TOC training KeyCloak Redhat SSO core

Pascal Flamand, Founder and CEO at JANUA - CEO at SemanticExperts

Table of contents of the KeyCloak - Redhat SSO core course material

Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret
Tél. 0 950 260 370 – Fax. 0 955 260 370
Siret : 478 075 369 00015 - http://www.janua.fr
Page 4 / 304
Table of contents
1 Introduction to Keycloak for Identity and Access Management .............................................................11
1.1 Keycloak overview.............................................................................................................................11
1.2 Keycloak competitors ........................................................................................................................12
1.3 Prerequisites .....................................................................................................................................12
1.3.1 Hardware requirements ............................................................................................................12
1.3.2 Software requirements..............................................................................................................12
1.3.3 Tools..........................................................................................................................................13
1.4 Documentation ..................................................................................................................................14
1.4.1 Keycloak documentation...........................................................................................................14
1.4.2 White papers.............................................................................................................................14
1.5 Keycloak code sources .....................................................................................................................16
1.6 Build Keycloak...................................................................................................................................17
1.7 Environment variables.......................................................................................................................18
2 Starting with Keycloak ............................................................................................................................19
2.1 Overview............................................................................................................................................19
2.2 Install Keycloak .................................................................................................................................19
2.3 Keycloak Layout................................................................................................................................19
2.4 Start Standalone Server distribution .................................................................................................20
2.5 Deployment on Tomcat/Jetty.............................................................................................................22
2.6 Keycloak on Quarkus ........................................................................................................................23
2.7 Keycloak healthcheck........................................................................................................................26
2.8 Considerations on Keycloak persistence ..........................................................................................31
2.9 Keycloak core concepts ....................................................................................................................31
2.10 Path to integration with Keycloak .................................................................................................32
2.11 Integration with Keycloak..................................................................................................................33
2.12 Usages of keycloak and corresponding technologies ..................................................................33
2.13 Access the admin console ............................................................................................................35
2.14 Create Admin account ..................................................................................................................37
2.15 Create a realm ..............................................................................................................................39
2.16 Define roles for users....................................................................................................................40
2.17 Add users......................................................................................................................................42
2.18 Access user account Service........................................................................................................45
2.19 Add a client to realm demo...........................................................................................................46
2.19.1 Client Protocol Types............................................................................................................47
2.19.2 Access Types........................................................................................................................48
2.20 Define roles for the client app.......................................................................................................49
2.21 Create a group..............................................................................................................................51
3 Starting with WildFly...............................................................................................................................53
3.1 Overview............................................................................................................................................53
3.2 Install WildFly server .........................................................................................................................53
3.3 Start WildFly Server ..........................................................................................................................53
3.4 Access the admin console.................................................................................................................54
3.5 Install Keycloak adapters ..................................................................................................................56
3.5.1 OpenID Connect adapter..........................................................................................................56
3.5.2 SAML 2.0 adapter .....................................................................................................................57
3.5.3 Check adapters installation.......................................................................................................59
4 Secure a JavaEE application with Keycloak ..........................................................................................60
4.1 Prerequisites .....................................................................................................................................60
4.2 Basic application deployment............................................................................................................60
4.3 Configure HTTP basic authentication with WildFly ...........................................................................60
4.4 Basic application login.......................................................................................................................61
4.5 Integrate the Vanilla application with Keycloak .................................................................................62
4.5.1 Install Keycloak OIDC adapter..................................................................................................62
4.5.2 Register the Vanilla application with Keycloak .........................................................................62
4.5.3 Display Keycloak Vanilla client information ..............................................................................64
4.5.4 Update Vanilla application configuration in WildFly..................................................................64
4.6 Test the application............................................................................................................................65
5 Use Keycloak with client applications.....................................................................................................67
5.1 Overview............................................................................................................................................67
5.2 Prerequisites .....................................................................................................................................67
5.3 Database service setup.....................................................................................................................68
5.3.1 Create Realm............................................................................................................................68
5.3.2 Enable user registration............................................................................................................68
5.3.3 Create user ...............................................................................................................................69
5.3.4 Create Database service application........................................................................................69
5.3.5 Build and deploy database-service webapp.............................................................................71
5.4 Customer application setup...............................................................................................................72
5.4.1 Create Customer client application...........................................................................................72
5.4.2 Build and deploy customer-portal webapp ...............................................................................75
5.5 Customer application test..................................................................................................................76
5.6 Product application setup..................................................................................................................77
5.6.1 Create Product client application..............................................................................................77
5.6.2 Build product-portal webapp.....................................................................................................81
5.7 Product application Test ....................................................................................................................83
