TOC training KeyCloak Redhat SSO core

Janua – SARL with a share capital of €30,000 – 8 Chemin du bas Lauron – 06 650 Le Rouret – Tel. 0 950 260 370 – Fax. 0 955 260 370 – Siret: 478 075 369 00015 – http://www.janua.fr – Page 4 / 304

Table of contents

1 Introduction to Keycloak for Identity and Access Management (p. 11)
  1.1 Keycloak overview (p. 11)
  1.2 Keycloak competitors (p. 12)
  1.3 Prerequisites (p. 12)
    1.3.1 Hardware requirements (p. 12)
    1.3.2 Software requirements (p. 12)
    1.3.3 Tools (p. 13)
  1.4 Documentation (p. 14)
    1.4.1 Keycloak documentation (p. 14)
    1.4.2 White papers (p. 14)
  1.5 Keycloak code sources (p. 16)
  1.6 Build Keycloak (p. 17)
  1.7 Environment variables (p. 18)
2 Starting with Keycloak (p. 19)
  2.1 Overview (p. 19)
  2.2 Install Keycloak (p. 19)
  2.3 Keycloak Layout (p. 19)
  2.4 Start Standalone Server distribution (p. 20)
  2.5 Deployment on Tomcat/Jetty (p. 22)
  2.6 Keycloak on Quarkus (p. 23)
  2.7 Keycloak healthcheck (p. 26)
  2.8 Considerations on Keycloak persistence (p. 31)
  2.9 Keycloak core concepts (p. 31)
  2.10 Path to integration with Keycloak (p. 32)
  2.11 Integration with Keycloak (p. 33)
  2.12 Usages of keycloak and corresponding technologies (p. 33)
  2.13 Access the admin console (p. 35)
  2.14 Create Admin account (p. 37)
  2.15 Create a realm (p. 39)
  2.16 Define roles for users (p. 40)
  2.17 Add users (p. 42)
  2.18 Access user account Service (p. 45)
  2.19 Add a client to realm demo (p. 46)
    2.19.1 Client Protocol Types (p. 47)
    2.19.2 Access Types (p. 48)
  2.20 Define roles for the client app (p. 49)
  2.21 Create a group (p. 51)
3 Starting with WildFly (p. 53)
  3.1 Overview (p. 53)
  3.2 Install WildFly server (p. 53)
  3.3 Start WildFly Server (p. 53)
  3.4 Access the admin console (p. 54)
  3.5 Install Keycloak adapters (p. 56)
    3.5.1 OpenID Connect adapter (p. 56)
    3.5.2 SAML 2.0 adapter (p. 57)
    3.5.3 Check adapters installation (p. 59)
4 Secure a JavaEE application with Keycloak (p. 60)
  4.1 Prerequisites (p. 60)
  4.2 Basic application deployment (p. 60)
  4.3 Configure HTTP basic authentication with WildFly (p. 60)
  4.4 Basic application login (p. 61)
  4.5 Integrate the Vanilla application with Keycloak (p. 62)
    4.5.1 Install Keycloak OIDC adapter (p. 62)
    4.5.2 Register the Vanilla application with Keycloak (p. 62)
    4.5.3 Display Keycloak Vanilla client information (p. 64)
    4.5.4 Update Vanilla application configuration in WildFly (p. 64)
  4.6 Test the application (p. 65)
5 Use Keycloak with client applications (p. 67)
  5.1 Overview (p. 67)
  5.2 Prerequisites (p. 67)
  5.3 Database service setup (p. 68)
    5.3.1 Create Realm (p. 68)
    5.3.2 Enable user registration (p. 68)
    5.3.3 Create user (p. 69)
    5.3.4 Create Database service application (p. 69)
    5.3.5 Build and deploy database-service webapp (p. 71)
  5.4 Customer application setup (p. 72)
    5.4.1 Create Customer client application (p. 72)
    5.4.2 Build and deploy customer-portal webapp (p. 75)
  5.5 Customer application test (p. 76)
  5.6 Product application setup (p. 77)
    5.6.1 Create Product client application (p. 77)
    5.6.2 Build product-portal webapp (p. 81)
  5.7 Product application Test (p. 83)
  5.8 Common mistakes (p. 83)
    5.8.1 Invalid client secret (WildFly server) (p. 83)
    5.8.2 Invalid user credentials (p. 84)
6 Understanding Oauth2 (p. 85)
  6.1 Oauth2 Presentation (p. 85)
  6.2 Oauth2 Elements (p. 87)
    6.2.1 Oauth Roles (p. 87)
    6.2.2 Tokens (p. 87)
    6.2.3 Scopes vs permissions (p. 87)
    6.2.4 Types of clients (p. 88)
    6.2.5 Standard OAuth 2.0 / OpenID Connect endpoints (p. 88)
    6.2.6 Callback routes (p. 89)
    6.2.7 OAuth 2.0 grant types (p. 89)
    6.2.8 Https is mandatory (p. 90)
  6.3 OAuth 2.0 grant types in details (p. 90)
    6.3.1 Authorization Code Grant (p. 90)
    6.3.2 Implicit (p. 90)
    6.3.3 Resource Owner Password Credential (ROPC) (p. 91)
    6.3.4 Client credentials grant (p. 92)
    6.3.5 Refresh token flow (p. 92)
  6.4 Which OAuth 2.0 Grant to Use (p. 93)
    6.4.1 Resource owner and client application are same / Machine to machine communication (p. 93)
    6.4.2 Web / SPA (single page application) / Mobile applications (p. 93)
  6.5 Authorization code grant flow with Proof Key for Code Exchange (PKCE) (p. 93)
  6.6 Use of refresh tokens (p. 95)
7 Understanding OpenID Connect (OIDC) (p. 96)
  7.1 Overview (p. 96)
  7.2 OpenID sequence flow (p. 97)
  7.3 OpenID flows (p. 97)
    7.3.1 Authorization Code Flow (p. 97)
    7.3.2 Implicit Flow (p. 97)
    7.3.3 Hybrid Flow (p. 98)
    7.3.4 Flow features (p. 98)
    7.3.5 Response types by flow (p. 98)
  7.4 Authorization Code flow (p. 99)
  7.5 Implicit Flow (p. 103)
  7.6 ID token analysis (p. 105)
8 Debug and analyse a Keycloak example (p. 107)
  8.1 Overview (p. 107)
  8.2 Prerequisites (p. 107)
  8.3 Create service-jaxrs application (p. 107)
  8.4 Create app-jsp application (p. 109)
  8.5 Create a user (p. 112)
  8.6 Login to the app (p. 113)
  8.7 Check Request Headers and Response Headers of the /authenticate endpoint request (p. 116)
  8.8 Use jwt.io debugger (p. 117)
  8.9 Verify the signature (p. 119)
  8.10 Check Cookie within Chrome (p. 119)
9 Use REST API with Keycloak (p. 121)
  9.1 Presentation (p. 121)
  9.2 App-js application (p. 121)
  9.3 Realm endpoints - .well-known/openid-configuration (p. 121)
