Keycloak is an open source identity and access management solution that provides single sign-on for both legacy and new applications. It uses established standards like OAuth 2.0, OpenID Connect and SAML to securely authenticate users and manage authorization for multiple applications and services. Keycloak offers out-of-the-box features like social logins, user management, tokens and federation that make it easy to get started. It is also extensible through custom authentication mechanisms, event listeners and themes. Keycloak provides adapters to easily integrate with different frameworks and platforms.
Building an Effective Architecture for Identity and Access Management.pdf
1. Building an Effective Architecture for
Identity and Access Management
JorgeAlvarez
alvarez.jeap@gmail.com
GitHub: @jealvarez
Twitter: @edlask8
2. Disclaimer
The points of view, thoughts and opinions expressed in this presentation belong only to the presenter and not necessarily to the presenter's employer, organization, committee or other group or individual.
7. The old way
• Securing a monolithic web application was relatively easy
  • Username and password
  • Credentials verified against a table in the database
  • Security context stored in the HTTP session
Diagram: User Interface / Logic / Data
8. The new way
• Multiple applications
• Multiple variants of each application
• Multiple services
• Multiple logins
• Multiple databases
• Multiple devices
13. Are you looking for a single sign-on solution that enables you to secure new or legacy applications and easily use federated identity providers such as social networks?
17. Project
• Java based AuthN and AuthZ server
  • Started in 2013
  • Current version 11.0.3
  • New version ~ every 5 weeks
• Commercial offering available
  • Red Hat SSO
  • Have you logged into developers.redhat.com or www.openshift.com?
• Community
  • 400+ contributors
  • Very robust, good documentation, many examples
19. Features (1/3)
Adaptability
• Support for multiple database engines
Integration
• Social networking logins
• Federation
  • LDAP
  • Active Directory
• Adapters for different frameworks
  • Spring
  • NodeJS
  • .NET Core
  • …
20. Features (2/3)
Scalability
• Clustering
Extensibility
• Keycloak Service Provider Interface
  • Enables you to implement your own authenticator or federator
Centralization
• Session management
  • Force logouts
  • Determine how many sessions your system currently has
29. Single Sign-on
SSO
• Login only once to access all applications
Standardized Protocols
• OpenID Connect
  • Built on top of OAuth2
Support for Single Logout
• Logouts can be propagated to applications
30. Tokens are associated with a session
Unauthenticated User
1. Unauthenticated user accesses the Application
2. Application redirects to Keycloak
  2.1 User submits credentials
  2.2 Keycloak creates SSO Session and emits cookies
3. Keycloak generates a code and redirects the user back to the Application
4. Application exchanges the code for tokens
5. Application verifies the received tokens
6. User is signed in to the application
31. Tokens are associated with a session
Authenticated User
7. Authenticated user accesses another application
8. Other application redirects the user to Keycloak to sign in
9. Keycloak detects the SSO Session, generates a code and redirects to the other application
10. Other application exchanges the code for tokens
11. Other application verifies the received tokens
12. User is signed in to the other application
32. Single Logout
1. User initiates logout
2. Application creates a logout request to Keycloak
  2.1 Keycloak returns the logout response to the application
3. Keycloak creates a logout request to another application
  3.1 Application returns the logout response to Keycloak
4. Keycloak terminates the session
5. Applications do logout
34. Essential Token Types
• Access Token
  • Short lived [Minutes+]
  • Used for accessing resources
• Refresh Token
  • Long lived [Hours+]
  • Used for requesting new tokens
• ID Token
  • Contains user information (OIDC)
• Offline Token
  • Long lived [Days+]
  • Refresh token that never expires
35. Keycloak Tokens
• OAuth2 / OpenID Connect
• Signed self-contained JWT
• Claims
  • Key-value pairs + user information + metadata
• Issued by Keycloak
  • Signed with the Realm Private Key
• Verified with the Realm Public Key
• Limited lifespan
• Can be revoked
38. Calling Backend Services
1. Authenticated user accesses the application
2. Application uses the access token in the HTTP header to access the backend (Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIg…)
3. The backend looks up the Realm Public Key in cache with the kid from the JWT
  3.1 If not found, fetch the Public Key with that kid from Keycloak
  3.2 Keycloak returns the Realm Public Key
4. The backend verifies the signature of the access token with the Realm Public Key
5. The backend grants access and returns data
6. The application can display the data
7. User can access the data
45. Summary (1/2)
So easy to get started with
• Unzip and run
• Docker images
Provides many features out of the box
• Single Sign-on
• Single Logout
• Federation
• User Management
• Social Logins
• …
46. Summary (2/2)
Built on proven, robust standards
• OAuth 2.0
• OpenID Connect 1.0
• SAML 2.0
Extensible
• Custom
  • Authentication mechanisms
  • Event listeners
  • Themes
  • …
Easy to integrate
• Adapters available for different frameworks
…