5.8 Common mistakes.............................................................................................................................83
5.8.1 Invalid client secret (WildFly server).........................................................................................83
5.8.2 Invalid user credentials .............................................................................................................84
6 Understanding OAuth 2.0 ..........................................................................................................85
6.1 OAuth 2.0 presentation .......................................................................................................85
6.2 OAuth 2.0 elements.............................................................................................................87
6.2.1 OAuth roles..............................................................................................................87
6.2.2 Tokens.......................................................................................................................................87
6.2.3 Scopes vs permissions .............................................................................................................87
6.2.4 Types of clients .........................................................................................................................88
6.2.5 Standard OAuth 2.0 / OpenID Connect endpoints ...................................................................88
6.2.6 Callback routes .........................................................................................................................89
6.2.7 OAuth 2.0 grant types...............................................................................................................89
6.2.8 Https is mandatory....................................................................................................................90
6.3 OAuth 2.0 grant types in details ........................................................................................................90
6.3.1 Authorization Code Grant .........................................................................................................90
6.3.2 Implicit.......................................................................................................................................90
6.3.3 Resource Owner Password Credentials (ROPC).....................................................................91
6.3.4 Client credentials grant .............................................................................................................92
6.3.5 Refresh token flow ....................................................................................................................92
6.4 Which OAuth 2.0 Grant to Use..........................................................................................................93
6.4.1 Resource owner and client application are same / Machine to machine communication........93
6.4.2 Web / SPA (single page application) / Mobile applications.......................................................93
6.5 Authorization code grant flow with Proof Key for Code Exchange (PKCE) ......................................93
6.6 Use of refresh tokens ........................................................................................................................95
7 Understanding OpenID Connect (OIDC)................................................................................................96
7.1 Overview............................................................................................................................................96
7.2 OpenID sequence flow......................................................................................................................97
7.3 OpenID flows.....................................................................................................................................97
7.3.1 Authorization Code Flow...........................................................................................................97
7.3.2 Implicit Flow ..............................................................................................................................97
7.3.3 Hybrid Flow...............................................................................................................................98
7.3.4 Flow features ............................................................................................................................98
7.3.5 Response types by flow............................................................................................................98
7.4 Authorization Code flow ....................................................................................................................99
7.5 Implicit Flow.....................................................................................................................................103
7.6 ID token analysis .............................................................................................................................105
8 Debug and analyse a Keycloak example .............................................................................................107
8.1 Overview..........................................................................................................................................107
8.2 Prerequisites ...................................................................................................................................107
8.3 Create service-jaxrs application ......................................................................................................107
8.4 Create app-jsp application...............................................................................................................109
8.5 Create a user...................................................................................................................................112
8.6 Login to the app...............................................................................................................................113
8.7 Check Request Headers and Response Headers of the /authenticate endpoint request ..............116
8.8 Use jwt.io debugger.........................................................................................................................117
8.9 Verify the signature..........................................................................................................................119
8.10 Check Cookie within Chrome .....................................................................................................119
9 Use REST API with Keycloak...............................................................................................................121
9.1 Presentation ....................................................................................................................................121
9.2 App-js application............................................................................................................................121
9.3 Realm endpoints - .well-known/openid-configuration .....................................................................121
9.4 admin-cli Client application..............................................................................................................123
9.4.1 Getting an admin Bearer token with the admin CLI................................................................123
9.4.2 Use admin Bearer Token in Rest API query ...........................................................................125
9.4.3 Use another admin user with admin-cli ..................................................................................126
9.4.4 List the number of sessions present on a realm.....................................................................127
9.5 Use Kcadm......................................................................................................................................128
9.5.1 Create .Keycloak registry........................................................................................................128
9.5.2 Use Kcadm .............................................................................................................................130
9.5.3 Security measure with Kcadm ................................................................................................130
9.6 Usage of REST API with realm endpoints.......................................................................................130
9.6.1 App-jsp information.................................................................................................................131
9.6.2 Perform a ROPC query to the /token endpoint.......................................................................131
9.6.3 Call the userinfo endpoint .......................................................................................................132
9.6.4 Call the introspect endpoint ....................................................................................................132
9.7 Call Refresh Token using ROPC.....................................................................................................133
9.7.1 ROPC query to generate access and refresh tokens.............................................................133
9.7.2 Perform the query using the refresh token .............................................................................135
10 Use the OpenID Connect protocol to connect to an external identity provider (IdP) ...................137
10.1 Presentation................................................................................................................................137
10.2 Prerequisites...............................................................................................................................137
10.3 France Connect Endpoints .........................................................................................................138
10.4 France Connect Identity Provider deployment ...........................................................................138
10.5 Create an identity provider..........................................................................................................139
10.6 Add identity provider mappers....................................................................................................139
10.7 Setup the France Connect theme...............................................................................................140
10.8 Test the application .....................................................................................................................141
10.9 Account Linking...........................................................................................................................144
