TOC training KeyCloak Redhat SSO core

Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret
Tél. 0 950 260 370 – Fax. 0 955 260 370
Siret : 478 075 369 00015 - http://www.janua.fr
Page 4 / 304
Table of contents
1 Introduction to Keycloak for Identity and Access Management .............................................................11
1.1 Keycloak overview.............................................................................................................................11
1.2 Keycloak competitors ........................................................................................................................12
1.3 Prerequisites .....................................................................................................................................12
1.3.1 Hardware requirements ............................................................................................................12
1.3.2 Software requirements..............................................................................................................12
1.3.3 Tools..........................................................................................................................................13
1.4 Documentation ..................................................................................................................................14
1.4.1 Keycloak documentation...........................................................................................................14
1.4.2 White papers.............................................................................................................................14
1.5 Keycloak code sources .....................................................................................................................16
1.6 Build Keycloak...................................................................................................................................17
1.7 Environment variables.......................................................................................................................18
2 Starting with Keycloak ............................................................................................................................19
2.1 Overview............................................................................................................................................19
2.2 Install Keycloak .................................................................................................................................19
2.3 Keycloak Layout................................................................................................................................19
2.4 Start Standalone Server distribution .................................................................................................20
2.5 Deployment on Tomcat/Jetty.............................................................................................................22
2.6 Keycloak on Quarkus ........................................................................................................................23
2.7 Keycloak healthcheck........................................................................................................................26
2.8 Considerations on Keycloak persistence ..........................................................................................31
2.9 Keycloak core concepts ....................................................................................................................31
2.10 Path to integration with Keycloak .................................................................................................32
2.11 Integration with Keycloak..................................................................................................................33
2.12 Usages of keycloak and corresponding technologies ..................................................................33
2.13 Access the admin console ............................................................................................................35
2.14 Create Admin account ..................................................................................................................37
2.15 Create a realm ..............................................................................................................................39
2.16 Define roles for users....................................................................................................................40
2.17 Add users......................................................................................................................................42
2.18 Access user account Service........................................................................................................45
2.19 Add a client to realm demo...........................................................................................................46
2.19.1 Client Protocol Types............................................................................................................47
2.19.2 Access Types........................................................................................................................48
2.20 Define roles for the client app.......................................................................................................49
2.21 Create a group..............................................................................................................................51
3 Starting with WildFly...............................................................................................................................53
3.1 Overview............................................................................................................................................53
3.2 Install WildFly server .........................................................................................................................53
3.3 Start WildFly Server ..........................................................................................................................53
3.4 Access the admin console.................................................................................................................54
3.5 Install Keycloak adapters ..................................................................................................................56
3.5.1 OpenID Connect adapter..........................................................................................................56
3.5.2 SAML 2.0 adapter .....................................................................................................................57
3.5.3 Check adapters installation.......................................................................................................59
4 Secure a JavaEE application with Keycloak ..........................................................................................60
4.1 Prerequisites .....................................................................................................................................60
4.2 Basic application deployment............................................................................................................60
4.3 Configure HTTP basic authentication with WildFly ...........................................................................60
4.4 Basic application login.......................................................................................................................61

