AK
Uploaded byAbhishek Koserwal
PPTX, PDF9,582 views

Building secure applications with keycloak

The document outlines the use of Keycloak, an open-source identity and access management solution that provides authentication and authorization through OAuth 2.0 and OpenID Connect. It highlights key concepts such as user identity, roles, and groups, as well as the importance of security measures like token validation and the proper setup of Keycloak in a stateless architecture. Additionally, it discusses potential scalability issues and compares Keycloak's capabilities with other solutions.

Technology
In this document
Powered by AI

Introduction to building secure applications using Keycloak, focusing on OIDC/JWT protocols.

Explanation of IAAA framework: Identification, Authentication, Authorization, and Accounting.

Clarifying OAuth 2's role in authorization vs. OpenID Connect's comprehensive identity management.

Keycloak as an open-source identity solution for applications, services, and APIs.

Benefits of Keycloak: reliability, open-source advantages, cost efficiency, customization, and community support.

Overview of key components in Keycloak: users, roles, identity providers, authentication methods, and security.

Integration of frontend and backend applications with Keycloak using various adapters and protocols.

Diagram depicting Keycloak's architecture with backend services, load balancing, and session management.

Discussing scalability issues, problems with sticky sessions, and transitioning to a containerized environment.

Mechanisms to verify user identities across services, addressing complex authorization challenges.

Illustration of the confused deputy problem related to service permission management and validation.

Explaining stateless architecture in Keycloak, emphasizing token validation and secure JWT handling.

Step-by-step guide to setting up Keycloak using Docker for application security management.

Presentation of a demo showcasing the functionality and features of applications secured by Keycloak.

Examining JWT usage in Keycloak for secure authenticated sessions and token handling best practices.

Comparative analysis of Keycloak, highlighting its unique features and ease of setup.

Security practices for Keycloak, including endpoint protection and measures against attacks.

Summary of the presentation with a Q&A session for further clarification.

Embed presentation

Downloaded 335 times
Building secure applications with keycloak (OIDC/JWT) Abhishek Koserwal Red Hat
● Identification: a set of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
Oauth 2 & OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
What is Keycloak? Open Source Identity Solution for Applications, Services and APIs
Why to use keycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github, Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
App: Integration Keycloak Frontend App Client ID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 T1 T2
How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF Load Balancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
Problems ● Scalability with server side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
Service-to-Service : Authentication & Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
The Confused Deputy Problem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
Stateless Architecture Keycloak Load Balancer / Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
Setup: keycloak docker pull jboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
Application Demo
JWT: Json Web Tokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
Keycloak vs Others ● Designed as a single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
Securing keycloak ● Make sure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
Q & A Thank You!

More Related Content

PPTX
Secure your app with keycloak
byGuy Marom
 
PDF
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PDF
Keycloak Single Sign-On
byRavi Yasas
 
PDF
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PPTX
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
PDF
Introduction to OpenID Connect
byNat Sakimura
 
Secure your app with keycloak
byGuy Marom
 
Keycloak SSO basics
byJuan Vicente Herrera Ruiz de Alejo
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
Keycloak Single Sign-On
byRavi Yasas
 
“How to Secure Your Applications With a Keycloak?
byGlobalLogic Ukraine
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
User Management Life Cycle with Keycloak
byMuhammad Edwin
 
Introduction to OpenID Connect
byNat Sakimura
 

What's hot

PPTX
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
PDF
Introduction to Kong API Gateway
byYohann Ciurlik
 
PDF
Secure Spring Boot Microservices with Keycloak
byRed Hat Developers
 
PDF
Introduction to SAML 2.0
byMika Koivisto
 
PPTX
Json Web Token - JWT
byPrashant Walke
 
PPTX
Identity management and single sign on - how much flexibility
byRyan Dawson
 
PDF
Implementing security requirements for banking API system using Open Source ...
byYuichi Nakamura
 
PDF
Apigee Demo: API Platform Overview
byApigee | Google Cloud
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
PPTX
REST API Design & Development
byAshok Pundit
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
Introducing Vault
byRamit Surana
 
PDF
Microservices
byStephan Lindauer
 
PPTX
Vault Open Source vs Enterprise v2
byStenio Ferreira
 
PDF
OAuth2 and Spring Security
byOrest Ivasiv
 
PPTX
Hashicorp Vault Open Source vs Enterprise
byStenio Ferreira
 
PDF
SAML VS OAuth 2.0 VS OpenID Connect
byUbisecure
 
PDF
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
PDF
Spring Security
byKnoldus Inc.
 