11 SAML V2 Presentation .........................................................................................................................146
11.1 What is SAML ? ..............................................................................................................................146
11.2 SAML 2.0 in short ...........................................................................................................................146
11.2.1 SAML V2 features...............................................................................................................146
11.2.2 Major Key elements ............................................................................................................146
11.3 Examples of SSO flows ..................................................................................................................148
11.3.1 SAML Service Provider Initiated SSO Flow........................................................................148
11.3.2 SAML Identity Provider Initiated SSO Flow ........................................................................149
11.3.3 SAML components..............................................................................................................150
11.4 SAML Components detailed ...........................................................................................................151
11.4.1 SAML 2.0 Protocols ............................................................................................................151
11.4.2 SAML 2.0 Bindings .............................................................................................................152
11.4.3 SAML 2.0 profiles................................................................................................................152
11.5 SAML elements (used by Keycloak)...............................................................................................153
11.5.1 General Adapter Config ......................................................................................................153
11.5.2 SP Element.........................................................................................................................154
11.5.3 SP Keys and Key elements ................................................................................................156
11.5.4 KeyStore element ...............................................................................................................156
11.5.5 Key PEMS...........................................................................................................................157
11.5.6 SP PrincipalNameMapping element...................................................................................157
11.5.7 RoleIdentifiers element .......................................................................................................158
11.5.8 IDP Element........................................................................................................................158
11.5.9 IDP SingleSignOnService sub element ..............................................................................159
11.5.10 IDP SingleLogoutService sub element ...............................................................................159
11.5.11 IDP Keys subelement .........................................................................................................160
11.6 XML SAML Examples .....................................................................................................................161
11.6.1 Post Request example........................................................................................................161
11.6.2 Response Extract ...............................................................................................................162
12 SAML broker example with Keycloak...................................................................................................163
12.1 Presentation................................................................................................................................163
12.2 Prerequisites...............................................................................................................................163
12.3 Import saml-broker-authentication-realm realm in Keycloak ......................................................163
12.4 Import saml-broker-realm realm in Keycloak..............................................................................165
12.5 Build and deploy saml-broker-authentication application ...........................................................167
12.6 Test .............................................................................................................................................169
12.7 Add SAML builtin protocol mapper .............................................................................................174
12.8 Check details of a built-in member (givenName)........................................................................175
12.9 Analyze content of a response with SAML tracer.......................................................................176
12.10 Map SAML attributes at identity provider level ...........................................................................177
12.11 Complete test scenario ...............................................................................................................178
12.12 Account linking............................................................................................................................178
13 SAML Integration with an external identity provider (Okta)..................................................................180
13.1 Overview.....................................................................................................................................180
13.2 Prerequisites...............................................................................................................................180
13.3 Configure Okta as an identity provider .......................................................................................180
13.3.1 Create an Okta account......................................................................................................180
13.3.2 Configure Okta identity provider .........................................................................................184
13.3.3 Assign a user to OKTA_SAML_IDP....................................................................................193
13.4 Configure Keycloak as a service provider ..................................................................................195
13.4.1 Create saml_okta_idp identity provider ..............................................................................195
13.4.2 Add attributes mapping.......................................................................................................196
13.5 Test .............................................................................................................................................197
13.6 Account Linking...........................................................................................................................199
14 Understanding Authorization Services with Keycloak ..........................................................................201
14.1 Presentation................................................................................................................................201
14.2 Key Concepts of Keycloak Authorization service .......................................................................201
14.3 Components of an Authorization Service ...................................................................................202
14.4 Resources...................................................................................................................................202
14.5 Authorization Scopes..................................................................................................................202
14.6 Policies........................................................................................................................................203
14.6.1 Role Policy..........................................................................................................................203
14.6.2 JavaScript Role...................................................................................................................203
14.7 Permission ..................................................................................................................................204
14.7.1 Resource – policy permission match..................................................................................204
14.7.2 Scope – policy permission match .......................................................................................204
14.8 Putting it all together – Tailoring authorization Service to your architecture needs....................204
15 Use a simple Keycloak Authorization example ....................................................................................206
15.1 Secure a Servlet Application.......................................................................................................206
15.2 Prerequisites...............................................................................................................................206
15.3 Configure Keycloak.....................................................................................................................206
15.4 Get the adapter configuration .....................................................................................................211
15.5 Build and Deploy the application ................................................................................................211
15.6 Test the application .....................................................................................................................212
16 Authorization access using Role based users .....................................................................................214
16.1 Overview.....................................................................................................................................214
16.2 Prerequisites...............................................................................................................................214
16.3 Configure Keycloak.....................................................................................................................214
16.4 Build and deploy the application.................................................................................................215
16.5 Authorization example test .........................................................................................................216
