SlideShare a Scribd company logo

Challenge to Implementing "Scalable" Authorization with Keycloak

Download as PPTX, PDF
Hitachi, Ltd. OSS Solution Center.
Hitachi, Ltd. OSS Solution Center.

The document discusses the challenge of implementing scalable authorization and describes how to use Keycloak's authorization service to achieve it. Keycloak allows defining fine-grained authorization policies and centralizing authorization data, improving scalability. Combined with OPA and CockroachDB, Keycloak can also enhance performance and availability while maintaining a centralized approach. The document provides an overview of Keycloak's authorization capabilities and how they enable scalable and standards-based authorization.

Technology
1 of 34
© Hitachi, Ltd. 2023. All rights reserved. Challenge to Implementing “Scalable” Authorization with Keycloak KUBECON + CLOUDNATIVECON NA 2023 Hitachi, Ltd. OSS Solution Center 11/07/2023 Yoshiyuki Tabata
1 © Hitachi, Ltd. 2023. All rights reserved. About the speaker • Specialist in API authorization  Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields • Contributor to OSS related to authentication, authorization, and API management  Keycloak (IAM OSS)  3scale (API management OSS) • Other activities  Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.  Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese) Yoshiyuki Tabata  Senior OSS Consultant  Hitachi, Ltd.  GitHub: @y-tabata  CNCF Ambassador
© Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 2 4. Advanced Challenge with OPA and CockroachDB
© Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 3 4. Advanced Challenge with OPA and CockroachDB
4 © Hitachi, Ltd. 2023. All rights reserved. What is Authorization • Authorization is different from Authentication. • Authentication is the process of verifying an entity's identity. • Authenticated does not mean Authorized to access all resources. • Authentication is not always required for accessing resources, there are public resources that can be accessed without Authentication. Authorization is the process of verifying that a requested action or service is approved for a specific entity. (according to NIST Glossary)
5 © Hitachi, Ltd. 2023. All rights reserved. Authorization in OWASP Top 10 API Security Risks Three of the top 5 security risks include the word "Authorization". * OWASP Top 10 API Security Risks - 2023 https://owasp.org/API-Security/editions/2023/en/0x11-t10/ #1 Broken Object Level Authorization #3 Broken Object Property Level Authorization #5 Broken Function Level Authorization #2 Broken Authentication #6 Unrestricted Access to Sensitive Business Flows #8 Security Misconfiguration #4 Unrestricted Resource Consumption #7 Server Side Request Forgery #9 Improper Inventory Management #10 Unsafe Consumption of APIs
6 © Hitachi, Ltd. 2023. All rights reserved. Authorization in OWASP Top 10 API Security Risks There are various levels of Authorization. #1 Broken Object Level Authorization Must not allow user 101 to obtain user 102's resources. #3 Broken Object Property Level Authorization Must not allow a general user to change sensitive object properties like "rank". #5 Broken Function Level Authorization Must not allow a general user to call administrator function. User 101 GET /users/102 PUT /users/101 {"rank": "gold"} GET /admin/users/all
© Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 7 4. Advanced Challenge with OPA and CockroachDB
8 © Hitachi, Ltd. 2023. All rights reserved. The Simplest Authorization Implementation The simplest authorization implementation is implementing it in application logic. User GET /resources/{resourceId} if (user.isAdmin()) { // can access the protected resource }
9 © Hitachi, Ltd. 2023. All rights reserved. The Simplest Authorization Implementation The simplest authorization implementation is implementing it in application logic. User GET /resources/{resourceId} if (user.isAdmin() || (user.isFullTime() && user.isOwner(resource)) || group.isResourceManagement() || …) { // can access the protected resource } -> But, as the service grows, the authorization logic quickly gets difficult. Duplicate implementations are required in multiple places in the application logic for multiple services. -> Low scalability...
