Training Keycloak - Red Hat SSO advanced
April 2019
Table of Contents
1 History
2 Prerequisites
2.1 Presentation
2.2 Cloning RH-SSO quickstart examples
2.3 Cloning Keycloak examples
2.3.1 Clone project
2.3.2 Compiling Keycloak
3 Using Keycloak SPI – adding a custom Event Listener module
3.1 Presentation
3.2 Installing the event listener JAR module
4 Using Eclipse to debug Keycloak SPIs
4.1 Presentation
4.2 Requirements
4.3 Creating a new Eclipse debugging workspace
4.4 Importing the Keycloak examples Maven project
4.5 Launching the Keycloak server in debug mode
4.6 Attaching the Eclipse debugger to Keycloak
4.6.1 Setting the Eclipse debug configuration
4.6.2 Filling in the debug configuration information
4.6.3 Debug connection
4.7 Debugging example
4.7.1 Set a breakpoint
4.7.2 Triggering the breakpoint in the EventListener SPI
5 Keycloak logger
5.1 Presentation
5.2 Adjusting the log level dynamically
5.2.1 Reading the current root-logger value
5.2.2 Updating the root-logger value
6 Keycloak multi-factor authentication (MFA) using OTP
6.1 Presentation
6.2 demo_otp realm
6.3 Modifying the demo_otp authentication workflow
6.4 Mobile authenticator
6.5 Authentication of a user for the first time
6.6 Authentication of a user (after the first time)
6.7 Keycloak OTP
7 MFA with Keycloak
7.1 Presentation
7.2 Keycloak OTP MFA versus SMS-OTP
7.3 LOA concepts and MFA usage
7.4 Keycloak/RH-SSO authentication flow and MFA
7.4.1 RH-SSO 7.2 (Keycloak 3.4.3)
7.4.2 Keycloak 4.6 (latest)
7.4.3 Upcoming release 5.X – Jira tickets
7.5 Keycloak/RH-SSO MFA synthesis
8 Mapping LDAP groups to Keycloak roles
8.1 Presentation
8.2 LDAP group to Keycloak roles mapping workflow
8.3 Concrete application: creating an LDAP/SSO admin
8.4 Use case example
8.4.1 Example requirements
8.4.2 Installing the Keycloak ldap example
8.4.3 Connecting with Jexplorer to the embedded LDAP server
8.4.4 Browsing the embedded LDAP
8.5 User federation with LDAP
8.5.1 Setting up the LDAP user federation connector
8.5.2 Defining LDAP synchronisation
8.6 Adding the LDAP group mapper
8.6.1 Creating the LDAP group mapping
8.6.2 Synchronizing the LDAP group mapping
8.7 Adding an SSO role to a Keycloak group
8.7.1 Keycloak ldap-admin group
8.7.2 Adding a Keycloak role to this ldap-admin group
8.8 Testing the workflow
8.8.1 Creation of a new LDAP user
8.8.2 LDAP user as part of the ldap-admin group
8.8.3 Keycloak LDAP synchronization
8.8.4 New user with Keycloak role admin rights
8.9 Logging in to the admin console with the new admin user
9 Getting a Keycloak access token from LDAP values
9.1 Installing WildFly 14
9.1.1 Installation of WildFly 14
9.1.2 Installation of the JBoss EAP connector for WildFly
9.2 Starting the Keycloak auth server (port 8180)
9.3 Registering the ldap-app client in the Keycloak server
9.4 Importing LDAP users
9.4.1 Starting the embedded LDAP server
9.4.2 Defining LDAP user federation
9.4.3 Defining the role LDAP mapper
9.4.4 LDAP role synchronization
9.4.5 Postal code
9.4.6 Syncing the LDAP user
9.5 Deploying the ldap-portal webapp
9.5.1 Fixing the Keycloak auth URI
9.5.2 Compiling and installing the ldap-portal webapp
9.6 Testing the example
9.6.1 Postal code for user bwilson
9.6.2 Testing the ldap-portal webapp
9.7 Examining the source code example
9.7.1 ldap-portal source code
9.7.2 Java documentation: Security Context
10 Using client scopes with Keycloak
10.1 Presentation
10.2 Scope and claims: OpenID Connect Core definition
10.3 Using scopes and claims
10.4 Using scopes with Keycloak
10.4.1 Using the Keycloak access token
10.4.2 Keycloak attribute and role scopes
10.4.3 Keycloak access token example using scopes
10.5 Accessing the access token using direct grant
10.5.1 ROPC workflow definition
10.5.2 Enabling ROPC with Keycloak
10.6 Scripting token access using the ROPC workflow
10.7 Creating a new scope to expose the postalcode claim
10.7.1 Creating the info scope within the ldap-demo realm
10.7.2 Mappers of the info scope
10.8 Using the new scope in a REST API query
10.9 Configuring the Keycloak client scope
10.9.1 Configuring the info scope as an optional client scope
10.9.2 REST API query displaying the info scope
10.10 Using the Keycloak generator to evaluate scopes
11 Understanding client authenticator security
11.1 client_id/client_secret security issue
11.2 Using other Keycloak client authenticators
11.3 Using the Signed JWT client authenticator
11.4 JWKS_URI
11.5 Signed JWT authenticator – example
11.5.1 Product-portal example
11.5.2 Registration of the product-portal client application in Keycloak
11.5.3 keycloak.json file (product-portal app)
11.5.4 Client-app keystore
11.6 Log trace
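The client authenticator chapter above contrasts a static client_id/client_secret with a signed JWT assertion. The following is an added example, not code from the training deck or from Keycloak itself: it builds the `client_assertion` a client POSTs to the token endpoint (RFC 7523 JWT bearer client authentication) and the checks the server must apply. It uses the HMAC variant (Keycloak's "Signed JWT with Client Secret" authenticator) only so the block runs with the standard library; with the RSA "Signed JWT" authenticator fed from JWKS_URI the claims and checks are the same and only the signature algorithm changes. The token endpoint URL, client id and secret are constructed sample values.

```python
"""Client authentication with a signed JWT assertion instead of a raw client_secret.

Added example for the client authenticator security chapter; not code from the
training deck or from Keycloak. HS256 is used so the block runs offline with the
standard library. All URLs, client ids and secrets are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed sample values, not a real deployment.
TOKEN_ENDPOINT = "https://sso.example.test/auth/realms/demo/protocol/openid-connect/token"
CLIENT_ID = "product-portal"
CLIENT_SECRET = b"constructed-sample-secret-do-not-use"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, secret, token_endpoint, now=None, ttl=60):
    """Client side: a short-lived JWT proving possession of the secret, which
    itself never leaves the client."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,          # issued by the client itself
        "sub": client_id,
        "aud": token_endpoint,     # usable only at this token endpoint
        "jti": str(uuid.uuid4()),  # unique id so the server can reject replays
        "iat": now,
        "exp": now + ttl,          # seconds, not days
    }
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def token_request_form(client_id, assertion):
    """Form fields POSTed to the token endpoint; note there is no client_secret field."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }


def verify_client_assertion(assertion, secret, expected_aud, seen_jti, now=None):
    """Server side. Returns the claims or raises ValueError with the reason."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":       # pin the algorithm; never trust 'alg' blindly
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    if claims.get("iss") != claims.get("sub"):
        raise ValueError("iss/sub mismatch")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("jti") in seen_jti:
        raise ValueError("replayed jti")
    seen_jti.add(claims["jti"])
    return claims


if __name__ == "__main__":
    cache = set()
    a = build_client_assertion(CLIENT_ID, CLIENT_SECRET, TOKEN_ENDPOINT)
    print(token_request_form(CLIENT_ID, a))
    print(verify_client_assertion(a, CLIENT_SECRET, TOKEN_ENDPOINT, cache)["sub"])
```

The point of the design is visible in `verify_client_assertion`: a leaked assertion is bound to one token endpoint, is dead after `ttl` seconds and is rejected on replay through the `jti` cache, none of which holds for a leaked `client_secret` sent in clear in every request.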
12 Understanding token usage
12.1 Token lifecycle
12.2 Understanding Keycloak session scope
12.2.1 Session creation
12.2.2 Session usage
12.2.3 Session termination
12.2.4 Importance of session control – potential security vulnerability
12.3 Keycloak access token
12.4 Offline access token
12.4.1 Methods to deliver an access token
12.4.2 Offline token presentation
12.4.3 How to use the Keycloak offline token
12.4.4 Difference between an offline token and a refresh token
12.4.5 Offline Session Max Limited
12.5 Lifecycle of the offline token
12.5.1 Offline token creation
12.5.2 Offline token flow operations
12.5.3 Offline token usage – getting an access token
12.5.4 Revoking the offline token
13 Examples of offline token usage
13.1 Using the offline token through the direct access grant flow
13.1.1 Requirement
13.1.2 Token lifespan
13.1.3 Setting the maximum number of invocations of the refresh token
13.1.4 Script used to obtain the offline token
13.2 Revoking the offline token
13.2.1 Revocation of the offline token through the admin UI
13.2.2 Through the user self-service panel
13.3 Necessity of adding the offline scope to the client request
13.3.1 Request without the client scope
13.3.2 Request with the client scope
13.4 Keycloak offline example
13.4.1 Step 1 – the user logs in to the app; an offline access token is generated
13.4.2 Step 2 – the user logs out from the app
13.4.3 Step 3 – the app can access the resources using the offline access token
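Sections 10.6 (scripting token access over ROPC), 13.1.4 (the offline token script) and 13.3 (the need for the offline scope in the request) all revolve around the same token endpoint call. The block below is an added example, not the training deck's script and not Keycloak code: it builds the direct-grant and refresh-grant form bodies, shows that `scope=offline_access` is what turns the returned refresh token into an offline token, and decodes a token's claims for inspection. Endpoint paths follow the `/auth/realms/<realm>/protocol/openid-connect/token` layout of the Keycloak 4.x generation the training targets; the base URL, realm, client and user names are constructed sample values, and the token in `__main__` is a constructed, unsigned token used only so the block runs offline.

```python
"""Direct grant (ROPC) token requests against Keycloak, with and without offline_access.

Added example for the ROPC scripting and offline token sections; not a script from
the training deck. Standard library only. BASE_URL, REALM, the client and user names
and the token built by _sample_token are constructed sample values.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

BASE_URL = "https://sso.example.test/auth"   # constructed sample value
REALM = "ldap-demo"                           # constructed sample value


def token_endpoint(base_url=BASE_URL, realm=REALM):
    return f"{base_url}/realms/{realm}/protocol/openid-connect/token"


def password_grant_form(client_id, username, password, client_secret=None, offline=False):
    """Form body for grant_type=password (ROPC). Without 'offline_access' in the
    scope parameter the server hands back an ordinary refresh token, whatever
    the client's default scopes are."""
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
    }
    if client_secret is not None:      # confidential client
        form["client_secret"] = client_secret
    if offline:
        form["scope"] = "offline_access"
    return form


def refresh_grant_form(client_id, refresh_token, client_secret=None):
    """Exchange a refresh token or an offline token for a new access token."""
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret is not None:
        form["client_secret"] = client_secret
    return form


def post_form(url, form, timeout=10):
    """Performs the HTTPS POST; this is the only call that needs the network."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def jwt_payload(token):
    """Decode the claims segment for inspection only. No signature check is done
    here; a resource server must verify tokens against the realm's public key."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def describe_refresh_token(token, now=None):
    """Keycloak marks refresh tokens with typ 'Refresh' and offline tokens with
    typ 'Offline'. A missing or zero exp means the token carries no time-based
    expiry of its own, so revocation (admin UI, account console) is what ends it."""
    now = int(time.time()) if now is None else now
    p = jwt_payload(token)
    kind = p.get("typ")
    exp = p.get("exp", 0)
    return {"typ": kind, "offline": kind == "Offline",
            "expired": bool(exp) and exp <= now,
            "scope": p.get("scope", "").split()}


def _sample_token(payload):
    # Constructed, unsigned token for offline demonstration only.
    def seg(b):
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return seg(b'{"alg":"none"}') + "." + seg(json.dumps(payload).encode()) + ".sig"


if __name__ == "__main__":
    form = password_grant_form("ldap-app", "bwilson", "password", offline=True)
    print(token_endpoint(), form)
    # Real use: tokens = post_form(token_endpoint(), form); tokens["refresh_token"]
    t = _sample_token({"typ": "Offline", "scope": "offline_access"})
    print(describe_refresh_token(t))
```

Run against a real realm, `post_form(token_endpoint(), form)` returns the JSON with `access_token` and `refresh_token`; passing the latter to `describe_refresh_token` shows `typ` flip from `Refresh` to `Offline` once `offline=True` is set, which is exactly the difference between sections 13.3.1 and 13.3.2.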
14 Understanding Keycloak user federation
14.1 Overview
14.2 User federation storage provider
14.3 Keycloak default local user storage (SQL database)
14.3.1 Synchronizing LDAP users to Keycloak
14.3.2 Synchronizing newly created Keycloak users to LDAP
14.3.3 Dealing with the Keycloak – LDAP synchronization parameters
14.4 Using the Keycloak user federation SPI
14.5 Using Keycloak provider interfaces
14.6 Keycloak user storage simple provider (read-only)
14.6.1 Deploying providers
14.7 User storage simple provider (write only)
14.7.1 Configuring the write-only provider
14.7.2 example-user.properties
14.7.3 Logging in to Keycloak
14.7.4 Displaying all the users
14.8 Keycloak user storage JPA provider
14.8.1 Presentation
14.8.2 Using JPA
14.8.3 Keycloak user storage JPA example
14.8.4 Testing the XA data source with the Keycloak management console
14.8.5 Testing with the EJB application
14.8.6 Rendering users visible in the admin console
14.9 Pointers
15 Understanding Keycloak authentication
15.1 Presentation
15.2 Authentication tab selection
15.3 Authentication binding
15.4 Authentication flow
15.4.1 Authentication flow presentation
15.4.2 Browser authentication flow
15.4.3 Direct grant authentication flow
15.4.4 Registration flow
15.4.5 Reset credentials
15.4.6 First broker login flow
15.4.7 Client authentication flow
15.5 Required actions
15.6 Customising the authenticator flow
15.6.1 Reference
15.6.2 Installing the authenticator example
15.6.3 Deploying the customized authenticator flow
16 Using the Apache2 mod_auth_openidc module with Keycloak (OpenID Connect)
16.1 Presentation
16.2 OpenID protocol recap
16.3 Putting mod_auth_openidc in place
16.4 Enabling the mod_auth_openidc module with Apache2
16.4.1 Getting hold of the library
16.4.2 Configuring the Keycloak server for mod_auth_openidc
16.5 Configuration of the mod_auth_openidc module
16.6 Example
16.7 Using the mod_auth_openidc hook
16.8 Keycloak and NGINX
17 Protecting Keycloak/RH-SSO in production with a reverse proxy architecture
17.1 Why add a reverse proxy
17.2 Architectural deployment example

spring-security-reference.pdfspring-security-reference.pdf
spring-security-reference.pdfhorica9300
 
Primavera P6 User guide.pdf
Primavera P6 User guide.pdfPrimavera P6 User guide.pdf
Primavera P6 User guide.pdfssuseraaebbd
 
Sappress sap governance risk and compliance
Sappress sap governance risk and complianceSappress sap governance risk and compliance
Sappress sap governance risk and complianceSiva Pradeep Bolisetti
 
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrHp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrFelippe Costa
 

Similar to TOC training Keycloak RedhatSSO advanced (20)

Spring Reference
Spring ReferenceSpring Reference
Spring Reference
 
Manual tutorial-spring-java
Manual tutorial-spring-javaManual tutorial-spring-java
Manual tutorial-spring-java
 
Spring Reference
Spring ReferenceSpring Reference
Spring Reference
 
3GPP Release 10 and beyond
3GPP Release 10 and beyond3GPP Release 10 and beyond
3GPP Release 10 and beyond
 
Drools expert-docs
Drools expert-docsDrools expert-docs
Drools expert-docs
 
Net app v-c_tech_report_3785
Net app v-c_tech_report_3785Net app v-c_tech_report_3785
Net app v-c_tech_report_3785
 
monografia de redacción
monografia de redacción monografia de redacción
monografia de redacción
 
Hibernate Reference
Hibernate ReferenceHibernate Reference
Hibernate Reference
 
System administration guide
System administration guideSystem administration guide
System administration guide
 
Spring 2.0 技術手冊目錄
Spring 2.0 技術手冊目錄Spring 2.0 技術手冊目錄
Spring 2.0 技術手冊目錄
 
SSTRM - StrategicReviewGroup.ca - Workshop 2: Power/Energy and Sustainability...
SSTRM - StrategicReviewGroup.ca - Workshop 2: Power/Energy and Sustainability...SSTRM - StrategicReviewGroup.ca - Workshop 2: Power/Energy and Sustainability...
SSTRM - StrategicReviewGroup.ca - Workshop 2: Power/Energy and Sustainability...
 
Configuring and managing a red
Configuring and managing a redConfiguring and managing a red
Configuring and managing a red
 
Cluster administration rh
Cluster administration rhCluster administration rh
Cluster administration rh
 
Hibernate reference
Hibernate referenceHibernate reference
Hibernate reference
 
spring-security-reference.pdf
spring-security-reference.pdfspring-security-reference.pdf
spring-security-reference.pdf
 
Primavera P6 User guide.pdf
Primavera P6 User guide.pdfPrimavera P6 User guide.pdf
Primavera P6 User guide.pdf
 
Lfa
LfaLfa
Lfa
 
Hibernate Reference
Hibernate ReferenceHibernate Reference
Hibernate Reference
 
Sappress sap governance risk and compliance
Sappress sap governance risk and complianceSappress sap governance risk and compliance
Sappress sap governance risk and compliance
 
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltrHp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
Hp networking-and-cisco-cli-reference-guide june-10_ww_eng_ltr
 

More from Pascal Flamand

Start14 french tech startuffe nation
Start14 french tech startuffe nationStart14 french tech startuffe nation
Start14 french tech startuffe nationPascal Flamand
 
Article "Un an de télétravail et de COVID" dans le magazine Start
Article "Un an de télétravail et de COVID" dans le magazine StartArticle "Un an de télétravail et de COVID" dans le magazine Start
Article "Un an de télétravail et de COVID" dans le magazine StartPascal Flamand
 
Article "La tyrannie du risque zéro" dans le magazine Start
Article "La tyrannie du risque zéro" dans le magazine StartArticle "La tyrannie du risque zéro" dans le magazine Start
Article "La tyrannie du risque zéro" dans le magazine StartPascal Flamand
 
Article "quand les licornes voleront..." dans le magazine Start
Article "quand les licornes voleront..." dans le magazine StartArticle "quand les licornes voleront..." dans le magazine Start
Article "quand les licornes voleront..." dans le magazine StartPascal Flamand
 
Article sur "Le temps des c(e)rises" dans le magazine Start
Article sur "Le temps des c(e)rises" dans le magazine StartArticle sur "Le temps des c(e)rises" dans le magazine Start
Article sur "Le temps des c(e)rises" dans le magazine StartPascal Flamand
 
Article sur l'Agilité dans le magazine Start
Article sur l'Agilité dans le magazine StartArticle sur l'Agilité dans le magazine Start
Article sur l'Agilité dans le magazine StartPascal Flamand
 
Article sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartPascal Flamand
 
Article sur la Smart City dans le magazine Start
Article sur la Smart City dans le magazine StartArticle sur la Smart City dans le magazine Start
Article sur la Smart City dans le magazine StartPascal Flamand
 
Article sur les Startup dans le magazine Start
Article sur les Startup dans le magazine StartArticle sur les Startup dans le magazine Start
Article sur les Startup dans le magazine StartPascal Flamand
 
Article sur les Pitchs dans le magazine Start
Article sur les Pitchs dans le magazine StartArticle sur les Pitchs dans le magazine Start
Article sur les Pitchs dans le magazine StartPascal Flamand
 
Article sur la Transformation Digitale dans le Magazine Start
Article sur la Transformation Digitale dans le Magazine StartArticle sur la Transformation Digitale dans le Magazine Start
Article sur la Transformation Digitale dans le Magazine StartPascal Flamand
 
Article sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartPascal Flamand
 
Tribune paca jaguards 12.12.18
Tribune paca jaguards 12.12.18Tribune paca jaguards 12.12.18
Tribune paca jaguards 12.12.18Pascal Flamand
 
Partenariat Jaguards - Busit
Partenariat Jaguards - BusitPartenariat Jaguards - Busit
Partenariat Jaguards - BusitPascal Flamand
 
La tribune ce que booster apporte à semantic experts
La tribune   ce que booster apporte à semantic expertsLa tribune   ce que booster apporte à semantic experts
La tribune ce que booster apporte à semantic expertsPascal Flamand
 
OPENAM 13.5 - Core Token Service
OPENAM 13.5 - Core Token ServiceOPENAM 13.5 - Core Token Service
OPENAM 13.5 - Core Token ServicePascal Flamand
 
La tribune Jaguards juillet 2017
La tribune Jaguards juillet 2017La tribune Jaguards juillet 2017
La tribune Jaguards juillet 2017Pascal Flamand
 
Rapport d'activité Telecom Valley 2016
Rapport d'activité Telecom Valley 2016Rapport d'activité Telecom Valley 2016
Rapport d'activité Telecom Valley 2016Pascal Flamand
 
Presse pf-tv-octobre2016-mars2017
Presse pf-tv-octobre2016-mars2017Presse pf-tv-octobre2016-mars2017
Presse pf-tv-octobre2016-mars2017Pascal Flamand
 

More from Pascal Flamand (20)

Start14 french tech startuffe nation
Start14 french tech startuffe nationStart14 french tech startuffe nation
Start14 french tech startuffe nation
 
Article "Un an de télétravail et de COVID" dans le magazine Start
Article "Un an de télétravail et de COVID" dans le magazine StartArticle "Un an de télétravail et de COVID" dans le magazine Start
Article "Un an de télétravail et de COVID" dans le magazine Start
 
Article "La tyrannie du risque zéro" dans le magazine Start
Article "La tyrannie du risque zéro" dans le magazine StartArticle "La tyrannie du risque zéro" dans le magazine Start
Article "La tyrannie du risque zéro" dans le magazine Start
 
Article "quand les licornes voleront..." dans le magazine Start
Article "quand les licornes voleront..." dans le magazine StartArticle "quand les licornes voleront..." dans le magazine Start
Article "quand les licornes voleront..." dans le magazine Start
 
Article sur "Le temps des c(e)rises" dans le magazine Start
Article sur "Le temps des c(e)rises" dans le magazine StartArticle sur "Le temps des c(e)rises" dans le magazine Start
Article sur "Le temps des c(e)rises" dans le magazine Start
 
Article sur l'Agilité dans le magazine Start
Article sur l'Agilité dans le magazine StartArticle sur l'Agilité dans le magazine Start
Article sur l'Agilité dans le magazine Start
 
Article sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine Start
 
Article sur la Smart City dans le magazine Start
Article sur la Smart City dans le magazine StartArticle sur la Smart City dans le magazine Start
Article sur la Smart City dans le magazine Start
 
Article sur les Startup dans le magazine Start
Article sur les Startup dans le magazine StartArticle sur les Startup dans le magazine Start
Article sur les Startup dans le magazine Start
 
TOC training OpenIDM
TOC training OpenIDMTOC training OpenIDM
TOC training OpenIDM
 
Article sur les Pitchs dans le magazine Start
Article sur les Pitchs dans le magazine StartArticle sur les Pitchs dans le magazine Start
Article sur les Pitchs dans le magazine Start
 
Article sur la Transformation Digitale dans le Magazine Start
Article sur la Transformation Digitale dans le Magazine StartArticle sur la Transformation Digitale dans le Magazine Start
Article sur la Transformation Digitale dans le Magazine Start
 
Article sur l'IA dans le magazine Start
Article sur l'IA dans le magazine StartArticle sur l'IA dans le magazine Start
Article sur l'IA dans le magazine Start
 
Tribune paca jaguards 12.12.18
Tribune paca jaguards 12.12.18Tribune paca jaguards 12.12.18
Tribune paca jaguards 12.12.18
 
Partenariat Jaguards - Busit
Partenariat Jaguards - BusitPartenariat Jaguards - Busit
Partenariat Jaguards - Busit
 
La tribune ce que booster apporte à semantic experts
La tribune   ce que booster apporte à semantic expertsLa tribune   ce que booster apporte à semantic experts
La tribune ce que booster apporte à semantic experts
 
OPENAM 13.5 - Core Token Service
OPENAM 13.5 - Core Token ServiceOPENAM 13.5 - Core Token Service
OPENAM 13.5 - Core Token Service
 
La tribune Jaguards juillet 2017
La tribune Jaguards juillet 2017La tribune Jaguards juillet 2017
La tribune Jaguards juillet 2017
 
Rapport d'activité Telecom Valley 2016
Rapport d'activité Telecom Valley 2016Rapport d'activité Telecom Valley 2016
Rapport d'activité Telecom Valley 2016
 
Presse pf-tv-octobre2016-mars2017
Presse pf-tv-octobre2016-mars2017Presse pf-tv-octobre2016-mars2017
Presse pf-tv-octobre2016-mars2017
 

Recently uploaded

Naer Toolbar Redesign - Usability Research Synthesis
Naer Toolbar Redesign - Usability Research SynthesisNaer Toolbar Redesign - Usability Research Synthesis
Naer Toolbar Redesign - Usability Research Synthesisparimabajra
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfmbmh111980
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfSrushith Repakula
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAlluxio, Inc.
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignNeo4j
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfQ-Advise
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMok TH
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...naitiksharma1124
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfVictor Lopez
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfFurqanuddin10
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfsteffenkarlsson2
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...rajkumar669520
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAlluxio, Inc.
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1KnowledgeSeed
 

Recently uploaded (20)

Naer Toolbar Redesign - Usability Research Synthesis
Naer Toolbar Redesign - Usability Research SynthesisNaer Toolbar Redesign - Usability Research Synthesis
Naer Toolbar Redesign - Usability Research Synthesis
 
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdfMastering Windows 7 A Comprehensive Guide for Power Users .pdf
Mastering Windows 7 A Comprehensive Guide for Power Users .pdf
 
Lessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdfLessons Learned from Building a Serverless Notifications System.pdf
Lessons Learned from Building a Serverless Notifications System.pdf
 
AI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning FrameworkAI/ML Infra Meetup | Perspective on Deep Learning Framework
AI/ML Infra Meetup | Perspective on Deep Learning Framework
 
INGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by DesignINGKA DIGITAL: Linked Metadata by Design
INGKA DIGITAL: Linked Metadata by Design
 
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdfMicrosoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
Microsoft 365 Copilot; An AI tool changing the world of work _PDF.pdf
 
Malaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptxMalaysia E-Invoice digital signature docpptx
Malaysia E-Invoice digital signature docpptx
 
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
COMPUTER AND ITS COMPONENTS PPT.by naitik sharma Class 9th A mittal internati...
 
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdfImplementing KPIs and Right Metrics for Agile Delivery Teams.pdf
Implementing KPIs and Right Metrics for Agile Delivery Teams.pdf
 
CompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdfCompTIA Security+ (Study Notes) for cs.pdf
CompTIA Security+ (Study Notes) for cs.pdf
 
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdfStrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
StrimziCon 2024 - Transition to Apache Kafka on Kubernetes with Strimzi.pdf
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
Facemoji Keyboard released its 2023 State of Emoji report, outlining the most...
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAGAI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
AI/ML Infra Meetup | Reducing Prefill for LLM Serving in RAG
 
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
A Python-based approach to data loading in TM1 - Using Airflow as an ETL for TM1
 

TOC training Keycloak RedhatSSO advanced

Training KeyCloak - Redhat SSO advanced
April 2019

Table of contents
1 History.....................................9
2 Prerequisites.............................10
2.1 Presentation............................10
2.2 Cloning Rh-SSO quickstart examples......10
2.3 Cloning Keycloak examples...............11
2.3.1 Clone Project.........................11
2.3.2 Compiling keycloak....................11
3 Using Keycloak SPI – adding a custom Event Listener module.....12
3.1 Presentation............................12
3.2 Installing event Listener jar module....12
4 Using Eclipse to debug Keycloak SPIs......22
4.1 Presentation............................22
4.2 Requirements............................22
4.3 Creating a new eclipse debugging workspace.....22
4.4 Importing keycloak examples maven project.....23
4.5 Launching keycloak server in debug mode.......24
4.6 Attaching Eclipse Debugger to Keycloak........25
4.6.1 Setting the Eclipse Debug configuration.....26
4.6.2 Filling Debug configuration information.....26
4.6.3 Debug Connection......................28
4.7 Debugging example.......................28
4.7.1 Set a breakpoint......................28
4.7.2 Triggering breakpoint in EventListener SPI.....29
5 Keycloak logger...........................31
5.1 Presentation............................31
5.2 Adjusting the log dynamically...........31
5.2.1 Reading the current root-logger value.....31
5.2.2 Updating the root-logger value........32
6 Keycloak Multifactor authentication (MFA) using OTP.....33
6.1 Presentation............................33
6.2 Demo_otp realm..........................33
6.3 Modifying demo_otp Authentication Workflow.....33
6.4 Mobile Authenticator....................34
6.5 Authentication of a user for the 1st time.....34
6.6 Authentication of a user (after 1st time).....37
6.7 Keycloak OTP............................38
7 MFA with Keycloak.........................39
7.1 Presentation............................39
7.2 Keycloak OTP MFA versus SMS-OTP.........39
7.3 LOA concepts and MFA usage..............39
7.4 Keycloak/RH-SSO Authentication flow and MFA.....40
7.4.1 RH-SSO 7.2/ (Keycloak 3.4.3)..........40
7.4.2 Keycloak 4.6 (Latest).................40
7.4.3 Upcoming release 5.X – Jira tickets...41
7.5 Keycloak/RH-SSO MFA synthesis...........41
8 Mapping LDAP Group to Keycloak Roles......42
8.1 Presentation............................42
8.2 LDAP Group to keycloak Roles mapping workflow.....42
8.3 Concrete application: creating an ldap/SSO admin.....42
8.4 Use case example........................42
8.4.1 Example requirements..................42
8.4.2 Installing keycloak example ldap......43
8.4.3 Connecting with Jexplorer to the embedded LDAP server.....43
8.4.4 Browsing the embedded ldap............44
8.5 User Federation with Ldap...............45
8.5.1 Setting up ldap user federation connector.....45
8.5.2 Defining LDAP synchronisation.........46
8.6 Adding group ldap mapper................48
8.6.1 Creating ldap group mapping...........48
8.6.2 Synchronizing ldap group mapping......49
8.7 Adding SSO Role to keycloak group.......50
8.7.1 Keycloak ldap-admin group.............50
8.7.2 Adding a Keycloak role to this ldap-admin group.....50
8.8 Testing workflow........................51
8.8.1 Creation of a new ldap user...........51
8.8.2 Ldap-user part of ldap-admin group....51
8.8.3 Keycloak ldap synchronization.........51
8.8.4 New user with keycloak role admin rights.....52
8.9 Logging in to the admin console with a new admin user-basis.....52
9 Getting Keycloak Access Token from LDAP values.....54
9.1 Installing wildfly 14...................54
9.1.1 Installation of wildfly 14............54
9.1.2 Installation of Jboss EAP connector for wildfly.....54
9.2 Starting keycloak auth server (port 8180).....55
9.3 Registering ldap-app client into keycloak server.....55
9.4 Import LDAP user........................56
9.4.1 Starting embedded LDAP server.........56
9.4.2 Defining LDAP User Federation.........56
9.4.3 Defining Role Ldap-mapper.............57
9.4.4 LDAP role synchronization.............58
9.4.5 Postal code...........................59
9.4.6 Syncing Ldap User.....................59
9.5 Deploying ldap-portal webapp............61
9.5.1 Fix Keycloak Auth URI.................61
9.5.2 Compiling and installing ldap-portal webapp.....61
9.6 Testing the example.....................62
9.6.1 Postal code for user bwilson..........62
9.6.2 Testing the ldap-portal webapp........62
9.7 Examining Source code example...........64
9.7.1 ldap-portal source code...............64
9.7.2 Java documentation: Security Context..65
10 Using Client Scope with Keycloak.........67
10.1 Presentation...........................67
10.2 Scope and claims OpenID Core definition.....67
10.3 Using Scope and Claims.................68
10.4 Using scope with keycloak..............68
  • 4. 10.4.1 Using Keycloak Access Token..........................................................................................68 10.4.2 Keycloak attribute and role scope......................................................................................69 10.4.3 Keycloak access token example using scope.....................................................................69 10.5 Accessing the access token using direct grant..........................................................................69 10.5.1 ROPC workflow definition................................................................................................69 10.5.2 Enabling ROPC with keycloak..........................................................................................70 10.6 Scripting Token Access using ROPC workflow.......................................................................71 10.7 Creating a new scope to expose postalcode claim....................................................................72 10.7.1 Creating info scope within ldap-demo realm.....................................................................72 10.7.2 Mappers of info scope.......................................................................................................73 10.8 Using the new scope in REST API query.................................................................................75 10.9 Configuring keycloak client scope...........................................................................................76 10.9.1 Configuring info scope as an optional client scope...........................................................76 10.9.2 ResT API query displaying info scope..............................................................................76 10.10 Using keycloak Generator to evaluate scope..........................................................................77 11 Understanding client Authenticator 
security...............................................................................80 11.1 client_id/client_secret security issue........................................................................................80 11.2 Using other Keycloak client authenticator...............................................................................80 11.3 Using Signed JWT client authenticator....................................................................................80 11.4 JWKS_URI...............................................................................................................................81 11.5 Signed JWT allocator – example..............................................................................................81 11.5.1 Product-portal example......................................................................................................82 11.5.2 Registration of the product-portal client application in keycloak......................................82 11.5.3 Keycloak.json file (product-portal app).............................................................................82 11.5.4 Client-app keystore............................................................................................................83 11.6 Log trace...................................................................................................................................83 12 Understanding Token usage.........................................................................................................86 12.1 Token Lifecycle........................................................................................................................86 12.2 Understanding Keycloak session scope....................................................................................86 12.2.1 session creation..................................................................................................................86 12.2.2 Session 
usage.....................................................................................................................86 12.2.3 Session termination............................................................................................................87 12.2.4 Importance of session control – potential security vulnerability.......................................87 12.3 Keycloak Access Token............................................................................................................87 12.4 Offline access token..................................................................................................................89 12.4.1 Methods to deliver an access token...................................................................................89 12.4.2 Offline token presentation.................................................................................................89 12.4.3 How to use keycloak offline token....................................................................................90 12.4.4 Difference between an offline and refresh token...............................................................90 12.4.5 Offline Session Max Limited.............................................................................................90 12.5 Lifecycle of offline token.........................................................................................................90 12.5.1 Offline token creation........................................................................................................91 12.5.2 Offline token flow operations............................................................................................91 12.5.3 Offline token usage – getting an access token...................................................................91 12.5.4 Revoking offline token......................................................................................................91 13 Examples of Offline token 
usage.................................................................................................92 13.1 Using offline Token through direct access grant flow..............................................................92 13.1.1 Requirement.......................................................................................................................92 13.1.2 Token lifespan....................................................................................................................92
  • 5. 13.1.3 Setting the maximum invokation of refresh token............................................................93 13.1.4 Script used to offline token................................................................................................94 13.2 Revoking the offline token.......................................................................................................96 13.2.1 Revokation of the offline token through the admin UI......................................................96 13.2.2 Through the user self service panel...................................................................................97 13.3 Necessity of adding offline in client request scope..................................................................97 13.3.1 Request without client scope.............................................................................................97 13.3.2 Request with client scope..................................................................................................98 13.4 Keycloak offline example.........................................................................................................98 13.4.1 Step1 – User needs to log to the app An offline access token is generated.......................99 13.4.2 Step 2 – user logs out from app.........................................................................................99 13.4.3 step3 – the app can access to the resources using the offline access token.....................100 14 Understanding keycloak user Fedaration..................................................................................100 14.1 Overview................................................................................................................................100 14.2 User Federation storage Provider...........................................................................................100 14.3 Keycloak default local userstorage (SQL 
database)...............................................................100 14.3.1 Synchronizing LDAP users to keycloak..........................................................................100 14.3.2 Synchronizing newly created Keycloak users to LDAP..................................................101 14.3.3 Dealing with keycloak – LDAP synchronization parameter...........................................102 14.4 Using Keycloak user Federation SPI......................................................................................102 14.5 Using Keycloak Provider interfaces.......................................................................................103 14.6 keycloak user storage simple (read-only)...............................................................................103 14.6.1 Deploying providers........................................................................................................103 14.7 User storega simple provider (write only)..............................................................................106 14.7.1 Configuring the write only provider................................................................................106 14.7.2 example-user.properties...................................................................................................106 14.7.3 Logging to keycloak........................................................................................................107 14.7.4 Displaying all the users....................................................................................................107 14.8 Keycloak user storage JPA provider.......................................................................................108 14.8.1 Presentation......................................................................................................................109 14.8.2 Using 
JPA........................................................................................................................109 14.8.3 Keycloak user storage jpa example.................................................................................109 14.8.4 Testing XA data source with keycloak console management..........................................111 14.8.5 Testing with with the Ejb appl.........................................................................................112 14.8.6 Rendering users visible in the admin console..................................................................112 14.9 Pointers...................................................................................................................................113 15 Understanding Keycloak Authentication...................................................................................114 15.1 Presentation.............................................................................................................................114 15.2 Authentication TAB selection.................................................................................................114 15.3 Authentication Binding...........................................................................................................115 15.4 Authentication Flow................................................................................................................116 15.4.1 Authentication flow presentation.....................................................................................116 15.4.2 Browser authentication flow............................................................................................117 15.4.3 Direct Authentication Grant flow....................................................................................117 15.4.4 Registration Flow.............................................................................................................118 15.4.5 Reset 
Credentials.............................................................................................................118 15.4.6 First Broker Login Flow..................................................................................................119 15.4.7 Client authentication flow................................................................................................120 15.5 Required Actions....................................................................................................................120
  • 6. 15.6 Customising authenticator flow..............................................................................................121 15.6.1 Reference.........................................................................................................................122 15.6.2 Installing the authenticator example................................................................................122 15.6.3 Deploying the customized authenticator flow.................................................................122 16 Using apache2 mod_auth_openidc module with Keycloak (OpenID Connect)........................129 16.1 Presentation............................................................................................................................129 16.2 openID protocol recap............................................................................................................129 16.3 Putting mod_auth_openidc in place.......................................................................................131 16.4 Enabling mod_auth_openidc module with apache2...............................................................131 16.4.1 Getting hold of the library...............................................................................................131 16.4.2 Configuring keycloak Server for mod_auth_openidc......................................................131 16.5 Configuration of mod_auth_openidc module.........................................................................132 16.6 Example.................................................................................................................................134 16.7 6) Using the hook mod_auth_openidc....................................................................................135 16.8 Keycloak and NGINX............................................................................................................135 17 Protecting Keycloak/RH-SSO in production with a Reverse Proxy 
Architecture....................136 17.1 1) Why adding a reverse proxy...............................................................................................136 17.2 2) Architectural deployment example....................................................................................136