16.5.1 Log in with restricted privileges...........................................................................................216
16.5.2 Log in as Premium user......................................................................................................217
16.6 Detailed authorization scheme analysis .....................................................................................218
16.6.1 Resources details ...............................................................................................................219
16.6.2 Scopes details.....................................................................................................................219
16.6.3 Policies details ....................................................................................................................220
16.6.4 Permissions details.............................................................................................................221
17 Fine Grain Authorization – UMA policy.................................................................................................224
17.1 Presentation................................................................................................................................224
17.2 Prerequisites...............................................................................................................................226
17.3 About the Example application ...................................................................................................226
17.4 Configure Keycloak.....................................................................................................................227
17.5 Deploy the Example Applications ...............................................................................................228
17.6 Test the application .....................................................................................................................229
17.6.1 Create albums.....................................................................................................................229
17.6.2 Share albums......................................................................................................................230
17.6.3 View shared albums............................................................................................................234
17.6.4 Request permissions ..........................................................................................................236
17.6.5 Manage permission requests..............................................................................................237
17.6.6 View all resources...............................................................................................................239
17.6.7 Revoke permissions ...........................................................................................................241
17.6.8 Summary.............................................................................................................................243
18 Keycloak LDAP integration...................................................................................................................244
18.1 Presentation................................................................................................................................244
18.2 Prerequisites...............................................................................................................................244
18.3 About the Keycloak LDAP example............................................................................................244
18.4 Run and load the LDAP server ...................................................................................................244
18.5 Examine LDAP example using JXplorer.....................................................................................245
18.6 Configure Keycloak.....................................................................................................................247
18.6.1 Define LDAP synchronization policy...................................................................................249
18.6.2 Configure user federation mappers ....................................................................................250
18.7 Build and deploy the application.................................................................................................252
18.8 Test .............................................................................................................................................254
19 Relational Database Setup...................................................................................................................255
19.1 Presentation................................................................................................................................255
19.2 PostgreSQL DB installation and preparation..............................................................................255
19.2.1 Installing PostgreSQL on Ubuntu .......................................................................................255
19.2.2 Installing PostgreSQL on RedHat Linux .............................................................................255
19.2.3 Change PostgreSQL password ..........................................................................................256
19.2.4 Authentication test ..............................................................................................................256
19.2.5 Create keycloak user ..........................................................................................................256
19.2.6 Create keycloak DB ............................................................................................................256
19.2.7 Create keycloak schema ....................................................................................................257
19.3 Keycloak configurations..............................................................................................................257
19.3.1 PostgreSQL driver installation ............................................................................................257
19.3.2 JDBC driver declaration......................................................................................................258
19.3.3 Datasource declaration.......................................................................................................258
19.3.4 JPA connection update to accommodate a dedicated schema ....................................259
19.4 Test the configuration..................................................................................................................259
20 Import / Export Keycloak configuration.................................................................................................261
20.1 Presentation................................................................................................................................261
20.2 Import/export commands............................................................................................................261
20.2.1 Exporting to a single file......................................................................................................261
20.2.2 Exporting to a directory.......................................................................................................261
20.2.3 Imports................................................................................................................................261
20.3 Options........................................................................................................................................261
21 Protect Keycloak in production with a Reverse Proxy architecture......................................................263
21.1 Why add a reverse proxy ...............................................................................................263
21.2 Architectural deployment example .............................................................................................263
21.2.1 Role of the DMZ..................................................................................................................263
21.2.2 First firewall (internet - DMZ) ..............................................................................................264
21.2.3 Second Firewall ..................................................................................................................264
21.2.4 Reverse Proxy - DMZ .........................................................................................................264
21.2.5 Keycloak authentication Server - LAN................................................................................264
21.3 HTTPS everywhere ....................................................................................................................264
21.4 Reverse Proxy server used with Keycloak .................................................................................264
22 Keycloak Security.................................................................................................................................265
22.1 Security Best Practices...............................................................................................................265
22.2 Enable SSL/HTTPS for the Keycloak Server .............................................................................265
22.2.1 PKI – Self Cert – CA Authority ..............................................................................265
22.2.2 Generate self cert ...............................................................................................................265
22.2.3 Customize standalone.xml with ssl.....................................................................................266
22.2.4 Check SSL connection using openssl ................................................................................266
22.2.5 Check HTTPS connection ..................................................................................................268
22.3 Outgoing Http Requests .............................................................................................................269
22.4 Differences between when using self signed and signed certificates ........................................270
23 Keycloak Networking............................................................................................................................271
23.1 Keycloak Port presentation – standalone.xml (standalone-ha.xml) ...........................................271
23.2 Usage of each port .....................................................................................................................271
23.3 Disabling http and AJP for Keycloak...........................................................................................272