10 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management There is an approach to ensure scalability by managing roles in a hierarchical structure. resource service Resource User User Layer's Role Resource Layer's Role User 101 User 102 manag er director membe r full time perman ent adminis tration develo per admin user resource service role position role employment status role department role
11 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management There is an approach to ensure scalability by managing roles in a hierarchical structure. User GET /resources/{resourceId} if (user.hasRole("resource- service.admin")) { // can access the protected resource } -> Even if the authorization conditions change later, the change will be absorbed by the role hierarchy, reducing the impact on application logic. -> High scalability?
12 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management As the service grows, the number of roles increases and there is a risk of "Role Explosion". resource service xxx service yyy service Resource User User Layer's Role Resource Layer's Role User 101 User 102 User 103 manag er chief director membe r full time perman ent adminis tration sales develo per admin user admin user admin user resource service role xxx service role yyy service role position role employment status role department role
13 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management Furthermore, to authorize users by these roles, multiple services may need to store duplicate role data. -> In the end, low scalability… User GET /xxx PUT /yyy POST /zzz xxx service yyy service zzz service
14 © Hitachi, Ltd. 2023. All rights reserved. Ideal Scalable Authorization User GET /xxx PUT /yyy POST /zzz xxx service yyy service zzz service if (user.can($http_method, $uri)) { // can access the protected resource } To use the same application logic for multiple services and to eliminate duplicate data as much as possible. -> Separate authorization from app logic and Centralize authorization data.
© Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 15 4. Advanced Challenge with OPA and CockroachDB
16 © Hitachi, Ltd. 2023. All rights reserved. How to Separate Authorization from Application Logic To separate authorization from application logic, implementing authorization logic from scratch or using an external authorization service is necessary. • From scratch: If simple-purpose, from scratch, is better. However, it is difficult to achieve fine-grained authorization. • External service: Many services allow to definition of general-purpose policies to achieve fine-grained authorization. However, the more general-purpose policy definitions are made possible, the higher the learning costs for defining policies tend to be. • Here, I will introduce Keycloak's authorization service as a just-right-purpose authorization service. • Based on ABAC architecture, act as PDP. • Configure using GUI ( i.e. Low-code/No-code).
17 © Hitachi, Ltd. 2023. All rights reserved. Major features  Supporting standards. ex. OAuth 2.0, OpenID Connect 1.0, SAML v2, …  Connect to existing user stores. ex. LDAP, Active Directory, …  Login with social networks.  Policy-based authorization service. What is Keycloak • Keycloak is IAM (Identity and Access Management) OSS. • Keycloak provides OAuth 2.0 authorization server feature and single sign-on. • Keycloak became a CNCF incubating project this April. Supporting Standard Protocols Keycloak LDAP Active Directory RDB OpenID Connect 1.0 SAML v2 GitHub Twitter Facebook Identity Management Social Login OAuth 2.0
18 © Hitachi, Ltd. 2023. All rights reserved. Keycloak's Authorization Service User GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision Keycloak enables fine-grained authorization by Resource, Scope, Policy, and Permission management. • Resource: the protected resource • Scope: action that can be performed on resources • Policy: condition that must be satisfied to access or perform operations • Permission: coupling the policy with the protected resources and scopes
19 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision if (user.can($http_method, $uri)) { // can access the protected resource } Delegating authorization to Keycloak and getting an authorization decision previously required multiple API requests, but now you can get an authorization decision with just one API request. *enhanced in Keycloak 22 (PR#20237), committed by the speaker. <<delegate authorization>> POST /realms/{realm}/protocol/openid-connect/token HTTP/1.1 Host: keycloak.example.com Authorization: Bearer {access token} Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:uma- ticket&audience={client_id}&response_mode=decision&permiss ion={uri}#{scope}&permission_resource_format=uri <<authorization decision>> HTTP/1.1 200 OK Content-Type: application/json { "result": true }