  9.4 admin-cli Client application (p. 123)
    9.4.1 Getting an admin Bearer token with the admin CLI (p. 123)
    9.4.2 Use admin Bearer Token in Rest API query (p. 125)
    9.4.3 Use another admin user with admin-cli (p. 126)
    9.4.4 List the number of sessions present on a realm (p. 127)
  9.5 Use Kcadm (p. 128)
    9.5.1 Create .Keycloak registry (p. 128)
    9.5.2 Use Kcadm (p. 130)
    9.5.3 Security measure with Kcadm (p. 130)
  9.6 Usage of REST API with realm endpoints (p. 130)
    9.6.1 App-jsp information (p. 131)
    9.6.2 Perform a ROPC query to the /token endpoint (p. 131)
    9.6.3 Call the userinfo endpoint (p. 132)
    9.6.4 Call the introspect endpoint (p. 132)
  9.7 Call Refresh Token using ROPC (p. 133)
    9.7.1 ROPC query to generate access and refresh tokens (p. 133)
    9.7.2 Perform the query using the refresh token (p. 135)
10 Use OpenID protocol to connect to an IDP provider (p. 137)
  10.1 Presentation (p. 137)
  10.2 Prerequisites (p. 137)
  10.3 France Connect Endpoints (p. 138)
  10.4 France Connect Identity Provider deployment (p. 138)
  10.5 Create an identity provider (p. 139)
  10.6 Add identity provider mappers (p. 139)
  10.7 Setup the France Connect theme (p. 140)
  10.8 Test the application (p. 141)
  10.9 Account Linking (p. 144)
11 SAML V2 Presentation (p. 146)
  11.1 What is SAML? (p. 146)
  11.2 SAML 2.0 in short (p. 146)
    11.2.1 SAML V2 features (p. 146)
    11.2.2 Major Key elements (p. 146)
  11.3 Examples of SSO flows (p. 148)
    11.3.1 SAML Service Provider Initiated SSO Flow (p. 148)
    11.3.2 SAML Identity Provider Initiated SSO Flow (p. 149)
    11.3.3 SAML components (p. 150)
  11.4 SAML Components detailed (p. 151)
    11.4.1 SAML 2.0 Protocols (p. 151)
    11.4.2 SAML 2.0 Bindings (p. 152)
    11.4.3 SAML 2.0 profiles (p. 152)
  11.5 SAML elements (used by Keycloak) (p. 153)
    11.5.1 General Adapter Config (p. 153)
    11.5.2 SP Element (p. 154)
    11.5.3 SP Keys and Key elements (p. 156)
    11.5.4 KeyStore element (p. 156)
    11.5.5 Key PEMS (p. 157)
    11.5.6 SP PrincipalNameMapping element (p. 157)
    11.5.7 RoleIdentifiers element (p. 158)
    11.5.8 IDP Element (p. 158)
    11.5.9 IDP SingleSignOnService sub element (p. 159)
    11.5.10 IDP SingleLogoutService sub element (p. 159)
    11.5.11 IDP Keys subelement (p. 160)
  11.6 XML SAML Examples (p. 161)
    11.6.1 Post Request example (p. 161)
    11.6.2 Response Extract (p. 162)
12 SAML broker example with Keycloak (p. 163)
  12.1 Presentation (p. 163)
  12.2 Prerequisites (p. 163)
  12.3 Import saml-broker-authentication-realm realm in Keycloak (p. 163)
  12.4 Import saml-broker-realm realm in Keycloak (p. 165)
  12.5 Build and deploy saml-broker-authentication application (p. 167)
  12.6 Test (p. 169)
  12.7 Add SAML builtin protocol mapper (p. 174)
  12.8 Check details of a built-in member (givenName) (p. 175)
  12.9 Analyze content of a response with SAML tracer (p. 176)
  12.10 Map SAML attributes at identity provider level (p. 177)
  12.11 Complete test scenario (p. 178)
  12.12 Account linking (p. 178)
13 SAML Integration with an external identity provider (Okta) (p. 180)
  13.1 Overview (p. 180)
  13.2 Prerequisites (p. 180)
  13.3 Configure Okta as an identity provider (p. 180)
    13.3.1 Create an Okta account (p. 180)
    13.3.2 Configure Okta identity provider (p. 184)
    13.3.3 Assign a user to OKTA_SAML_IDP (p. 193)
  13.4 Configure Keycloak as a service provider (p. 195)
    13.4.1 Create saml_okta_idp identity provider (p. 195)
    13.4.2 Add attributes mapping (p. 196)
  13.5 Test (p. 197)
  13.6 Account Linking (p. 199)
14 Understanding Authorization Services with Keycloak (p. 201)
  14.1 Presentation (p. 201)
  14.2 Key Concepts of Keycloak Authorization service (p. 201)
  14.3 Components of an Authorization Service (p. 202)
  14.4 Resources (p. 202)
  14.5 Authorization Scopes (p. 202)
  14.6 Policies (p. 203)
    14.6.1 Role Policy (p. 203)
    14.6.2 JavaScript Role (p. 203)
  14.7 Permission (p. 204)
    14.7.1 Resource – policy permission match (p. 204)
    14.7.2 Scope – policy permission match (p. 204)
  14.8 Putting it all together – Tailoring authorization Service to your architecture needs (p. 204)
15 Use a simple Keycloak Authorization example (p. 206)
  15.1 Secure a Servlet Application (p. 206)
  15.2 Prerequisites (p. 206)
  15.3 Configure Keycloak (p. 206)
  15.4 Get the adapter configuration (p. 211)
  15.5 Build and Deploy the application (p. 211)
  15.6 Test the application (p. 212)
16 Authorization access using Role based users (p. 214)
  16.1 Overview (p. 214)
  16.2 Prerequisites (p. 214)
  16.3 Configure Keycloak (p. 214)
  16.4 Build and deploy the application (p. 215)
  16.5 Authorization example test (p. 216)
    16.5.1 Log in with restricted privileges (p. 216)
    16.5.2 Log in as Premium user (p. 217)
  16.6 Detailed authorization scheme analysis (p. 218)
    16.6.1 Resources details (p. 219)
    16.6.2 Scopes details (p. 219)
    16.6.3 Policies details (p. 220)
    16.6.4 Permissions details (p. 221)
17 Fine Grain Authorization – UMA policy (p. 224)
  17.1 Presentation (p. 224)
  17.2 Prerequisites (p. 226)
  17.3 About the Example application (p. 226)
  17.4 Configure Keycloak (p. 227)
  17.5 Deploy the Example Applications (p. 228)
  17.6 Test the application (p. 229)
    17.6.1 Create albums (p. 229)
    17.6.2 Share albums (p. 230)