23.4 Keycloak Multicast Groups .........................................................................................................272
23.5 Keycloak multicast Group with clustering ...................................................................................273
23.5.1 Jgroups - multicast..............................................................................................................273
23.5.2 Mod_Cluster - multicast......................................................................................................273
24 Keycloak Clustering Operating Modes.................................................................................................275
24.1 Presentation................................................................................................................................275
24.2 Standalone clustered mode........................................................................................................275
24.2.1 Configure a shared external database ...............................................................................277
24.2.2 Set up a load balancer........................................................................................................277
24.2.3 Enable HTTPS/SSL with a Reverse Proxy.........................................................................278
24.2.4 Test the cluster....................................................................................................................279
24.3 Domain clustered mode..............................................................................................................280
24.3.1 Master node configuration ..................................................................................................281
24.3.2 Slave node configuration ....................................................................................................281
24.4 Clustered Domain Example........................................................................................................282
24.4.1 Prerequisites.......................................................................................................................282
24.4.2 Configure the slave secret key ...........................................................................................282
24.4.3 Create an admin master user .............................................................................................284
24.4.4 Start the servers..................................................................................................................285
24.5 Add app_vanilla profile client application to the cluster..............................................................286
24.6 Limitation of the domain cluster example ...................................................................................287
25 Mod_cluster with Standalone HA cluster deployment ..........................................................................287
25.1 Presentation................................................................................................................................287
25.2 Mod_cluster – Apache SW load Balancer ..................................................................................287
25.2.1 Presentation........................................................................................................................287
25.2.2 Mod_cluster and multicast group........................................................................................287
25.2.3 Mod_cluster with Keycloak .................................................................................................287
25.3 Clustering standalone HA example ............................................................................................288
25.3.1 Presentation........................................................................................................................288
25.3.2 Limitation.............................................................................................................................288
25.3.3 Set Keycloak "Require SSL" to none ....................................................................288
25.3.1 Mod_Cluster configuration..................................................................................................289
25.3.2 Apache installation..............................................................................................................289
25.3.3 Mod_Cluster configuration..................................................................................................290
25.3.4 Commands used.................................................................................................................291
25.3.5 Test Mod_cluster.................................................................................................................291
25.4 Testing application failover..........................................................................................................292
26 SPI testing integration – High available environment...........................................................................294
26.1 Overview.....................................................................................................................................294
26.2 Event SPI....................................................................................................................................294
26.2.1 Deploying the Jar file ..........................................................................................................294
26.2.2 Registering the SPI in standalone-ha.xml ..........................................................................294
26.3 SPI various use cases ................................................................................................................294
26.3.1 Use case 1 – Both nodes are Up........................................................................................294
26.3.2 Use case 2 – Node1 brought Down....................................................................................295
26.4 SPI interaction with keycloak in clustering mode........................................................................296
27 Keycloak Clustering best practices – Recommendation......................................................................297
28 Annex: OAuth 2.0, OIDC, PKCE, Refresh tokens (French) ................................................................298
28.1 Considerations on Web application security...................................................................298
28.2 Introduction to OAuth 2................................................................................................298
28.3 Introduction to OpenID Connect (OIDC)......................................................................298
28.4 OAuth 2 in detail.......................................................................................................299
28.4.1 Vocabulary .........................................................................................................299
28.4.2 Authorization Code Flow ....................................................................................299
28.4.3 Authorization Code with PKCE Flow ..............................................................301
28.4.4 Implicit Flow................................................................................................303
28.4.5 Refresh token ..................................................................................................304
Article sur l'Agilité dans le magazine StartArticle sur l'Agilité dans le magazine Start
Article sur l'Agilité dans le magazine Start
Pascal Flamand68 views
Article sur l'IA dans le magazine Start by Pascal Flamand
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine Start
Pascal Flamand78 views
Article sur la Smart City dans le magazine Start by Pascal Flamand
Article sur la Smart City dans le magazine StartArticle sur la Smart City dans le magazine Start
Article sur la Smart City dans le magazine Start
Pascal Flamand84 views
Article sur les Startup dans le magazine Start by Pascal Flamand
Article sur les Startup dans le magazine StartArticle sur les Startup dans le magazine Start
Article sur les Startup dans le magazine Start
Pascal Flamand73 views
TOC training Keycloak RedhatSSO advanced by Pascal Flamand
TOC training Keycloak RedhatSSO advancedTOC training Keycloak RedhatSSO advanced
TOC training Keycloak RedhatSSO advanced
Pascal Flamand780 views
TOC training KeyCloak Redhat SSO core by Pascal Flamand
TOC training KeyCloak Redhat SSO coreTOC training KeyCloak Redhat SSO core
TOC training KeyCloak Redhat SSO core
Pascal Flamand1.3K views
Article sur les Pitchs dans le magazine Start by Pascal Flamand
Article sur les Pitchs dans le magazine StartArticle sur les Pitchs dans le magazine Start
Article sur les Pitchs dans le magazine Start
Pascal Flamand74 views
Article sur la Transformation Digitale dans le Magazine Start by Pascal Flamand
Article sur la Transformation Digitale dans le Magazine StartArticle sur la Transformation Digitale dans le Magazine Start
Article sur la Transformation Digitale dans le Magazine Start
Pascal Flamand58 views
Article sur l'IA dans le magazine Start by Pascal Flamand
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine Start
Pascal Flamand53 views
Tribune paca jaguards 12.12.18 by Pascal Flamand
Tribune paca jaguards 12.12.18Tribune paca jaguards 12.12.18
Tribune paca jaguards 12.12.18
Pascal Flamand910 views
Partenariat Jaguards - Busit by Pascal Flamand
Partenariat Jaguards - BusitPartenariat Jaguards - Busit
Partenariat Jaguards - Busit
Pascal Flamand331 views
La tribune ce que booster apporte à semantic experts by Pascal Flamand
La tribune   ce que booster apporte à semantic expertsLa tribune   ce que booster apporte à semantic experts
La tribune ce que booster apporte à semantic experts
Pascal Flamand2.8K views
OPENAM 13.5 - Core Token Service by Pascal Flamand
OPENAM 13.5 - Core Token ServiceOPENAM 13.5 - Core Token Service
OPENAM 13.5 - Core Token Service
Pascal Flamand1.1K views
La tribune Jaguards juillet 2017 by Pascal Flamand
La tribune Jaguards juillet 2017La tribune Jaguards juillet 2017
La tribune Jaguards juillet 2017
Pascal Flamand663 views

Recently uploaded

1st parposal presentation.pptx by
1st parposal presentation.pptx1st parposal presentation.pptx
1st parposal presentation.pptxi238212
9 views3 slides
The details of description: Techniques, tips, and tangents on alternative tex... by
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...BookNet Canada
126 views24 slides
Unit 1_Lecture 2_Physical Design of IoT.pdf by
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdfStephenTec
12 views36 slides
virtual reality.pptx by
virtual reality.pptxvirtual reality.pptx
virtual reality.pptxG036GaikwadSnehal
11 views15 slides
Uni Systems for Power Platform.pptx by