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 5 / 304
4.5 Integrate the Vanilla application with Keycloak .................................................................................62
4.5.1 Install Keycloak OIDC adapter..................................................................................................62
4.5.2 Register the Vanilla application with Keycloak .........................................................................62
4.5.3 Display Keycloak Vanilla client information ..............................................................................64
4.5.4 Update Vanilla application configuration in WildFly..................................................................64
4.6 Test the application............................................................................................................................65
5 Use Keycloak with client applications.....................................................................................................67
5.1 Overview............................................................................................................................................67
5.2 Prerequisites .....................................................................................................................................67
5.3 Database service setup.....................................................................................................................68
5.3.1 Create Realm............................................................................................................................68
5.3.2 Enable user registration............................................................................................................68
5.3.3 Create user ...............................................................................................................................69
5.3.4 Create Database service application........................................................................................69
5.3.5 Build and deploy database-service webapp.............................................................................71
5.4 Customer application setup...............................................................................................................72
5.4.1 Create Customer client application...........................................................................................72
5.4.2 Build and deploy customer-portal webapp ...............................................................................75
5.5 Customer application test..................................................................................................................76
5.6 Product application setup..................................................................................................................77
5.6.1 Create Product client application..............................................................................................77
5.6.2 Build product-portal webapp.....................................................................................................81
5.7 Product application Test ....................................................................................................................83
5.8 Common mistakes.............................................................................................................................83
5.8.1 Invalid client secret (WildFly server).........................................................................................83
5.8.2 Invalid user credentials .............................................................................................................84
6 Understanding Oauth2 ...........................................................................................................................85
6.1 Oauth2 Presentation .........................................................................................................................85
6.2 Oauth2 Elements...............................................................................................................................87
6.2.1 Oauth Roles..............................................................................................................................87
6.2.2 Tokens.......................................................................................................................................87
6.2.3 Scopes vs permissions .............................................................................................................87
6.2.4 Types of clients .........................................................................................................................88
6.2.5 Standard OAuth 2.0 / OpenID Connect endpoints ...................................................................88
6.2.6 Callback routes .........................................................................................................................89
6.2.7 OAuth 2.0 grant types...............................................................................................................89
6.2.8 Https is mandatory....................................................................................................................90
6.3 OAuth 2.0 grant types in details ........................................................................................................90
6.3.1 Authorization Code Grant .........................................................................................................90
6.3.2 Implicit.......................................................................................................................................90
6.3.3 Resource Owner Password Credential (ROPC).......................................................................91
6.3.4 Client credentials grant .............................................................................................................92
6.3.5 Refresh token flow ....................................................................................................................92
6.4 Which OAuth 2.0 Grant to Use..........................................................................................................93
6.4.1 Resource owner and client application are same / Machine to machine communication........93
6.4.2 Web / SPA (single page application) / Mobile applications.......................................................93
6.5 Authorization code grant flow with Proof Key for Code Exchange (PKCE) ......................................93
6.6 Use of refresh tokens ........................................................................................................................95
7 Understanding OpenID Connect (OIDC)................................................................................................96
7.1 Overview............................................................................................................................................96
7.2 OpenID sequence flow......................................................................................................................97
7.3 OpenID flows.....................................................................................................................................97
7.3.1 Authorization Code Flow...........................................................................................................97
7.3.2 Implicit Flow ..............................................................................................................................97

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 6 / 304
7.3.3 Hybrid Flow...............................................................................................................................98
7.3.4 Flow features ............................................................................................................................98
7.3.5 Response types by flow............................................................................................................98
7.4 Authorization Code flow ....................................................................................................................99
7.5 Implicit Flow.....................................................................................................................................103
7.6 ID token analysis .............................................................................................................................105
8 Debug and analyse a Keycloak example .............................................................................................107
8.1 Overview..........................................................................................................................................107
8.2 Prerequisites ...................................................................................................................................107
8.3 Create service-jaxrs application ......................................................................................................107
8.4 Create app-jsp application...............................................................................................................109
8.5 Create a user...................................................................................................................................112
8.6 Login to the app...............................................................................................................................113
8.7 Check Request Headers and Response Headers of the /authenticate endpoint request ..............116
8.8 Use jwt.io debugger.........................................................................................................................117
8.9 Verify the signature..........................................................................................................................119
8.10 Check Cookie within Chrome .....................................................................................................119
9 Use REST API with Keycloak...............................................................................................................121
9.1 Presentation ....................................................................................................................................121
9.2 App-js application............................................................................................................................121
9.3 Realm endpoints - .well-known/openid-configuration .....................................................................121
9.4 admin-cli Client application..............................................................................................................123
9.4.1 Getting an admin Bearer token with the admin CLI................................................................123
9.4.2 Use admin Bearer Token in Rest API query ...........................................................................125
9.4.3 Use another admin user with admin-cli ..................................................................................126
9.4.4 List the number of sessions present on a realm.....................................................................127
9.5 Use Kcadm......................................................................................................................................128
9.5.1 Create .Keycloak registry........................................................................................................128
9.5.2 Use Kcadm .............................................................................................................................130
9.5.3 Security measure with Kcadm ................................................................................................130
9.6 Usage of REST API with realm endpoints.......................................................................................130
9.6.1 App-jsp information.................................................................................................................131
9.6.2 Perform a ROPC query to the /token endpoint.......................................................................131
9.6.3 Call the userinfo endpoint .......................................................................................................132
9.6.4 Call the introspect endpoint ....................................................................................................132
9.7 Call Refresh Token using ROPC.....................................................................................................133
9.7.1 ROPC query to generate access and refresh tokens.............................................................133
9.7.2 Perform the query using the refresh token .............................................................................135
10 Use OpenID protocol to connect to an IDP provider ............................................................................137
10.1 Presentation................................................................................................................................137
10.2 Prerequisites...............................................................................................................................137
10.3 France Connect Endpoints .........................................................................................................138
10.4 France Connect Identity Provider deployment ...........................................................................138
10.5 Create an identity provider..........................................................................................................139
10.6 Add identity provider mappers....................................................................................................139
10.7 Setup the France Connect theme...............................................................................................140
10.8 Test the application .....................................................................................................................141
10.9 Account Linking...........................................................................................................................144
11 SAML V2 Presentation .........................................................................................................................146
11.1 What is SAML ? ..............................................................................................................................146
11.2 SAML 2.0 in short ...........................................................................................................................146
11.2.1 SAML V2 features...............................................................................................................146
11.2.2 Major Key elements ............................................................................................................146
11.3 Examples of SSO flows ..................................................................................................................148

