Secure your app with keycloak

1
Secure Your App With
Keycloak
Guy Marom@SparkBeyond

2
SparkBeyond
Harness humanity’s collective
intelligence to solve the world’s
most impactful problems
2

3
How We Started With Keycloak
We have our own user management code which requires maintenance
3

4
Customers are requesting features
• LDAP/Active Directory integration
• Azure Active Directory integration
We’re already hearing requests for Kerberos...
4

5
We are developing more products and we’ll need
• Usage of the same users and groups
• Single sign-on
• Cross-product authorized connections
5

6
Before Keycloak
6
EC2 Machine
Postgres
SparkBeyond
service

7
With Keycloak
7
EC2 Machine
Keycloak
SparkBeyond
services
SparkBeyond
services
SparkBeyond
services Authenticate
Postgres

8
What is Keycloak?
• An Identity Provider (or IdP)
A server that creates and manages identities (users)
• Integrates with
• LDAP and Active Directory
• Any OAuth 2.0 IdPs (Google, Facebook, Github, ...)
• SAML IdPs
• Kerberos
8

10
Authentication and Access Control
• Authentication - validating someone is who he says he is
• Authorization / Access Control - allowing/disallowing access to certain resources
10

11
Implementing by Yourself
1. Create web application
2. Implement authentication layer (hash passwords, secure DB)
3. Implement lots of more stuff like management screens, password policies, email
validation, “Remember Me” and more.
And we haven’t talked about access control yet...
11

12
Accessing 3rd Party Resources
You may want to create
• A Facebook application
• A Chrome extension
• A GitHub application
These all involve accessing private user
data
12

14
About
• Authorization and not authentication
• Standardized way for accessing resources
• Resource = anything your account contains
Gmail Emails, Facebook profile info, GitHub repos etc.
• Written with selectivity in mind (scopes)
14

15
OAuth 2.0 participants
Resource Owner
Resource Server
Client
Your Application
<add_image_here>
Authorization Server
15

16
OAuth 2.0 Flows
A protocol
Predefined steps, at the end of which the Client receives an Access
Token that gives scoped access to resources on the Resource Server
16

17
Access Token
Many things
• User identifier
• Group membership
• Roles
• Optionally - user information
17

18
Authorization Code Flow
• For server side applications
• Redirection based
• Probably the most common
• Definitely the most secure - takes advantage of both front channel and back channel
18
Resource Owner Resource Server
Client
Your Application
<add_image_here>
Front
Channel
Back
Channel

20
Authorization Code Flow - An Example
I want to use CircleCI as the CI tool for my github repos
20

21
Sign-up for CircleCI
https://circleci.com/signup/
21

22
Sign Up with GitHub
https://github.com/login/oauth/authorize?
client_id=78a2ba87f071c28e65bb&redirect
_uri=https%3A%2F%2Fcircleci.com%2Fauth
%2Fgithub%3Freturn-
to%3D%252F&scope=repo%2Cuser%3Aema
il&state=C5wg07VR_WyyKhcTUgT1Jl2cBQd
02In6UlLfYdlGKEqC4KIAf_hdXLjlfjqpUBAx6S
362uskcdW0-1l1
22

23
Authorize
https://github.com/login/oauth/authorize
23

24
Get redirected back to CircleCI
https://circleci.com/dashboard
I am now logged-in and CircleCI is allowed
to use my github repos.
24

25
Back in GitHub
I can see CircleCI in the list of
the authorized OAuth apps
25

26
Authorization Code Flow - Explained
• Resource = GitHub repos
• Resource owner = me
• Client = CircleCI
• Resource server = GitHub
• Authorization server = also GitHub
26

27
K
Resource Owner (me) wants to sign into
Circle CI
Client (Cirlcle) redirects to authorization
server (GitHub) with an authorization code
request
27
Go and
authorize
me on
GitHub

28
Do you want to
give Circle CI
access to your
repos?
Yeap
Here’s a code
Resource owner authorizes
client to view/edit resources
(GitHub) repos)
Authorization server (GitHub)
issues authorization code to
be taken back to client.
28

29
Here’s your
code dude
Yo GitHub, trade
you this code for a
token?
Fine… Here’s
your access
token
YES! Let’s get to
work
Client takes code, performs a backchannel
request to Auth Server and exchanges the
code for an access token
Client hangs on to access token and uses it to
perform authorized requests to the Resource
Server (GitHub).
29

30
Implicit Flow
• Same as Authorization Code, minus the code part - immediately acquire access token
• Only valid option for cell phone apps and some web apps
• Less secure - no backchannel usage
30

31
Resource Owner Password Credentials
• For testing purposes only!
• Client has user credentials and uses them to acquire access token
• Completely un-secure (remember the Yelp story?)
31

32
Scopes
• The mechanism that allows selectivity
• Limits the client’s access to resources
• When a client initiates token request,
it requests specific scopes
GitHub
32

34
What is OpenID?
• OAuth was sometimes abused to provide authentication
• Authentication built on top of OAuth 2.0
• Standard endpoints (token, auth, discovery)
• Standard representation of the user information
• Use openid scope
34

35
JWT Token - Standard Claims
35

37
About
• An IdP
• Developed by RedHat
• Written in Java
• Implements the OAuth 2.0 protocol with OpenID support
• Documentation - Mostly OK
• It’s free, and open-source (Apache 2.0 license)
37

38
Authentication
38
Keycloak
SparkBeyond
services
Authenticate
Social Login
LDAP / Active
Directory
Kerberos
Use Keycloak as an OpenID authentication server

41
Basic Terms
• User
• Role
A “category” of users, e.g. admin, manager, employee
• Group
A collection of users
• Realm
A collection of users, groups and roles
• Client
Applications that want to use Keycloak for authentication
41

42
Authentication - some cool (and free) features
• SSO
• GUI self serve (change password + user details)
• Session revocation
• API Keys (offline tokens)
• User registration
• OTPs - One Time Passwords
• Tons more (not literally) (but tons!!)
42

43
Authorization
1. Assign users to groups, and roles to groups/users
2. Use Keycloak as an OAuth identity provider
3. Acquire username, roles and groups from access token
43

44
Integration with Keycloak - Your App
1. Redirect to Keycloak if a request was made without a token
2. For requests with a token
a. Validate the token
b. Use it (extract user info and access control data)
44

45
Integration with Keycloak - Your App
• val tokenVerifier = TokenVerifier.create(tokenString, classOf[AccessToken])
• val token = tokenVerifier.verify().getToken
45

46
Integration with Keycloak - Keycloak Side
1. Create a realm
2. Create Clients for your apps
3. At least one of the following:
a. Create users, groups and roles
b. Use external users such as LDAP or any social login
46

47
Tech data
• Runs a JBOSS server, with JDK 8
• Requires at least 512MB of RAM
• Requires a relational DB
• Supports a cluster mode for HA
47

Secure your app with keycloak

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Secure your app with keycloak

Similaire à Secure your app with keycloak (20)

Dernier

Dernier (20)

Secure your app with keycloak

Notes de l'éditeur