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptxUni Systems S.M.S.A.
55 views21 slides
Report 2030 Digital Decade by
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital DecadeMassimo Talia
15 views41 slides

Recently uploaded(20)

1st parposal presentation.pptx by i238212
1st parposal presentation.pptx1st parposal presentation.pptx
1st parposal presentation.pptx
i2382129 views
The details of description: Techniques, tips, and tangents on alternative tex... by BookNet Canada
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada126 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec12 views
6g - REPORT.pdf by Liveplex
6g - REPORT.pdf6g - REPORT.pdf
6g - REPORT.pdf
Liveplex10 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software257 views
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson66 views
AMAZON PRODUCT RESEARCH.pdf by JerikkLaureta
AMAZON PRODUCT RESEARCH.pdfAMAZON PRODUCT RESEARCH.pdf
AMAZON PRODUCT RESEARCH.pdf
JerikkLaureta19 views
HTTP headers that make your website go faster - devs.gent November 2023 by Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn21 views
Perth MeetUp November 2023 by Michael Price
Perth MeetUp November 2023 Perth MeetUp November 2023
Perth MeetUp November 2023
Michael Price19 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
DALI Basics Course 2023 by Ivory Egg
DALI Basics Course  2023DALI Basics Course  2023
DALI Basics Course 2023
Ivory Egg16 views

TOC training KeyCloak Redhat SSO core

1.7 Environment variables ..... 18
2 Starting with Keycloak ..... 19
2.1 Overview ..... 19
2.2 Install Keycloak ..... 19
2.3 Keycloak Layout ..... 19
2.4 Start Standalone Server distribution ..... 20
2.5 Deployment on Tomcat/Jetty ..... 22
2.6 Keycloak on Quarkus ..... 23
2.7 Keycloak healthcheck ..... 26
2.8 Considerations on Keycloak persistence ..... 31
2.9 Keycloak core concepts ..... 31
2.10 Path to integration with Keycloak ..... 32
2.11 Integration with Keycloak ..... 33
2.12 Usages of Keycloak and corresponding technologies ..... 33
2.13 Access the admin console ..... 35
2.14 Create Admin account ..... 37
2.15 Create a realm ..... 39
2.16 Define roles for users ..... 40
2.17 Add users ..... 42
2.18 Access user account Service ..... 45
2.19 Add a client to realm demo ..... 46
2.19.1 Client Protocol Types ..... 47
2.19.2 Access Types ..... 48
2.20 Define roles for the client app ..... 49
2.21 Create a group ..... 51
3 Starting with WildFly ..... 53
3.1 Overview ..... 53
3.2 Install WildFly server ..... 53
3.3 Start WildFly Server ..... 53
3.4 Access the admin console ..... 54
3.5 Install Keycloak adapters ..... 56
3.5.1 OpenID Connect adapter ..... 56
3.5.2 SAML 2.0 adapter ..... 57
3.5.3 Check adapters installation ..... 59
4 Secure a JavaEE application with Keycloak ..... 60
4.1 Prerequisites ..... 60
4.2 Basic application deployment ..... 60
4.3 Configure HTTP basic authentication with WildFly ..... 60
4.4 Basic application login ..... 61
4.5 Integrate the Vanilla application with Keycloak ..... 62
4.5.1 Install Keycloak OIDC adapter ..... 62
4.5.2 Register the Vanilla application with Keycloak ..... 62
4.5.3 Display Keycloak Vanilla client information ..... 64
4.5.4 Update Vanilla application configuration in WildFly ..... 64
4.6 Test the application ..... 65
5 Use Keycloak with client applications ..... 67
5.1 Overview ..... 67
5.2 Prerequisites ..... 67
5.3 Database service setup ..... 68
5.3.1 Create Realm ..... 68
5.3.2 Enable user registration ..... 68
5.3.3 Create user ..... 69
5.3.4 Create Database service application ..... 69
5.3.5 Build and deploy database-service webapp ..... 71
5.4 Customer application setup ..... 72
5.4.1 Create Customer client application ..... 72
5.4.2 Build and deploy customer-portal webapp ..... 75
5.5 Customer application test ..... 76
5.6 Product application setup ..... 77
5.6.1 Create Product client application ..... 77
5.6.2 Build product-portal webapp ..... 81
5.7 Product application Test ..... 83
5.8 Common mistakes ..... 83
5.8.1 Invalid client secret (WildFly server) ..... 83
5.8.2 Invalid user credentials ..... 84
6 Understanding OAuth2 ..... 85
6.1 OAuth2 Presentation ..... 85
6.2 OAuth2 Elements ..... 87
6.2.1 OAuth Roles ..... 87
6.2.2 Tokens ..... 87
6.2.3 Scopes vs permissions ..... 87
6.2.4 Types of clients ..... 88
6.2.5 Standard OAuth 2.0 / OpenID Connect endpoints ..... 88
6.2.6 Callback routes ..... 89
6.2.7 OAuth 2.0 grant types ..... 89
6.2.8 HTTPS is mandatory ..... 90
6.3 OAuth 2.0 grant types in detail ..... 90
6.3.1 Authorization Code Grant ..... 90
6.3.2 Implicit ..... 90
6.3.3 Resource Owner Password Credential (ROPC) ..... 91
6.3.4 Client credentials grant ..... 92
6.3.5 Refresh token flow ..... 92
6.4 Which OAuth 2.0 Grant to Use ..... 93
6.4.1 Resource owner and client application are the same / Machine to machine communication ..... 93
6.4.2 Web / SPA (single page application) / Mobile applications ..... 93
6.5 Authorization code grant flow with Proof Key for Code Exchange (PKCE) ..... 93
6.6 Use of refresh tokens ..... 95
7 Understanding OpenID Connect (OIDC) ..... 96
7.1 Overview ..... 96
7.2 OpenID sequence flow ..... 97
7.3 OpenID flows ..... 97
7.3.1 Authorization Code Flow ..... 97
7.3.2 Implicit Flow ..... 97
7.3.3 Hybrid Flow ..... 98
7.3.4 Flow features ..... 98
7.3.5 Response types by flow ..... 98
7.4 Authorization Code flow ..... 99
7.5 Implicit Flow ..... 103
7.6 ID token analysis ..... 105
8 Debug and analyse a Keycloak example ..... 107
8.1 Overview ..... 107
8.2 Prerequisites ..... 107
8.3 Create service-jaxrs application ..... 107
8.4 Create app-jsp application ..... 109
8.5 Create a user ..... 112
8.6 Login to the app ..... 113
8.7 Check Request Headers and Response Headers of the /authenticate endpoint request ..... 116
8.8 Use jwt.io debugger ..... 117
8.9 Verify the signature ..... 119
8.10 Check Cookie within Chrome ..... 119
9 Use REST API with Keycloak ..... 121
9.1 Presentation ..... 121
9.2 App-js application ..... 121
9.3 Realm endpoints - .well-known/openid-configuration ..... 121
9.4 admin-cli Client application ..... 123
9.4.1 Getting an admin Bearer token with the admin CLI ..... 123
9.4.2 Use admin Bearer Token in REST API query ..... 125
9.4.3 Use another admin user with admin-cli ..... 126
9.4.4 List the number of sessions present on a realm ..... 127
9.5 Use Kcadm ..... 128
9.5.1 Create .Keycloak registry ..... 128
9.5.2 Use Kcadm ..... 130
9.5.3 Security measure with Kcadm ..... 130
9.6 Usage of REST API with realm endpoints ..... 130
9.6.1 App-jsp information ..... 131
9.6.2 Perform a ROPC query to the /token endpoint ..... 131
9.6.3 Call the userinfo endpoint ..... 132
9.6.4 Call the introspect endpoint ..... 132
9.7 Call Refresh Token using ROPC ..... 133
9.7.1 ROPC query to generate access and refresh tokens ..... 133
9.7.2 Perform the query using the refresh token ..... 135
10 Use OpenID protocol to connect to an IDP provider ..... 137
10.1 Presentation ..... 137
10.2 Prerequisites ..... 137
10.3 France Connect Endpoints ..... 138
10.4 France Connect Identity Provider deployment ..... 138
10.5 Create an identity provider ..... 139
10.6 Add identity provider mappers ..... 139
10.7 Setup the France Connect theme ..... 140
10.8 Test the application ..... 141
10.9 Account Linking ..... 144
11 SAML V2 Presentation ..... 146
11.1 What is SAML? ..... 146
11.2 SAML 2.0 in short ..... 146
11.2.1 SAML V2 features ..... 146
11.2.2 Major Key elements ..... 146
11.3 Examples of SSO flows ..... 148
11.3.1 SAML Service Provider Initiated SSO Flow ..... 148
11.3.2 SAML Identity Provider Initiated SSO Flow ..... 149
11.3.3 SAML components ..... 150
11.4 SAML Components detailed ..... 151
11.4.1 SAML 2.0 Protocols ..... 151
11.4.2 SAML 2.0 Bindings ..... 152
11.4.3 SAML 2.0 profiles ..... 152
11.5 SAML elements (used by Keycloak) ..... 153
11.5.1 General Adapter Config ..... 153
11.5.2 SP Element ..... 154
11.5.3 SP Keys and Key elements ..... 156
11.5.4 KeyStore element ..... 156
11.5.5 Key PEMS ..... 157
11.5.6 SP PrincipalNameMapping element ..... 157
11.5.7 RoleIdentifiers element ..... 158
11.5.8 IDP Element ..... 158
11.5.9 IDP SingleSignOnService sub element ..... 159
11.5.10 IDP SingleLogoutService sub element ..... 159
11.5.11 IDP Keys subelement ..... 160
11.6 XML SAML Examples ..... 161
11.6.1 Post Request example ..... 161
11.6.2 Response Extract ..... 162
12 SAML broker example with Keycloak ..... 163
12.1 Presentation ..... 163
12.2 Prerequisites ..... 163
12.3 Import saml-broker-authentication-realm realm in Keycloak ..... 163
12.4 Import saml-broker-realm realm in Keycloak ..... 165
12.5 Build and deploy saml-broker-authentication application ..... 167
12.6 Test ..... 169
12.7 Add SAML builtin protocol mapper ..... 174
12.8 Check details of a built-in member (givenName) ..... 175
12.9 Analyze content of a response with SAML tracer ..... 176
12.10 Map SAML attributes at identity provider level ..... 177
12.11 Complete test scenario ..... 178
12.12 Account linking ..... 178
13 SAML Integration with an external identity provider (Okta) ..... 180
13.1 Overview ..... 180
13.2 Prerequisites ..... 180
13.3 Configure Okta as an identity provider ..... 180
13.3.1 Create an Okta account ..... 180
13.3.2 Configure Okta identity provider ..... 184
13.3.3 Assign a user to OKTA_SAML_IDP ..... 193
13.4 Configure Keycloak as a service provider
..................................................................................195 13.4.1 Create saml_okta_idp identity provider ..............................................................................195 13.4.2 Add attributes mapping.......................................................................................................196 13.5 Test .............................................................................................................................................197 13.6 Account Linking...........................................................................................................................199 14 Understanding Authorization Services with Keycloak ..........................................................................201 14.1 Presentation................................................................................................................................201 14.2 Key Concepts of Keycloak Authorization service .......................................................................201 14.3 Components of an Authorization Service ...................................................................................202 14.4 Resources...................................................................................................................................202 14.5 Authorization Scopes..................................................................................................................202 14.6 Policies........................................................................................................................................203