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 7 / 304
11.3.1 SAML Service Provider Initiated SSO Flow........................................................................148
11.3.2 SAML Identity Provider Initiated SSO Flow ........................................................................149
11.3.3 SAML components..............................................................................................................150
11.4 SAML Components detailed ...........................................................................................................151
11.4.1 SAML 2.0 Protocols ............................................................................................................151
11.4.2 SAML 2.0 Bindings .............................................................................................................152
11.4.3 SAML 2.0 profiles................................................................................................................152
11.5 SAML elements (used by Keycloak)...............................................................................................153
11.5.1 General Adapter Config ......................................................................................................153
11.5.2 SP Element.........................................................................................................................154
11.5.3 SP Keys and Key elements ................................................................................................156
11.5.4 KeyStore element ...............................................................................................................156
11.5.5 Key PEMS...........................................................................................................................157
11.5.6 SP PrincipalNameMapping element...................................................................................157
11.5.7 RoleIdentifiers element .......................................................................................................158
11.5.8 IDP Element........................................................................................................................158
11.5.9 IDP SingleSignOnService sub element ..............................................................................159
11.5.10 IDP SingleLogoutService sub element ...............................................................................159
11.5.11 IDP Keys subelement .........................................................................................................160
11.6 XML SAML Examples .....................................................................................................................161
11.6.1 Post Request example........................................................................................................161
11.6.2 Response Extract ...............................................................................................................162
12 SAML broker example with Keycloak...................................................................................................163
12.1 Presentation................................................................................................................................163
12.2 Prerequisites...............................................................................................................................163
12.3 Import saml-broker-authentication-realm realm in Keycloak ......................................................163
12.4 Import saml-broker-realm realm in Keycloak..............................................................................165
12.5 Build and deploy saml-broker-authentication application ...........................................................167
12.6 Test .............................................................................................................................................169
12.7 Add SAML builtin protocol mapper .............................................................................................174
12.8 Check details of a built-in member (givenName)........................................................................175
12.9 Analyze content of a response with SAML tracer.......................................................................176
12.10 Map SAML attributes at identity provider level ...........................................................................177
12.11 Complete test scenario ...............................................................................................................178
12.12 Account linking............................................................................................................................178
13 SAML Integration with an external identity provider (Okta)..................................................................180
13.1 Overview.....................................................................................................................................180
13.2 Prerequisites...............................................................................................................................180
13.3 Configure Okta as an identity provider .......................................................................................180
13.3.1 Create an Okta account......................................................................................................180
13.3.2 Configure Okta identity provider .........................................................................................184
13.3.3 Assign a user to OKTA_SAML_IDP....................................................................................193
13.4 Configure Keycloak as a service provider ..................................................................................195
13.4.1 Create saml_okta_idp identity provider ..............................................................................195
13.4.2 Add attributes mapping.......................................................................................................196
13.5 Test .............................................................................................................................................197
13.6 Account Linking...........................................................................................................................199
14 Understanding Authorization Services with Keycloak ..........................................................................201
14.1 Presentation................................................................................................................................201
14.2 Key Concepts of Keycloak Authorization service .......................................................................201
14.3 Components of an Authorization Service ...................................................................................202
14.4 Resources...................................................................................................................................202
14.5 Authorization Scopes..................................................................................................................202
14.6 Policies........................................................................................................................................203