PPTX
Monoliths and Microservices
byBozhidar Bozhanov
 
Draft: building secure applications with keycloak (oidc/jwt)
byAbhishek Koserwal
 
Introduction to Kong API Gateway
byYohann Ciurlik
 
Secure Spring Boot Microservices with Keycloak
byRed Hat Developers
 
Introduction to SAML 2.0
byMika Koivisto
 
Json Web Token - JWT
byPrashant Walke
 
Identity management and single sign on - how much flexibility
byRyan Dawson
 
Implementing security requirements for banking API system using Open Source ...
byYuichi Nakamura
 
Apigee Demo: API Platform Overview
byApigee | Google Cloud
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
REST API Design & Development
byAshok Pundit
 
OAuth 2.0
byUwe Friedrichsen
 
Introducing Vault
byRamit Surana
 
Microservices
byStephan Lindauer
 
Vault Open Source vs Enterprise v2
byStenio Ferreira
 
OAuth2 and Spring Security
byOrest Ivasiv
 
Hashicorp Vault Open Source vs Enterprise
byStenio Ferreira
 
SAML VS OAuth 2.0 VS OpenID Connect
byUbisecure
 
Hashicorp Vault: Open Source Secrets Management at #OPEN18
byKangaroot
 
Spring Security
byKnoldus Inc.
 
Monoliths and Microservices
byBozhidar Bozhanov
 

Similar to Building secure applications with keycloak

PPTX
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
bymarcuschristie
 
PDF
Guide of authentication and authorization for cloud native applications with ...
byHitachi, Ltd. OSS Solution Center.
 
PDF
Implementing WebAuthn & FAPI supports on Keycloak
byYuichi Nakamura
 
PDF
Implementing Microservices Security Patterns & Protocols with Spring
byVMware Tanzu
 
PPTX
How to implement Keycloak authentication in React.pptx
byKnoldus Inc.
 
PDF
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
PDF
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
byIoan Eugen Stan
 
PDF
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
PDF
OSDC 2019 | Single Sign On with Keycloak: why and how by Julien Pivotto
byNETWAYS
 
PDF
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
byHitachi, Ltd. OSS Solution Center.
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
PDF
Cloud Native App Security
byDominik Guhr
 
PDF
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 
PDF
App Security with Keycloak and Quarkus
byConSol Consulting & Solutions Software GmbH
 
PDF
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
PPTX
Microservices Security Patterns & Protocols with Spring & PCF
byVMware Tanzu
 
PDF
stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj
byNETWAYS
 
PDF
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
byVMware Tanzu
 
PDF
Keycloak cloud native
byJonathan Vila
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
bymarcuschristie
 
Guide of authentication and authorization for cloud native applications with ...
byHitachi, Ltd. OSS Solution Center.
 
Implementing WebAuthn & FAPI supports on Keycloak
byYuichi Nakamura
 
Implementing Microservices Security Patterns & Protocols with Spring
byVMware Tanzu
 
How to implement Keycloak authentication in React.pptx
byKnoldus Inc.
 
AllTheTalks.Online 2020: "Basics of OAuth 2.0 and OpenID Connect"
byAndreas Falk
 
Modern authentication in Sling with Openid Connect and Keycloak - Adapt.to 20...
byIoan Eugen Stan
 
Building an Effective Architecture for Identity and Access Management.pdf
byJorge Alvarez
 
OSDC 2019 | Single Sign On with Keycloak: why and how by Julien Pivotto
byNETWAYS
 
DevConf.CZ 2020 @ Brno, Czech Republic : WebAuthn support for keycloak
byHitachi, Ltd. OSS Solution Center.
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
byBrian Campbell
 
Cloud Native App Security
byDominik Guhr
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 
App Security with Keycloak and Quarkus
byConSol Consulting & Solutions Software GmbH
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
bySouth Tyrol Free Software Conference
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
byPROIDEA
 
Microservices Security Patterns & Protocols with Spring & PCF
byVMware Tanzu
 
stackconf 2020 | Securing Infrastructure with Keycloak by Rahul Bajaj
byNETWAYS
 
Building Highly Secure Cloud-Native Applications on PAS with Ease - Jignesh S...
byVMware Tanzu
 
Keycloak cloud native
byJonathan Vila
 

Recently uploaded

PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PPTX
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
PDF
AI Technology important knowledge ......
byutkarshj2007
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Usage Control for Process Discovery through a Trusted Execution Environment
byValerioGoretti
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
Generative AI in 2026: Hype, Bubble, Winter or The Real Deal?
byDr. Tathagat Varma
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
THIS IS CYBER SECURITY NOTES USED IN CLASS ON VARIOUS TOPICS USED IN CYBERSEC...
byMelissaGblinwon
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Ethics in AI - Artificial Intelligence Fundamentals.pptx
byemenyiblessing
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
AI Technology important knowledge ......
byutkarshj2007
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Building secure applications with keycloak