    17.6.3 View shared albums (p. 234)
    17.6.4 Request permissions (p. 236)
    17.6.5 Manage permission requests (p. 237)
    17.6.6 View all resources (p. 239)
    17.6.7 Revoke permissions (p. 241)
    17.6.8 Summary (p. 243)
18 Keycloak LDAP
integration...................................................................................................................244 18.1 Presentation................................................................................................................................244 18.2 Prerequisites...............................................................................................................................244 18.3 About the Keycloak LDAP example............................................................................................244 18.4 Run and load the LDAP server ...................................................................................................244 18.5 Examine LDAP example using JXplorer.....................................................................................245 18.6 Configure Keycloak.....................................................................................................................247 18.6.1 Define LDAP synchronization policy...................................................................................249 18.6.2 Configure user federation mappers ....................................................................................250 18.7 Build and deploy the application.................................................................................................252 18.8 Test .............................................................................................................................................254 19 Relational Database Setup...................................................................................................................255 19.1 Presentation................................................................................................................................255
  6. 6. Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret Tél. 0 950 260 370 – Fax. 0 955 260 370 Siret : 478 075 369 00015 - http://www.janua.fr Page 9 / 304 19.2 PostgreSQL DB installation and preparation..............................................................................255 19.2.1 Installing PostgreSQL on Ubuntu .......................................................................................255 19.2.2 Installing PostgreSQL on RedHat Linux .............................................................................255 19.2.3 Change PostgreSQL password ..........................................................................................256 19.2.4 Authentication test ..............................................................................................................256 19.2.5 Create keycloak user ..........................................................................................................256 19.2.6 Create keycloak DB ............................................................................................................256 19.2.7 Create keycloak schema ....................................................................................................257 19.3 Keycloak configurations..............................................................................................................257 19.3.1 PostgreSQL driver installation ............................................................................................257 19.3.2 JDBC driver declaration......................................................................................................258 19.3.3 Datasource declaration.......................................................................................................258 19.3.4 Connection Jpa update to accommodate dedicated schema.............................................259 19.4 Test the 
configuration..................................................................................................................259 20 Import / Export Keycloak configuration.................................................................................................261 20.1 Presentation................................................................................................................................261 20.2 Import/export commands............................................................................................................261 20.2.1 Exporting to a single file......................................................................................................261 20.2.2 Exporting to a directory.......................................................................................................261 20.2.3 Imports................................................................................................................................261 20.3 Options........................................................................................................................................261 21 Protect Keycloak in production with a Reverse Proxy architecture......................................................263 21.1 Why adding a reverse proxy.......................................................................................................263 21.2 Architectural deployment example .............................................................................................263 21.2.1 Role of the DMZ..................................................................................................................263 21.2.2 First firewall (internet - DMZ) ..............................................................................................264 21.2.3 Second Firewall ..................................................................................................................264 21.2.4 Reverse Proxy - DMZ 