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 8 / 304
14.6.1 Role Policy..........................................................................................................................203
14.6.2 JavaScript Role...................................................................................................................203
14.7 Permission ..................................................................................................................................204
14.7.1 Resource – policy permission match..................................................................................204
14.7.2 Scope – policy permission match .......................................................................................204
14.8 Putting it all together – Tailoring authorization Service to your architecture needs....................204
15 Use a simple Keycloak Authorization example ....................................................................................206
15.1 Secure a Servlet Application.......................................................................................................206
15.2 Prerequisites...............................................................................................................................206
15.3 Configure Keycloak.....................................................................................................................206
15.4 Get the adapter configuration .....................................................................................................211
15.5 Build and Deploy the application ................................................................................................211
16 Authorization access using Role based users .....................................................................................214
16.1 Overview.....................................................................................................................................214
16.2 Prerequisites...............................................................................................................................214
16.4 Build and deploy the application.................................................................................................215
16.5 Authorization example test .........................................................................................................216
16.5.1 Log in with restricted privileges...........................................................................................216
16.5.2 Log in as Premium user......................................................................................................217
16.6 Detailed authorization scheme analysis .....................................................................................218
16.6.1 Resources details ...............................................................................................................219
16.6.2 Scopes details.....................................................................................................................219
16.6.3 Policies details ....................................................................................................................220
16.6.4 Permissions details.............................................................................................................221
17 Fine Grain Authorization – UMA policy.................................................................................................224
17.1 Presentation................................................................................................................................224
17.2 Prerequisites...............................................................................................................................226
17.3 About the Example application ...................................................................................................226
17.5 Deploy the Example Applications ...............................................................................................228
17.6.1 Create albums.....................................................................................................................229
17.6.2 Share albums......................................................................................................................230
17.6.3 View shared albums............................................................................................................234
17.6.4 Request permissions ..........................................................................................................236
17.6.5 Manage permission requests..............................................................................................237
17.6.6 View all resources...............................................................................................................239
17.6.7 Revoke permissions ...........................................................................................................241
17.6.8 Summary.............................................................................................................................243
18 Keycloak LDAP integration...................................................................................................................244
18.1 Presentation................................................................................................................................244
18.2 Prerequisites...............................................................................................................................244
18.3 About the Keycloak LDAP example............................................................................................244
18.4 Run and load the LDAP server ...................................................................................................244
18.5 Examine LDAP example using JXplorer.....................................................................................245
18.6.1 Define LDAP synchronization policy...................................................................................249
18.6.2 Configure user federation mappers ....................................................................................250
18.7 Build and deploy the application.................................................................................................252
18.8 Test .............................................................................................................................................254
19 Relational Database Setup...................................................................................................................255
19.1 Presentation................................................................................................................................255

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 9 / 304
19.2 PostgreSQL DB installation and preparation..............................................................................255
19.2.1 Installing PostgreSQL on Ubuntu .......................................................................................255
19.2.2 Installing PostgreSQL on RedHat Linux .............................................................................255
19.2.3 Change PostgreSQL password ..........................................................................................256
19.2.4 Authentication test ..............................................................................................................256
19.2.5 Create keycloak user ..........................................................................................................256
19.2.6 Create keycloak DB ............................................................................................................256
19.2.7 Create keycloak schema ....................................................................................................257
19.3 Keycloak configurations..............................................................................................................257
19.3.1 PostgreSQL driver installation ............................................................................................257
19.3.2 JDBC driver declaration......................................................................................................258
19.3.3 Datasource declaration.......................................................................................................258
19.3.4 Connection Jpa update to accommodate dedicated schema.............................................259
19.4 Test the configuration..................................................................................................................259
20 Import / Export Keycloak configuration.................................................................................................261
20.1 Presentation................................................................................................................................261
20.2 Import/export commands............................................................................................................261
20.2.1 Exporting to a single file......................................................................................................261
20.2.2 Exporting to a directory.......................................................................................................261
20.2.3 Imports................................................................................................................................261
20.3 Options........................................................................................................................................261
21 Protect Keycloak in production with a Reverse Proxy architecture......................................................263
21.1 Why adding a reverse proxy.......................................................................................................263
21.2 Architectural deployment example .............................................................................................263
21.2.1 Role of the DMZ..................................................................................................................263
21.2.2 First firewall (internet - DMZ) ..............................................................................................264
21.2.3 Second Firewall ..................................................................................................................264
21.2.4 Reverse Proxy - DMZ .........................................................................................................264
21.2.5 Keycloak authentication Server - LAN................................................................................264
21.3 HTTPS everywhere ....................................................................................................................264
21.4 Reverse Proxy server used with Keycloak .................................................................................264
22 Keycloak Security.................................................................................................................................265
22.1 Security Best Practices...............................................................................................................265
22.2 Enable SSL/HTTPS for the Keycloak Server .............................................................................265
22.2.1 PKI – Self Cert – CA Authorithy ..........................................................................................265
22.2.2 Generate self cert ...............................................................................................................265
22.2.3 Customize standalone.xml with ssl.....................................................................................266
22.2.4 Check SSL connection using openssl ................................................................................266
22.2.5 Check HTTPS connection ..................................................................................................268
22.3 Outgoing Http Requests .............................................................................................................269
22.4 Differences between when using self signed and signed certificates ........................................270
23 Keycloak Networking............................................................................................................................271
23.1 Keycloak Port presentation – standalone.xml (standalone-ha.xml) ...........................................271
23.2 Usage of each port .....................................................................................................................271
23.3 Disabling http and AJP for Keycloak...........................................................................................272
23.4 Keycloak Multicast Groups .........................................................................................................272
23.5 Keycloak multicast Group with clustering ...................................................................................273
23.5.1 Jgroups - multicast..............................................................................................................273
23.5.2 Mod_Cluster - multicast......................................................................................................273
24 Keycloak Clustering Operating Modes.................................................................................................275
24.1 Presentation................................................................................................................................275
24.2 Standalone clustered mode........................................................................................................275
24.2.1 Configure a shared external database ...............................................................................277
24.2.2 Set up a load balancer........................................................................................................277

