
● Federation

6. Why? Keycloak
● Open source Identity and Access Management solution (https://github.com/keycloak/keycloak)
● Browsers, mobiles and clouds
● Many accounts
● Admin headache
Features
● SSO
● Admin console
● Login forms
● Account management
● Multi-factor auth
● Social login
● ..

7. Setup: keycloak
docker pull jboss/keycloak
docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak
Require docker daemon running
Standalone server distribution
(https://www.keycloak.org/downloads.htm)