Identity Management and Single Sign-on - How Much Flexibility?
Experiences with Keycloak
Ryan Dawson @ryandawsongb
Marcello Teodori @magomarcelo
Alfresco
London Microservices 14/11/18
What we’ll talk about
- Auth and identity background
- Where Keycloak sits
- Examples of what we do in our projects
- Tradeoffs we make
- Why we made the decisions we did with Keycloak
- Other key challenges
Our Starting Problem(s)
We provide an open source product and an enterprise one on top of it
Both used in lots of ways
Lots of auth scenarios
Lots of protocols
Wanted consistent approach
Remember Writing This?
Or this?
Meaning...
...everyone doing things their own way so interoperability becomes tricky
Now We Have OAuth
And OpenID Connect (OIDC)
And OIDC helps to nail this down further by building on OAuth and formalising the content of the ID token as a JWT that asserts identity: it comes from an issuing authority, is meant for a particular audience (the client), and carries an expiration and a signature…
Of Course We’re Simplifying
- The details of OAuth and OIDC do get complex
- Especially when you get into the different flows and scopes
- For us we’d still need to support a range of protocols
- Also there is more to be solved - we need to break the problems down more
Auth and IDM are not the same
- Authentication = am I who I claim to be?
- Authorisation = can I access this?
- Identity management = who am I and what is stored about me?
Auth and IDM from a dev perspective
Login code will normally be doing authentication and authorisation. It just needs to know my ID and permissions.
Capturing my name and address would fall under IDM.
More subtly, my LDAP groups might be IDM, e.g. the department I’m in.
But you could also create roles that mirror LDAP groups in some situations.
Auth and IDM are different concerns but they can be related. You might apply a role to all users in a group.
It’s a Complex Landscape
OAUTH2
And Still Kinda Boring
- Even with OAuth, auth code is still not fun
- Auth server implementation is not fun
- Maintenance is definitely not fun
But could it become cool?
A Keycloak Journey: monolithic architecture
A Keycloak Journey: microservices architecture
A Keycloak Journey: authentication
A Keycloak Journey: microservices with Keycloak
Commoditization of Auth and IDM
Protocols offer standardisation.
But Keycloak is a move towards commoditization.
It handles federated identity as well as SSO
And it aims to provide OOTB ways of using it.
Auth0 and Okta have a similar range of features but they are SaaS.
Other products that can work on-premises like CloudFoundry UAA are less rich in features for our needs.
Commoditization = somebody did it for you
So Why Keycloak?
- Not to be cool. Or because others are using it.
- To make it easy.
- To let experts manage that code.
- I don’t want or need to implement an auth server. Or to write different code for different protocols. I’ll just use keycloak adapter code in my microservices.
- I don’t want to write code to manage users or interact directly with LDAP.
- If it all works out well, I can just google for ‘keycloak spring boot’ and get something working with copy-paste. Or ‘keycloak angular’ or whatever I’m using.
Cool =
All this for free?
- There are other tools out there that aim to help in this field. There are tradeoffs all over the place.
- First let’s look at some concrete examples, so that we can appreciate the tradeoffs better.
Let’s See
Here’s a Cool UI
The Code is Cool Too
https://github.com/Activiti/activiti-modeling-app
https://github.com/Alfresco/alfresco-js-api#authentication-js-api
"oauth2": {
"host": "http://activiti-keycloak.activiti.envalfresco.com/auth/realms/activiti",
"authPath": "/protocol/openid-connect/token/",
"clientId": "activiti",
"scope": "openid",
"implicitFlow": true,
"silentLogin": true,
"redirectSilentIframeUri": "/activiti-cloud-modeling/assets/silent-refresh.html",
"redirectUri": "/activiti-cloud-modeling",
"redirectUriLogout": "/activiti-cloud-modeling"
}
And It’s Dockerized
A Cool Backend Behind It
Also Cool Code
https://github.com/Activiti/activiti-cloud-modeling/
A Configured Realm
There’s shared configuration across all apps that use this realm.
It contains details of which ‘clients’ (apps or app profiles) should be authorized for logins under the realm as well as user roles and user details (or the source of user details).
SSO in action
Here’s another Cool UI with SSO!
https://github.com/Alfresco/alfresco-content-app
Tradeoffs and Decisions
- There are some tricky decisions and tradeoffs involved in designing implementations using keycloak
- Let’s look at the key ones and see the flavour of the various challenges
Key Tradeoff 1 - Just OAuth2? Or just keycloak?
- In both UI and backend cases - do you use the keycloak adapter and get support for other protocols? Or are you just doing OAuth2?
- If you’re just doing OAuth, then implementing your code in a generic OAuth way with an OAuth library would let you swap in another auth system e.g. UAA.
Key Tradeoff 2 - How Much Coding?
- In the backend we could’ve gone for plain spring security. This is a configuration over coding approach. But it can still be pretty involved - the configuration is still there in your code.
- The keycloak adapters make it a bit more out of the box
Our choice
- Will you really be doing all these different protocols? Important for us because we’re a vendor… our customers will!
- JHipster went the other way - they decided supporting multiple OAuth2 SSO implementations (e.g. UAA) without having to switch adapters was more important for them.
- The variety of use-cases was key for us, especially:
  - Social login
  - Kerberos and SAML
  - Brokering options in general, especially the range
  - LDAP support
  - LDAP sync also a big plus
So Is Keycloak Cool?
- For us it lets us provide super-flexible security out of the box.
- That delivers value, so that’s pretty cool.
- And it lets us do it in a way that the software community can recognise and work with.
Thanks for Listening!
Please do ask questions!
(Or we can talk about additional challenges if we have time.)
And by the way, if you want to work with Keycloak and other cool technologies…
We’re hiring in our team! Check https://careers.smartrecruiters.com/Alfresco
Contact Us: Ryan Dawson @ryandawsongb and Marcello Teodori @magomarcelo
There are Challenges
Making these decisions solves some problems
But still leaves a lot of work to be done
Let’s see some of the challenges you have to address
CORS
CORS - keycloak libraries can kinda help with this but only a bit. Partly because putting keycloak on the same host is tricky. It really wants to be on the root path. But everyone wants that, don’t they? Gateways love root path. UIs love it… So does keycloak.
SSL
Data Restrictions
Access restrictions on data, not just endpoints.
You can add restrictions at code-level with spring
But in our case we wanted the restrictions to be configurable at deploy time and to be able to apply them or not apply them with configuration options, including to dynamic queries not just static ones.
We also needed the restrictions to be able to apply for a chosen group or user rather than a role. So we wrote something.
https://github.com/Activiti/activiti-cloud-query-service/blob/b6ff8c630fb4d171188b4262bd4bccffd8ee10e4/activiti-cloud-services-query/activiti-cloud-services-query-
What if Not All User Info is in Keycloak?
What if you’ve got extra attributes about users that are not stored in keycloak?
Ideally that could be handled via federated identity brokering
Otherwise you’ll need to take some identifier and use it in both keycloak and your app’s database/persistence.
Probably then you’ll also be querying the REST API to find out about users and groups from within your app. If so, using the OOTB Java adapter library makes a lot of sense as it wraps the REST API.
Upgrades
Upgrading keycloak itself tends to be fairly smooth as minor versions are backward-compatible and major ones will have a migration path.
But realm changes can be a pain.
The realm import/export feature can help, with some limitations.
{
  "realm": "activiti",
  "enabled": true,
  "sslRequired": "none",
  "roles": {
    "realm": [{
      "name": "ACTIVITI_USER"
    }, {
      "name": "ACTIVITI_ADMIN"
    }]
  },
  "groups": [{
    "name": "hr"
  }],
  "users": [{
    "username": "admin",
    "enabled": true,
    "credentials": [{
      "type": "password",
      "value": "admin"
    }],
    "realmRoles": [
      "ACTIVITI_ADMIN"
    ]
  }]
}
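Added example, not code from the talk or from Keycloak: a pre-import audit over a realm export like the one above, which flags the weak sslRequired setting and clear-text bootstrap passwords that are not marked temporary, checks that every realmRole a user references is declared, and produces the corrected export. The field names (realm, sslRequired, roles.realm, users, credentials, temporary) are Keycloak's; the second user is constructed to exercise the role check.

```javascript
// Added example: audit a Keycloak realm export before importing it. Not code from the
// talk or from Keycloak. Uses only plain JavaScript (Node or browser).

// The talk's realm export, plus a constructed second user ('hr-user') that references
// a role the export never declares.
const realmExport = {
  realm: 'activiti',
  enabled: true,
  sslRequired: 'none',
  roles: { realm: [{ name: 'ACTIVITI_USER' }, { name: 'ACTIVITI_ADMIN' }] },
  groups: [{ name: 'hr' }],
  users: [
    { username: 'admin', enabled: true,
      credentials: [{ type: 'password', value: 'admin' }],
      realmRoles: ['ACTIVITI_ADMIN'] },
    { username: 'hr-user', enabled: true,   // constructed for the example
      credentials: [{ type: 'password', value: 'changeme', temporary: true }],
      realmRoles: ['ACTIVITI_HR'] },
  ],
};

// Returns a list of findings; an empty list means the export passed the checks.
function auditRealm(realm) {
  const findings = [];
  const name = realm.realm || '<unnamed>';
  // "none" lets logins and token responses travel over plain HTTP; "external" or "all" is expected.
  if (realm.sslRequired === 'none') {
    findings.push(`${name}: sslRequired is "none"; expected "external" or "all"`);
  }
  const declared = new Set(((realm.roles && realm.roles.realm) || []).map((r) => r.name));
  const seen = new Set();
  for (const user of realm.users || []) {
    if (seen.has(user.username)) findings.push(`${name}: duplicate user ${user.username}`);
    seen.add(user.username);
    for (const role of user.realmRoles || []) {
      if (!declared.has(role)) {
        findings.push(`user ${user.username}: realm role ${role} is not declared in roles.realm`);
      }
    }
    for (const cred of user.credentials || []) {
      // A "value" on a password credential is the clear-text bootstrap password; it should at
      // least force a change at first login.
      if (cred.type === 'password' && cred.value !== undefined && cred.temporary !== true) {
        findings.push(`user ${user.username}: clear-text bootstrap password not marked temporary`);
      }
    }
  }
  return findings;
}

// The corrected form of the same export: require TLS and force a password change at first
// login. Undeclared roles are left for a human to resolve, so they still show up in the audit.
function hardenRealm(realm) {
  const copy = JSON.parse(JSON.stringify(realm));
  copy.sslRequired = 'external';
  for (const user of copy.users || []) {
    for (const cred of user.credentials || []) {
      if (cred.type === 'password' && cred.value !== undefined) cred.temporary = true;
    }
  }
  return copy;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', auditRealm(realmExport));
  console.log('after: ', auditRealm(hardenRealm(realmExport)));
}
```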

 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsMehedi Hasan Shohan
 

Recently uploaded (20)

why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
XpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software SolutionsXpertSolvers: Your Partner in Building Innovative Software Solutions
XpertSolvers: Your Partner in Building Innovative Software Solutions
 

Identity management and single sign on - how much flexibility

  • 1. Identity Management and Single Sign-on - How Much Flexibility? Experiences with Keycloak Ryan Dawson @ryandawsongb Marcello Teodori @magomarcelo Alfresco London Microservices 14/11/18
  • 2. What we’ll talk about -Auth and identity background -Where Keycloak sits -Examples of what we do in our projects -Tradeoffs we make -Why we made the decisions we did with Keycloak -Other key challenges
  • 3. Our Starting Problem(s) We provide an open source product and an enterprise one on top of it Both used in lots of ways Lots of auth scenarios Lots of protocols Wanted consistent approach
  • 6. Meaning... ...everyone doing things their own way so interoperability becomes tricky
  • 7. Now We Have OAuth
  • 8. And OpenID Connect (OIDC) And OIDC helps to nail this down further by building on OAuth and formalising the content of the ID token as a JWT that asserts identity, coming from an issuing authority, with a particular audience (client), an expiration and a signature…
  • 9. Of Course We’re Simplifying -The details of OAuth and OIDC do get complex -Especially when you get into the different flows and scopes -For us we’d still need to support a range of protocols -Also there is more to be solved - we need to break the problems down more
  • 10. Auth and IDM are not the same - Authentication = am I who I claim to be? - Authorisation = can I access this? - Identity management = who am I and what is stored about me?
  • 11. Auth and IDM from a dev perspective Login code will normally be doing authentication and authorisation. It just needs to know my ID and permission. Capturing my name and address would fall under IDM. More subtly, my LDAP groups might be IDM. They could be the department I’m in. But you could also create roles that mirror LDAP groups in some situations. Auth and IDM are different concerns but they can be related. You might apply a role to all users in a group.
  • 12. It’s a Complex Landscape OAUTH2
  • 13. And Still Kinda Boring -Even with OAuth, Auth code still not fun -Auth server implementation not fun -Maintenance definitely not fun
  • 14. But could it become cool?
  • 15. A Keycloak Journey: monolithic architecture
  • 16. A Keycloak Journey: microservices architecture
  • 17. A Keycloak Journey: authentication
  • 18. A Keycloak Journey: microservices with Keycloak
  • 19. Commoditization of Auth and IDM Protocols offer standardisation. But Keycloak is a move towards commoditization. It handles federated identity as well as SSO, and it aims to provide OOTB ways of using it. Auth0 and Okta have a similar range of features but they are SaaS. Other products that can work on-premises like CloudFoundry UAA are less rich in features for our needs.
  • 20. Commoditization = somebody did it for you
  • 21. So Why Keycloak? - Not to be cool. Or because others are using it. - To make it easy. - To let experts manage that code. - I don’t want or need to implement an auth server. Or to write different code for different protocols. I’ll just use keycloak adapter code in my microservices. - I don’t want to write code to manage users or interact directly with LDAP. - If it all works out well, I can just google for ‘keycloak spring boot’ and get something working with copy-paste. Or ‘keycloak angular’ or whatever I’m using.
  • 23. All this for free? -There are other tools out there that aim to help in this field. There are tradeoffs all over the place. -First let’s look at some concrete examples, so that we can appreciate the tradeoffs better.
  • 26. The Code is Cool Too https://github.com/Activiti/activiti-modeling-app https://github.com/Alfresco/alfresco-js-api#authentication-js-api
    "oauth2": {
      "host": "http://activiti-keycloak.activiti.envalfresco.com/auth/realms/activiti",
      "authPath": "/protocol/openid-connect/token/",
      "clientId": "activiti",
      "scope": "openid",
      "implicitFlow": true,
      "silentLogin": true,
      "redirectSilentIframeUri": "/activiti-cloud-modeling/assets/silent-refresh.html",
      "redirectUri": "/activiti-cloud-modeling",
      "redirectUriLogout": "/activiti-cloud-modeling"
    }
  • 28. A Cool Backend Behind It
  • 30. A Configured Realm There’s shared configuration across all apps that use this realm. It contains details of which ‘clients’ (apps or app profiles) should be authorized for logins under the realm as well as user roles and user details (or the source of user details)
  • 32. Here’s another Cool UI with SSO! https://github.com/Alfresco/alfresco-content-app
  • 33. Tradeoffs and Decisions -There are some tricky decisions and tradeoffs involved in designing implementations using keycloak -Let’s look at the key ones and see the flavour of the various challenges
  • 34. Key Tradeoff 1 - Just OAuth2? Or just keycloak? -In both UI and backend cases - do you use the keycloak adapter and get support for other protocols? Or are you just doing OAuth2? -If you’re just doing OAuth, then implementing your code in a generic OAuth way with an OAuth library would let you swap in another auth system e.g. UAA.
  • 35. Key Tradeoff 2 - How Much Coding? - In the backend we could’ve gone for plain spring security. This is a configuration over coding approach. But can still be pretty involved - the configuration is still there in your code. -The keycloak adapters make it a bit more out of the box
  • 36. Our choice - Will you really be doing all these different protocols? Important for us because we’re a vendor… our customers will! - JHipster went the other way - they decided supporting multiple OAuth2 SSO implementations (e.g. UAA) without having to switch adapters was more important for them. -The variety of use-cases was key for us, especially: -Social login -Kerberos and SAML -Brokering Options in General, especially the range -LDAP Support -LDAP sync also a big plus.
  • 37. So Is Keycloak Cool? -For us it lets us provide super-flexible security out of the box. -That delivers value, so that’s pretty cool. -And it lets us do it in a way that the software community can recognise and work with.
  • 38. Thanks for Listening! Please do ask questions! (Or we can talk about additional challenges if we have time.) And by the way, if you want to work with Keycloak and other cool technologies… We’re hiring in our team! Check https://careers.smartrecruiters.com/Alfresco Contact Us: Ryan Dawson @ryandawsongb and Marcello Teodori @magomarcelo
  • 39. There are Challenges Making these decisions solves some problems But still leaves a lot of work to be done Let’s see some of the challenges you have to address
  • 40. CORS CORS - keycloak libraries can kinda help with this but only a bit. Partly because putting keycloak on the same host is tricky. It really wants to be on the root path. But everyone wants that, don’t they? Gateways love root path. UIs love it… So does keycloak.
  • 41. SSL
  • 42. Data Restrictions Access restrictions on data, not just endpoints. You can add restrictions at code-level with spring But in our case we wanted the restrictions to be configurable at deploy time and to be able to apply them or not apply them with configuration options, including to dynamic queries not just static ones. We also needed the restrictions to be able to apply for a chosen group or user rather than a role. So we wrote something. https://github.com/Activiti/activiti-cloud-query- service/blob/b6ff8c630fb4d171188b4262bd4bccffd8ee10e4/activiti-cloud-services- query/activiti-cloud-services-query-
  • 43. What if Not All User Info is in Keycloak? What if you’ve got extra attributes about users that are not stored in keycloak? Ideally that could be handled via federated identity brokering Otherwise you’ll need to take some identifier and use it in both keycloak and your app’s database/persistence Probably then you’ll also be querying the REST api to find out about users and groups from within your app. If so using the OOTB java adapter library makes a lot of sense as it wraps the REST API.
  • 44. Upgrades Upgrading keycloak itself tends to be fairly smooth as minor versions are backward-compatible and major ones will have a migration path. But realm changes can be a pain. The realm import/export feature can help, with some limitations.
    {
      "realm": "activiti",
      "enabled": true,
      "sslRequired": "none",
      "roles": {
        "realm": [
          { "name": "ACTIVITI_USER" },
          { "name": "ACTIVITI_ADMIN" }
        ]
      },
      "groups": [{ "name": "hr" }],
      "users": [{
        "username": "admin",
        "enabled": true,
        "credentials": [{ "type": "password", "value": "admin" }],
        "realmRoles": [ "ACTIVITI_ADMIN" ]
      }]
    }

Editor's Notes

  1. Ryan: I’m Ryan Dawson, one of the core developers on the Activiti project. We do open source Business Process Management and Automation. Marcello: I’m Marcello Teodori, Architect for the Alfresco Process Services enterprise BPM product. Ryan: We both work on Business Process Management but we’re not going to talk about that. We’re going to talk about single sign-on and identity management. We’ve changed the approach to authentication and IDM in Activiti and Alfresco products recently as we’ve increasingly moved to cloud-based and distributed systems. Marcello: So we’ve been breaking down monoliths and refactoring out responsibilities. We looked at the market to see what we could leverage and we’d like to share what we decided upon. Comments and other experiences are welcome - do feel free to ask questions as we go.
  2. Ryan: Rather than dive straight into our decision-making, we’ll start with some background. We did end up choosing redhat’s open source offering keycloak, at least as our first/primary auth and IDM integration. We’ll explain why. Marcello: We’ll show you what we’ve done with keycloak by demoing just the relevant parts of some of our open source apps and digging into the code. We’ll also explain what trade-offs we encountered and challenges we faced.
  3. Ryan: Let’s briefly summarise the position we started from when we were reviewing our auth setup. Our products get used in lots of ways, both open source and enterprise. This means lots of auth scenarios. So we’re talking cases with our backends talking to 3rd-party frontends and our frontends talking to 3rd-party backends and backends talking to backends. Also cases where authentication is with basic auth or OAuth or SAML or kerberos. And parts of the user record could be internal to the system (in the DB) or in LDAP or somewhere else. Marcello: Sometimes we provide the integration code and we know all about it. Sometimes users extend our products themselves. We wanted to unify this and make it more manageable. We wanted a set of services in a distributed system - consistency. And that meant externalizing auth where it was done internal to the service. But we couldn’t lose functionality. Ryan: to understand this better let’s break the problems down and get a picture of how they evolved.
  4. Ryan: You might well be thinking that the problems we described with systems having their own approaches to authentication are unusual. But if you’re old enough you probably wrote something like this. You wrote all the pages and all the code behind the pages and dealt with all the pain of controlling access to specific resources. It wasn’t unusual to write login and access control code.
  5. Ryan: You also modeled all the users in the system. That meant storing passwords and securing within your application.
  6. Ryan: This isn’t to say we were all neglectful back then. But in a sense we were cowboys. Without established practices everyone is a cowboy. One of the big problems we were looking at was systems storing user and password details in the database and requiring them for access. Encrypted passwords but the key problem is interoperability (how can a user do an action spanning systems without multiple login?) and consistency (what if the same user has slightly different names in different systems?) rather than security.
  7. Ryan: OAuth means there are standard ways for different types of applications to do authentication and authorisation. And they don’t all have to store their own user-password records as they can use an OAuth server. The application can pass requests on to an OAuth Authorization server and that can issue a time-limited access token that grants access to specific resources.
  8. Marcello: And OpenID Connect adds to OAuth, making it more specific. A big addition is a formal specification for an access token as a JWT (JSON Web Token). The basic principle is that a token should come from a recognised issuing authority and be signed by that authority and the client should be able to verify this. The token should contain everything needed to know who the token is for and what it entitles them to be able to do.
  9. Ryan: There’s much more to OAuth and OIDC than we can fully go into - choosing to use them does help us out but doesn’t solve all of our problems. One reason for this is that we’d still need a way to support a range of protocols. But more importantly OIDC alone doesn’t address all of our core problems. To understand why, we need to break the problems down more.
  10. Ryan: First we need to break down what problems we’re trying to solve. That means being clear that authentication and identity management are not the same. For a user, you’re getting authenticated when you login. You might also get authorised at login. Probably authorisation happens every time you move from one function to another. You engage with IDM when you modify your user details - think of going to a ‘my account’ page. Different functions from a user perspective and they could be implemented by different systems or parts of systems.
  11. Ryan: So let’s think from a dev perspective. Can we think of examples of functions implementing parts of these concerns? Login code is an obvious one. Authentication will take place when login happens. Authorisation will happen right after that to decide if the user can go where they want to go. Login needs to know my ID and maybe my password or whatever entitles me to access. Authorisation needs to know that I’m entitled but it doesn’t need to verify my identity again. Functions that involve updating or using my name and address will be IDM-related. That is part of my identity but probably not relevant to authentication. These distinctions can get tricky. For example, what if I’m a member of a group in LDAP? Say I’m in the finance department. Is that an IDM concern or an authorisation concern? The way to think of it is that groups are a way of organising users/people but roles are ways of organising rights/entitlements. My being in the finance department means I’m in a group. It might be used to grant me certain roles too as finance can have certain privileges (access to accounts). The point is that OAuth is a standard for authorization and OIDC adds to it and helps it cover authorization. Identity management including managing changes to groups and extended user details can still be a problem and it can relate to auth.
  12. Marcello: There are other standards flying around. Some might be called legacy but they are still around and sometimes it is very hard for organisations to migrate. Even if you could ignore legacy, there are still other protocols and tools in the auth and IDM area that are too important to comfortably ignore.
  13. Ryan: The point is even if we were to just choose OIDC/Oauth, implementing everything according to that standard would be a lot of work without off the shelf tools. Especially if it is going to incorporate user and group management and integration with roles. Then there’s all the maintenance of patching security code when new updates to a protocol come out in response to vulnerabilities. So we wanted to be able to use an off the shelf system as far as we could.
  14. Ryan: The one that stood out was Keycloak. It’s an open source project from redhat. It is getting pretty popular and showing up at the cool conferences. It has the potential to address auth and IDM concerns and provide ways to handle various protocols and legacy stuff. You set up a keycloak server and that becomes your single point of interface for your apps. That would be kinda cool.
  15. Marcello: the Alfresco Content and Process enterprise applications did fall into this category, handling user credentials and profile storage, role and group mappings for authorisation, then LDAP sync, then SSO, all implemented in Java with Spring, a lot of Spring…. and duplicating effort
  16. Marcello: sharing user database or calling a custom login service and a user profile service or inventing their own tokens and ways
  17. Marcello: enter keycloak, centralised login and standard protocols, LDAP sync, SSO all in one place
  18. Marcello: every service just relies on the token provided and has the means to validate it, stateless!
  19. Marcello: Keycloak doesn’t just provide an OAuth2 server. It can handle other protocols too. And it can do identity management. It’s not alone in this but it seems to be the most popular.
  20. Ryan: The keycloak documentation doesn’t say Commoditization. But they do talk about range of use-cases, including using keycloak as a single point of interaction and putting it in front of other providers (e.g. even using OKTA as IDP behind keycloak). And they talk about their adapters as reducing boilerplate relative to libraries. Their demos tend to use the adapters to show things as ‘OOTB’.
  21. Ryan: Following the crowd can be good if it means that knowledge of the tool you choose is widespread - then it’s easier for developers and to find answers online. But popularity isn’t a reason in itself. We do want to let somebody else do the hard work for us. Again, not always a good reason but sometimes it can be. The less time we spend on auth and idm, the more we spend on our core business. We recognise it’s not our core expertise and are happy letting experts do it. And this is important because we have been doing this before. And there are still options around that will lead to you implementing your own auth server or writing code that handles different protocols. I don’t want to write auth code or idm code or code to interact with common idm systems unless I have to. The keycloak adapters have the promise of doing a lot for me.
  22. Ryan: Actually one better than copy-pasting would be not even having to copy-paste. That would be true commoditization. The point is you want to just add the library and do some configuration and be up and running.
  23. Ryan: It is open source and that was important for us when we were evaluating it. We wanted to externalise auth and idm from Activiti as Activiti moves to microservices (because microservices means separating out responsibilities). And Activiti is open source so we needed something open source. The range of use-cases was also important because we also use Activiti and build on it in enterprise products and enterprises have lots of use-cases, including lots of legacy stuff. So the promise is big. But does it really just work?
  24. Ryan: So how much does keycloak do for us? We need to look at some real applications to find out. We’ll show: end user login experience in your front-end app back-end API behind it Identity Service with its web ui
  25. Ryan: This is one of our angular UI apps. We hit the app URL, we get redirected to keycloak and after login we get into our app under our identity and we see the stuff we are meant to see - the stuff that belongs to us. Marcello: This flow is the implicit flow of OpenID Connect and allows the integration of SSO via external providers or 2FA as your application DOES not manage the login screen or is in charge of sending a username/password pair.
  26. Marcello: This is cool because it’s basically all config, very little code. But that’s just because logic is handled a library layer (Alfresco JS API) so actually there is oauth2 code but we’ve hidden it. In this case it is generic oauth2 code. We’ve a different UI that is using keycloak-angular and integrating that was fairly straightforward. This is a key choice between oauth2 code or a keycloak adapter.
  27. Marcello: It’s important this config is externalizable as this is one UI of several that need to work with lots of backends in kubernetes and be deployed to different clusters. We need to be able to pass in the external URL and config as environment variables so we can set at deploy time.
  28. Ryan: so the UI passes the token through to the backend, which also uses it: http://activiti-cloud-gateway.activiti.envalfresco.com/activiti-cloud-modeling-backend/swagger-ui.html#/applications
  29. Ryan: Here we’re using a keycloak adapter in our library code. Otherwise pretty similar to keycloak spring boot demos. Again it’s all externalised because spring boot properties map to environment variables. Notice the constraints section especially. This lets you restrict which user roles can access which endpoints. These restrictions are all at the config level out of the box with the keycloak adapter, whereas with spring security it is in the SecurityConfig class and you’d then have to externalise it yourself.
  30. Ryan: The configuration of users and roles and which apps are allowed to do what is all in keycloak. So outside of your apps. And again deployed in kubernetes - the helm chart has helped us a lot here. Obviously there’s a lot of detail in the realm config. There’s a lot to learn when it comes to configuring keycloak for different scenarios. However, we’ve found it pretty easy to get something up quickly by following examples.
  31. We’ve got multiple UIs and multiple backends and a single user can move seamlessly across them. So it really does work. Marcello: add a slide for alfresco-content-app and show SSO
  32. Marcello: SSO in Action, alfresco-content-app is the Angular front-end for Alfresco Content (both Community OSS and Enterprise) and they are configured to login on the same keycloak server, so we can switch seamlessly from one to the other with the same user identity.
  33. Ryan:
  34. Ryan: If you go with an Oauth library then you can support other Oauth servers. If you go for a keycloak library, you can support other protocols and scenarios. But with one library you can’t have both. We hit this with both backend and frontend. We used the keycloak adapter for the backend but we intend to add backend support for UAA as an alternative to keycloak for authentication. We use the keycloak adapter but we do so at a library level in our code, not to hide it but because we need the implementation to be pluggable so that apps built on Activiti can override and extend it. Currently the UI has gone the Oauth route but there is a keycloak angular adapter out there.
  35. Marcello: For us actually the key code-level challenges were integrating keycloak smoothly so that the configuration was all neatly externalised (actually this was quite easy with the adapter) and also making sure it could be swapped out or overridden. But many projects might choose to go plain spring security for Oauth and configure it for keycloak as the Oauth server. JHipster went that way. It avoids having to implement the Oauth server yourself but the code-level configuration is a bit more involved if you go that way.
  36. Marcello: focusing on enterprise solutions
  37. Ryan: Keycloak having a good open source community is really important for us. It means we can dig into the code and contribute and collaborate. The range of features and flexibility of keycloak is also key as it lets us cover a really wide range of cases, including the kinds of cases you hit in enterprise organisations. It lets us deliver value for our community and customers so that’s pretty cool.
  38. Marcello
  39. Ryan
  40. Ryan: Not strictly an IDM or SSO concern but if you’re doing SSO then you’ll probably hit it.
  41. Ryan: Again not an SSO or IDM concern but if you’re doing SSO then you’ll probably hit it. Keycloak does let you configure whether SSL is required for logging in to a given realm.
  42. Ryan
  43. Marcello
  44. Marcello: Clients with older versions of the adapters will tend to work when you upgrade the server, at least with minor versions. You do need to do testing on upgrades though. Changes you make to the configuration can be trickier than you might expect as not everything is currently exportable from the UI.