  • 5. Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret Tél. 0 950 260 370 – Fax. 0 955 260 370 Siret : 478 075 369 00015 - http://www.janua.fr Page 8 / 304 14.6.1 Role Policy..........................................................................................................................203 14.6.2 JavaScript Role...................................................................................................................203 14.7 Permission ..................................................................................................................................204 14.7.1 Resource – policy permission match..................................................................................204 14.7.2 Scope – policy permission match .......................................................................................204 14.8 Putting it all together – Tailoring authorization Service to your architecture needs....................204 15 Use a simple Keycloak Authorization example ....................................................................................206 15.1 Secure a Servlet Application.......................................................................................................206 15.2 Prerequisites...............................................................................................................................206 15.3 Configure Keycloak.....................................................................................................................206 15.4 Get the adapter configuration .....................................................................................................211 15.5 Build and Deploy the application ................................................................................................211 15.6 Test the application .....................................................................................................................212 16 
Authorization access using Role based users .....................................................................................214 16.1 Overview.....................................................................................................................................214 16.2 Prerequisites...............................................................................................................................214 16.3 Configure Keycloak.....................................................................................................................214 16.4 Build and deploy the application.................................................................................................215 16.5 Authorization example test .........................................................................................................216 16.5.1 Log in with restricted privileges...........................................................................................216 16.5.2 Log in as Premium user......................................................................................................217 16.6 Detailed authorization scheme analysis .....................................................................................218 16.6.1 Resources details ...............................................................................................................219 16.6.2 Scopes details.....................................................................................................................219 16.6.3 Policies details ....................................................................................................................220 16.6.4 Permissions details.............................................................................................................221 17 Fine Grain Authorization – UMA policy.................................................................................................224 17.1 
Presentation................................................................................................................................224 17.2 Prerequisites...............................................................................................................................226 17.3 About the Example application ...................................................................................................226 17.4 Configure Keycloak.....................................................................................................................227 17.5 Deploy the Example Applications ...............................................................................................228 17.6 Test the application .....................................................................................................................229 17.6.1 Create albums.....................................................................................................................229 17.6.2 Share albums......................................................................................................................230 17.6.3 View shared albums............................................................................................................234 17.6.4 Request permissions ..........................................................................................................236 17.6.5 Manage permission requests..............................................................................................237 17.6.6 View all resources...............................................................................................................239 17.6.7 Revoke permissions ...........................................................................................................241 17.6.8 Summary.............................................................................................................................243 18 Keycloak LDAP 
integration...................................................................................................................244 18.1 Presentation................................................................................................................................244 18.2 Prerequisites...............................................................................................................................244 18.3 About the Keycloak LDAP example............................................................................................244 18.4 Run and load the LDAP server ...................................................................................................244 18.5 Examine LDAP example using JXplorer.....................................................................................245 18.6 Configure Keycloak.....................................................................................................................247 18.6.1 Define LDAP synchronization policy...................................................................................249 18.6.2 Configure user federation mappers ....................................................................................250 18.7 Build and deploy the application.................................................................................................252 18.8 Test .............................................................................................................................................254 19 Relational Database Setup...................................................................................................................255 19.1 Presentation................................................................................................................................255
  • 6. Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret Tél. 0 950 260 370 – Fax. 0 955 260 370 Siret : 478 075 369 00015 - http://www.janua.fr Page 9 / 304 19.2 PostgreSQL DB installation and preparation..............................................................................255 19.2.1 Installing PostgreSQL on Ubuntu .......................................................................................255 19.2.2 Installing PostgreSQL on RedHat Linux .............................................................................255 19.2.3 Change PostgreSQL password ..........................................................................................256 19.2.4 Authentication test ..............................................................................................................256 19.2.5 Create keycloak user ..........................................................................................................256 19.2.6 Create keycloak DB ............................................................................................................256 19.2.7 Create keycloak schema ....................................................................................................257 19.3 Keycloak configurations..............................................................................................................257 19.3.1 PostgreSQL driver installation ............................................................................................257 19.3.2 JDBC driver declaration......................................................................................................258 19.3.3 Datasource declaration.......................................................................................................258 19.3.4 Connection Jpa update to accommodate dedicated schema.............................................259 19.4 Test the 
configuration..................................................................................................................259 20 Import / Export Keycloak configuration.................................................................................................261 20.1 Presentation................................................................................................................................261 20.2 Import/export commands............................................................................................................261 20.2.1 Exporting to a single file......................................................................................................261 20.2.2 Exporting to a directory.......................................................................................................261 20.2.3 Imports................................................................................................................................261 20.3 Options........................................................................................................................................261 21 Protect Keycloak in production with a Reverse Proxy architecture......................................................263 21.1 Why adding a reverse proxy.......................................................................................................263 21.2 Architectural deployment example .............................................................................................263 21.2.1 Role of the DMZ..................................................................................................................263 21.2.2 First firewall (internet - DMZ) ..............................................................................................264 21.2.3 Second Firewall ..................................................................................................................264 21.2.4 Reverse Proxy - DMZ 