  • 1.
    Building secure applications withkeycloak (OIDC/JWT) Abhishek Koserwal Red Hat
  • 2.
    ● Identification: aset of attributes related to an entity ■ (eg: user -> attribute [ name, email, mobile ] ) ● Authentication: is the process of verifying an identity ■ (who they say they are) ● Authorization: is the process of verifying what someone is allowed to do ■ (permissions) ● Accounting: logs, user actions, traceability of actions IAAA Security Factor
  • 3.
    Oauth 2 &OpenID Connect Oauth 2 != Authentication, only Authorization OpenID Connect = Identity + Authentication + Authorization 50+ Security Specifications...
  • 4.
    What is Keycloak? OpenSource Identity Solution for Applications, Services and APIs
  • 5.
    Why to usekeycloak? ● Reliable Solution ● ! Reinventing the wheel ? (shared libraries, keys/certs, configuration, standards) ● Open Source (3C’s) ■ Cost ■ Customizable / Contributions ■ Community ● Hybrid Cloud Model
  • 6.
    Core Concepts Keycloak Users Identity Provider User Federation LDAP Kerberos SAML OpenID Connect Github,Twitter, Google, Facebook..etc Roles Groups Events Roles UI (Themes) Clients Realm: master Security Defenses
  • 7.
    App: Integration Keycloak Frontend App ClientID: hello-world-app Realm: external- apps Backend App Keycloak Adapter OpenID Connect / SAML Resource Endpoint <HTTPS>Client Side: JS Server Side: Java, Python, Node.js, Ruby, C#.. etc Mobile App SDK: Android, IOS
  • 8.
  • 9.
    How we used.. Keycloak adapter keycloak Backend Services/ BFF Keycloak adapter Backend Services/ BFF LoadBalancer FrontendClient Sticky Sessions <SAML> Session ID: S-1 Session ID: S-1 Session Replication T1 T2
  • 10.
    Problems ● Scalability withserver side sessions ● Sticky Sessions are Evil ● Shifting monolith to Openshift/Containers (stateful -> stateless)
  • 11.
    Service-to-Service : Authentication& Authorization Service B Service A { userId: “jack” } How to verify and validate? { userId: ?? }
  • 12.
    The Confused DeputyProblem Service B Service A { userId: “jack” permission:”user” } Service C { userId: “jack” permission:”user” } { userId: “jack” permission:”admin” }
  • 13.
    Stateless Architecture Keycloak Load Balancer/ Routes Backend Services/ BFF Token Validation Node Pod-1 Pod-2 Realm: /JWKS (Json Web Key Set) { Key: “AAkV6d-anw0vwPMJfCb8223” } Frontend Keycloak adapter Backend Services/ BFF Token Validation
  • 14.
    Stateless Architecture Keycloak Load Balancer/ Routes Backend Services/ BFF Token Validation Node Frontend Keycloak adapter Backend Services/ BFF Token Validation JWT: <Header>.<Payload>.<Signature> <Header>: Check alg: "HS256"/ RSA256" <Payload>: Claims {"aud": "hello-world-app"} <Signature>: Verify Signature Response
  • 15.
    Setup: keycloak docker pulljboss/keycloak docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak Require docker daemon running Standalone server distribution (https://www.keycloak.org/downloads.htm) Standard way to run: Jboss / Wildfly
  • 16.
  • 17.
    JWT: Json WebTokens ● JWT over HTTPS and never HTTP ● Access tokens: are tokens that give those who have them access to protected resources (Short lived) ● Refresh tokens: allow clients to request new access tokens. ● Cookie vs local storage ○ local storage prone to cross-site scripting (XSS) ○ Cookie only with HttpOnly flag (size < 4 kb), prone to Cross-Site Request Forgery (CSRF)
  • 18.
    Keycloak vs Others ● Designed asa single product ● Easy to setup & configure ● Supports Docker registry Auth ● OpenJDK support ● spring-boot support : http://start.spring.io/
  • 19.
    Securing keycloak ● Makesure to secure keycloak end-points ● IP Restriction/Port restriction for the endpoint/auth/admin console ● Configure security defenses like: Password guess: brute force attacks ● If an access token or refresh token is compromised, revocation policy to all applications ● Client config: hostname is based on the request headers.
  • 20.

Editor's Notes

  • #4 https://www.x2u.club/work-delegation-memes.html
  • #5 https://www.keycloak.org/
  • #7 https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
  • #8 https://www.keycloak.org/docs/3.1/securing_apps/topics/overview/what-are-client-adapters.html
  • #9 https://www.keycloak.org/docs/3.1/server_admin/topics/sso-protocols/saml.html
  • #11 http://www.chaosincomputing.com/2012/05/sticky-sessions-are-evil/
  • #12 https://dzone.com/articles/api-security-ways-to-authenticate-and-authorize
  • #13 https://blogs.mulesoft.com/dev/connectivity-dev/google-oauth-security-confused-deputy/ https://samnewman.io/books/building_microservices/
  • #14 https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html
  • #15 https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html https://jwt.io/ https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/ https://github.com/akoserwal/keycloak-jwt https://www.npmjs.com/package/keycloak-angular https://github.com/akoserwal/keycloak-jwt https://github.com/akoserwal/statelessappdemo
  • #16 https://www.keycloak.org/downloads.html
  • #18 https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage https://www.owasp.org/index.php/HttpOnly https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
  • #19 https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/docker.html
  • #20 https://www.keycloak.org/docs/latest/server_admin/index.html#threat-model-mitigation