.........................................................................................................264 21.2.5 Keycloak authentication Server - LAN................................................................................264 21.3 HTTPS everywhere ....................................................................................................................264 21.4 Reverse Proxy server used with Keycloak .................................................................................264 22 Keycloak Security.................................................................................................................................265 22.1 Security Best Practices...............................................................................................................265 22.2 Enable SSL/HTTPS for the Keycloak Server .............................................................................265 22.2.1 PKI – Self Cert – CA Authorithy ..........................................................................................265 22.2.2 Generate self cert ...............................................................................................................265 22.2.3 Customize standalone.xml with ssl.....................................................................................266 22.2.4 Check SSL connection using openssl ................................................................................266 22.2.5 Check HTTPS connection ..................................................................................................268 22.3 Outgoing Http Requests .............................................................................................................269 22.4 Differences between when using self signed and signed certificates ........................................270 23 Keycloak Networking............................................................................................................................271 
23.1 Keycloak Port presentation – standalone.xml (standalone-ha.xml) ...........................................271 23.2 Usage of each port .....................................................................................................................271 23.3 Disabling http and AJP for Keycloak...........................................................................................272 23.4 Keycloak Multicast Groups .........................................................................................................272 23.5 Keycloak multicast Group with clustering ...................................................................................273 23.5.1 Jgroups - multicast..............................................................................................................273 23.5.2 Mod_Cluster - multicast......................................................................................................273 24 Keycloak Clustering Operating Modes.................................................................................................275 24.1 Presentation................................................................................................................................275 24.2 Standalone clustered mode........................................................................................................275 24.2.1 Configure a shared external database ...............................................................................277 24.2.2 Set up a load balancer........................................................................................................277
  7. 7. Janua – SARL au capital de 30 000 € - 8 Chemin du bas Lauron – 06 650 Le Rouret Tél. 0 950 260 370 – Fax. 0 955 260 370 Siret : 478 075 369 00015 - http://www.janua.fr Page 10 / 304 24.2.3 Enable HTTPS/SSL with a Reverse Proxy.........................................................................278 24.2.4 Test the cluster....................................................................................................................279 24.3 Domain clustered mode..............................................................................................................280 24.3.1 Master node configuration ..................................................................................................281 24.3.2 Slave node configuration ....................................................................................................281 24.4 Clustered Domain Example........................................................................................................282 24.4.1 Prerequisites.......................................................................................................................282 24.4.2 Configure the slave secret key ...........................................................................................282 24.4.3 Create an admin master user .............................................................................................284 24.4.4 Start the servers..................................................................................................................285 24.5 Add app_vanilla profile client application to the cluster..............................................................286 24.6 Limitation of the domain cluster example ...................................................................................287 25 Mod_cluster with Standalone HA cluster deployment ..........................................................................287 25.1 
