Recommended
Recommended
More Related Content
Similar to Building an Effective Architecture for Identity and Access Management.pdf
Similar to Building an Effective Architecture for Identity and Access Management.pdf (20)
Recently uploaded
Recently uploaded (20)
Building an Effective Architecture for Identity and Access Management.pdf
- 1. Building an Effective Architecture for Identity and Access Management JorgeAlvarez alvarez.jeap@gmail.com GitHub: @jealvarez Twitter: @edlask8
- 2. Disclaimer The point of views, thoughts and opinions expressed in this presentation belongs only to the presenter and not necessarily to the presenter’s employer, organization, committee or other group or individual.
- 3. About Me
- 4. Agenda • Challenges • Keycloak Overview • Why shouldI use Keycloak? • CoreConcepts • TechnologyStack • Server Architecture • Single Sign-on/ Single Logout • Tokens • Calling Backing Services • Supported Platforms • Demo • Summary • Bibliography
- 5. Challenges
- 7. The old way • Securing monolithic web application relatively easy • Username and Password • Credentials verified against table in database • HTTP Session stores in security context User Interface Logic Data
- 8. The new way • Multiple applications • Multiple variants of each application • Multiple services • Multiple logins • Multiple databases • Multiple devices
- 13. Are you lookingfor a single sign-on solutionthatenables you to secure newor legacy applicationsandeasilyuse federatedidentityproviders such as socialnetworks?
- 14. You should look at Keycloak
- 17. Project • Java based AuthN and AuthZ server • Started in 2013 • Current Version 11.0.3 • ~ Every 5 weeks • Commercial Offering Available • Red Hat SSO • Have you logged into developers.redhat.com or www.openshift.com? • Community • 400+ Contributors • Very robust, good documentation, many examples
- 18. Why should I use Keycloak?
- 19. Features (1/3) • Support multiple database engines Adaptability • Social networking logins • Federation • LDAP • Active Directory • Adapters for different frameworks • Spring • NodeJS • NetCore • … Integration
- 20. Features (2/3) • Clustering Scalability • Keycloak Service Provider Interface • Enables to implement your own authenticatoror federator Extensibility • Session management • Force logouts • Determine how many sessions your system currently has Centralization Features
- 21. Features (3/3)
- 22. Core Concepts
- 24. Technology Stack
- 25. Technology Stack Admin Console ❖ AngularJS ❖ React ❖ PatternFly ❖ Bootstrap Keycloak Server ❖ WildFly ❖ JPA ❖ RestEasy ❖ Freemarker ❖ Arquillian ❖ Infinispan
- 27. Keycloak 2 Keycloak1 SSO Protocols Protocol Mapper Infinispan Events Social Login User Storage JPA User Federation Realm Clients, Users, AuthN, AuthZ, Policies, … Account Login Identity Brokering Sessions Realms Settings … Replication Infinispan HTTP Endpoint
- 28. Single Sign-on How it works?
- 29. Single Sign-on • Login only once to access all applications SSO • OpenID Connect • Build on top of OAuth2 Standardized Protocols • Logouts can be propagated to applications Support for Single Logout
- 30. Tokens are associatedwith a session Unauthenticated User Unauthenticated user accesses to Application 1 Application redirectsto Keycloak 2 User submits credentials 2.1 Credentials 2.2 Keycloak creates SSO Session and Emits Cookies Generates Code and redirects the user back to the Application 3 Application exchangesCode to Tokens 4 Application verifies receivedTokens 5 User is signed-in to the application 6 1 2.2 2.1 5 3 2 4 6
- 31. Generates Code Keycloak detects SSO Session 9 Authenticated User … Authenticateduse accesses other application 7 Other application redirects user to Keycloak to sign-in 8 Other application exchangescode for tokens 10 Other application verifies receivedtokens 11 7 11 9 8 10 12 Redirectsto other application Tokens are associatedwith a session User is signed-in to the other application 12
- 32. Keycloak creates logout request to another application 3 Single Logout User initiates logout 1 Application creates logoutrequest to Keycloak 2 Keycloak terminates session 4 2 4 1 Application returns response logout to Keycloak 3.1 Applicationsdo logout 5 2.1 3.1 3 5 5 Keycloak returns response logout to the application 2.1
- 33. Tokens Overview
- 34. Essential Token Types • Access Token • Short lived [Minutes+] • Used for accessingresources • RefreshToken • Long lived [Hours+] • Used for requestingnew tokens • ID Token • Containsuser information(OIDC) • Offline Token • Long lived [Days+] • Refreshtoken that never expires
- 35. Keycloak Tokens • OAuth2 / OpenID Connect • Signed self-contained JWT • Claims • Key-Value Pairs + User Information + Metadata • Issued by Keycloak • Signed with Realm Private Key • Verified with Realm • Realm Public Key • Limited lifespan • Can be revoked
- 36. JSON Web Tokens <header-base64>. <payload-base64>. <signature-base64> Note Base64 means Encoding Encoding != Encryption
- 38. The backend looks up the Realm Public Key in cache with the kid from the JWT 3 Calling Backend Services Authenticateduse accesses to the application 1 Application uses the access token in the http header to access to the backend 2 The backend verifies signature of the access token with the Realm Public Key 4 2 4 1 The backend grants access and returns data 5 If not found, then fetch Public Key with kid from Keycloak 3.1 Keycloak returnsRealm Public Key 3.2 The applicationcan displaythe data 6 Authorization:Bearer eyJhbGciOiJSUzI1NiIsInR5cCIg… 5 3 3.1 3.2 6 kid public key access token data User can access to the data 7 7
- 44. Summary
- 45. Summary (1/2) • Unzip and Run • Docker Images So easy to get started with • Single Sign-on • Single Logout • Federation • User Management • Social Logins • … Provides many features out of the box
- 46. Summary (2/2) Build on proven a robust standards • OAuth 2.0 • OpenID Connect 1.0 • SAML2.0 Extensible • Custom • Authenticationmechanisms • Event Listeners • Themes • … Easy to integrate • Adapters available for different frameworks …
- 47. Bibliography