.........................................................................................................264 21.2.5 Keycloak authentication Server - LAN................................................................................264 21.3 HTTPS everywhere ....................................................................................................................264 21.4 Reverse Proxy server used with Keycloak .................................................................................264 22 Keycloak Security.................................................................................................................................265 22.1 Security Best Practices...............................................................................................................265 22.2 Enable SSL/HTTPS for the Keycloak Server .............................................................................265 22.2.1 PKI – Self Cert – CA Authorithy ..........................................................................................265 22.2.2 Generate self cert ...............................................................................................................265 22.2.3 Customize standalone.xml with ssl.....................................................................................266 22.2.4 Check SSL connection using openssl ................................................................................266 22.2.5 Check HTTPS connection ..................................................................................................268 22.3 Outgoing Http Requests .............................................................................................................269 22.4 Differences between when using self signed and signed certificates ........................................270 23 Keycloak Networking............................................................................................................................271 
23.1 Keycloak Port presentation – standalone.xml (standalone-ha.xml) ...........................................271 23.2 Usage of each port .....................................................................................................................271 23.3 Disabling http and AJP for Keycloak...........................................................................................272 23.4 Keycloak Multicast Groups .........................................................................................................272 23.5 Keycloak multicast Group with clustering ...................................................................................273 23.5.1 Jgroups - multicast..............................................................................................................273 23.5.2 Mod_Cluster - multicast......................................................................................................273 24 Keycloak Clustering Operating Modes.................................................................................................275 24.1 Presentation................................................................................................................................275 24.2 Standalone clustered mode........................................................................................................275 24.2.1 Configure a shared external database ...............................................................................277 24.2.2 Set up a load balancer........................................................................................................277
  • 7. Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret Tél. 0 950 260 370 – Fax. 0 955 260 370 Siret : 478 075 369 00015 - http://www.janua.fr Page 10 / 304 24.2.3 Enable HTTPS/SSL with a Reverse Proxy.........................................................................278 24.2.4 Test the cluster....................................................................................................................279 24.3 Domain clustered mode..............................................................................................................280 24.3.1 Master node configuration ..................................................................................................281 24.3.2 Slave node configuration ....................................................................................................281 24.4 Clustered Domain Example........................................................................................................282 24.4.1 Prerequisites.......................................................................................................................282 24.4.2 Configure the slave secret key ...........................................................................................282 24.4.3 Create an admin master user .............................................................................................284 24.4.4 Start the servers..................................................................................................................285 24.5 Add app_vanilla profile client application to the cluster..............................................................286 24.6 Limitation of the domain cluster example ...................................................................................287 25 Mod_cluster with Standalone HA cluster deployment ..........................................................................287 25.1 
Presentation................................................................................................................................287 25.2 Mod_cluster – Apache SW load Balancer ..................................................................................287 25.2.1 Presentation........................................................................................................................287 25.2.2 Mod_cluster and multicast group........................................................................................287 25.2.3 Mod_cluster with Keycloak .................................................................................................287 25.3 Clustering standalone HA example ............................................................................................288 25.3.1 Presentation........................................................................................................................288 25.3.2 Limitation.............................................................................................................................288 25.3.3 Set Keycloak requires SSL to none ....................................................................................288 25.3.1 Mod_Cluster configuration..................................................................................................289 25.3.2 Apache installation..............................................................................................................289 25.3.3 Mod_Cluster configuration..................................................................................................290 25.3.4 Commands used.................................................................................................................291 25.3.5 Test Mod_cluster.................................................................................................................291 25.4 Testing application 
failover..........................................................................................................292 26 SPI testing integration – High available environment...........................................................................294 26.1 Overview.....................................................................................................................................294 26.2 Event SPI....................................................................................................................................294 26.2.1 Deploying the Jar file ..........................................................................................................294 26.2.2 Registering the SPI in standalone-ha.xml ..........................................................................294 26.3 SPI various use cases ................................................................................................................294 26.3.1 Use case 1 – Both nodes are Up........................................................................................294 26.3.2 Use case 2 – Node1 brought Down....................................................................................295 26.4 SPI interaction with keycloak in clustering mode........................................................................296 27 Keycloak Clustering best practices – Recommendation......................................................................297 28 Annex : Oauth 2.0, OIDC, PKCE, Refresh tokens (French) ................................................................298 28.1 Considération sur la sécurité des applications Web...................................................................298 28.2 Introduction à OAuth 2................................................................................................................298 28.3 Introduction d’OpenID Connect (OIDC)......................................................................................298 
28.4 Oauth 2 en détails.......................................................................................................................299 28.4.1 Vocabulaire .........................................................................................................................299 28.4.2 Flux de codes d’autorisation (Authorization Code Flow) ....................................................299 28.4.3 Flux de codes d'autorisation avec PKCE (Authorization Code with PKCE Flow) ..............301 28.4.4 Flux implicite (Implicit Flow)................................................................................................303 28.4.5 Jeton de rafraîchissement ..................................................................................................304