Tél. 0 950 260 370 – Fax. 0 955 260 370
Page 10 / 304
24.2.3 Enable HTTPS/SSL with a Reverse Proxy.........................................................................278
24.2.4 Test the cluster....................................................................................................................279
24.3 Domain clustered mode..............................................................................................................280
24.3.1 Master node configuration ..................................................................................................281
24.3.2 Slave node configuration ....................................................................................................281
24.4 Clustered Domain Example........................................................................................................282
24.4.1 Prerequisites.......................................................................................................................282
24.4.2 Configure the slave secret key ...........................................................................................282
24.4.3 Create an admin master user .............................................................................................284
24.4.4 Start the servers..................................................................................................................285
24.5 Add app_vanilla profile client application to the cluster..............................................................286
24.6 Limitation of the domain cluster example ...................................................................................287
25 Mod_cluster with Standalone HA cluster deployment ..........................................................................287
25.1 Presentation................................................................................................................................287
25.2 Mod_cluster – Apache SW load Balancer ..................................................................................287
25.2.1 Presentation........................................................................................................................287
25.2.2 Mod_cluster and multicast group........................................................................................287
25.2.3 Mod_cluster with Keycloak .................................................................................................287
25.3 Clustering standalone HA example ............................................................................................288
25.3.1 Presentation........................................................................................................................288
25.3.2 Limitation.............................................................................................................................288
25.3.3 Set Keycloak requires SSL to none ....................................................................................288
25.3.1 Mod_Cluster configuration..................................................................................................289
25.3.2 Apache installation..............................................................................................................289
25.3.3 Mod_Cluster configuration..................................................................................................290
25.3.4 Commands used.................................................................................................................291
25.3.5 Test Mod_cluster.................................................................................................................291
25.4 Testing application failover..........................................................................................................292
26 SPI testing integration – High available environment...........................................................................294
26.1 Overview.....................................................................................................................................294
26.2 Event SPI....................................................................................................................................294
26.2.1 Deploying the Jar file ..........................................................................................................294
26.2.2 Registering the SPI in standalone-ha.xml ..........................................................................294
26.3 SPI various use cases ................................................................................................................294
26.3.1 Use case 1 – Both nodes are Up........................................................................................294
26.3.2 Use case 2 – Node1 brought Down....................................................................................295
26.4 SPI interaction with keycloak in clustering mode........................................................................296
27 Keycloak Clustering best practices – Recommendation......................................................................297
28 Annex : Oauth 2.0, OIDC, PKCE, Refresh tokens (French) ................................................................298
28.1 Considération sur la sécurité des applications Web...................................................................298
28.2 Introduction à OAuth 2................................................................................................................298
28.3 Introduction d’OpenID Connect (OIDC)......................................................................................298
28.4 Oauth 2 en détails.......................................................................................................................299
28.4.1 Vocabulaire .........................................................................................................................299
28.4.2 Flux de codes d’autorisation (Authorization Code Flow) ....................................................299
28.4.3 Flux de codes d'autorisation avec PKCE (Authorization Code with PKCE Flow) ..............301
28.4.4 Flux implicite (Implicit Flow)................................................................................................303
28.4.5 Jeton de rafraîchissement ..................................................................................................304

TOC training KeyCloak Redhat SSO core

TOC training KeyCloak Redhat SSO core

TOC training KeyCloak Redhat SSO core

Recommended

More Related Content

What's hot

What's hot(20)

Similar to TOC training KeyCloak Redhat SSO core

Similar to TOC training KeyCloak Redhat SSO core(20)

More from Pascal Flamand

More from Pascal Flamand(20)

Recently uploaded

Recently uploaded(20)

TOC training KeyCloak Redhat SSO core