Presentation................................................................................................................................287 25.2 Mod_cluster – Apache SW load Balancer ..................................................................................287 25.2.1 Presentation........................................................................................................................287 25.2.2 Mod_cluster and multicast group........................................................................................287 25.2.3 Mod_cluster with Keycloak .................................................................................................287 25.3 Clustering standalone HA example ............................................................................................288 25.3.1 Presentation........................................................................................................................288 25.3.2 Limitation.............................................................................................................................288 25.3.3 Set Keycloak requires SSL to none ....................................................................................288 25.3.1 Mod_Cluster configuration..................................................................................................289 25.3.2 Apache installation..............................................................................................................289 25.3.3 Mod_Cluster configuration..................................................................................................290 25.3.4 Commands used.................................................................................................................291 25.3.5 Test Mod_cluster.................................................................................................................291 25.4 Testing application 
failover..........................................................................................................292 26 SPI testing integration – High available environment...........................................................................294 26.1 Overview.....................................................................................................................................294 26.2 Event SPI....................................................................................................................................294 26.2.1 Deploying the Jar file ..........................................................................................................294 26.2.2 Registering the SPI in standalone-ha.xml ..........................................................................294 26.3 SPI various use cases ................................................................................................................294 26.3.1 Use case 1 – Both nodes are Up........................................................................................294 26.3.2 Use case 2 – Node1 brought Down....................................................................................295 26.4 SPI interaction with keycloak in clustering mode........................................................................296 27 Keycloak Clustering best practices – Recommendation......................................................................297 28 Annex : Oauth 2.0, OIDC, PKCE, Refresh tokens (French) ................................................................298 28.1 Considération sur la sécurité des applications Web...................................................................298 28.2 Introduction à OAuth 2................................................................................................................298 28.3 Introduction d’OpenID Connect (OIDC)......................................................................................298 
28.4 Oauth 2 en détails.......................................................................................................................299 28.4.1 Vocabulaire .........................................................................................................................299 28.4.2 Flux de codes d’autorisation (Authorization Code Flow) ....................................................299 28.4.3 Flux de codes d'autorisation avec PKCE (Authorization Code with PKCE Flow) ..............301 28.4.4 Flux implicite (Implicit Flow)................................................................................................303 28.4.5 Jeton de rafraîchissement ..................................................................................................304