20 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User 7. API request w/ access token xxx service Keycloak PEP PDP 8. delegate authorization w/ access token 9. authorization decision According to OAuth 2.0, the standard protocol for API authorization, the overall flow is as follows. Client 1. use 10. API response 3. user authentication/authorization 2. authorization request 5. token request 4. authorization response 6. token response (including access token) OAuth 2.0 Authorization Server
21 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User 7. API request w/ access token xxx service Keycloak PEP PDP 8. delegate authorization w/ access token 9. authorization decision According to OAuth 2.0, the standard protocol for API authorization, the overall flow is as follows. Client 1. use 10. API response 3. user authentication/authorization 2. authorization request 5. token request 4. authorization response 6. token response (including access token) OAuth 2.0 Authorization code grant (RFC6749) OAuth 2.0 Authenticated request (RFC6750) ABAC OAuth 2.0 Authorization Server
22 © Hitachi, Ltd. 2023. All rights reserved. cf. User-Managed Access (UMA) 2.0 Grant Keycloak is a UMA 2.0-compliant authorization server that provides most UMA capabilities. -> Resource owners can define permissions for their resources to third parties. -> More flexible authorization support is possible with various use cases! 3rd party GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision Resource owner define permission
© Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 23 4. Advanced Challenge with OPA and CockroachDB
24 © Hitachi, Ltd. 2023. All rights reserved. Centralized Authorization vs Distributed Authorization Advanced challenge that reducing the disadvantages of centralized authorization (using Keycloak) compared to distributed authorization at the edge of each service. Centralized Authorization Distributed Authorization Scalability/ Data Management ✔ • Multiple services do not need to store duplicate authorization data and authorization logic. ✘ • Multiple services need to store duplicate authorization data and authorization logic. Performance ✘ • Services need to access the centralized authorization service for every API request. ✔ • Services only need to access local authorization logic. Availability ✘ • When the centralized authorization service goes down, all services deny every API request. ✔ • Even if some services go down, the rest services go well using their local authorization logic. Consistency ✔ • Only the centralized authorization service makes authorization decisions so consistency is guaranteed. ✘ • Local authorization logics make authorization decisions individually so consistency is not guaranteed.
25 © Hitachi, Ltd. 2023. All rights reserved. Tackle Performance Challenge Fortunately, Keycloak is in CNCF family and can be built in local Kubernetes, communication to the centralized authorization service less has negative impact. -> When performance requirements are severe, Keycloak can be combined with OPA. User GET /xxx xxx service Keycloak PEP PAP delegate authorization authorization decision OPA MongoDB event notification save authorization data/ check authorization data PDP PIP
26 © Hitachi, Ltd. 2023. All rights reserved. Keycloak + OPA User GET /xxx xxx service Keycloak PEP PAP delegate authorization authorization decision OPA MongoDB event notification save authorization data/ check authorization data PDP PIP • Option-1: OPA as just a cache. Performance improvement can be expected by simply caching authorization decisions from Keycloak in sidecar OPA. Of course, there is a trade-off with consistency in authorization decisions. • Option-2: OPA as PDP. Moving the PDP functions to OPA and dedicating Keycloak to PAP (notifying policy update events, etc.) is possible, as shown below. Of course, OPA requires storing duplicate authorization information.
27 © Hitachi, Ltd. 2023. All rights reserved. Tackle Availability Challenge Combined with OPA, mentioned before, Keycloak resolves availability challenge to some extent. -> For mission-critical services that cannot stop, combined with CockroachDB, Keycloak can withstand regional failures and operate in multi-cloud environments. * Keycloak plans to support CockroachDB, but does not officially support it as of September 2023. Kubernetes Cluster A Kubernetes Cluster B Keycloak Keycloak Keycloak Keycloak CockroachDB CockroachDB CockroachDB Cluster
28 © Hitachi, Ltd. 2023. All rights reserved. Keycloak + CockroachDB Kubernetes Cluster B Keycloak Keycloak Keycloak Keycloak CockroachDB CockroachDB CockroachDB Cluster • Even in the event of regional failures or large-scale cloud failures, services can go well by changing the connection destination. User Kubernetes Cluster A
29 © Hitachi, Ltd. 2023. All rights reserved. Summary • Authorization is becoming more and more important to security considerations. -> Three of the top 5 security risks include "Authorization." • To achieve "Scalable" Authorization, separating authorization from application logic and centralizing authorization data is the keywords. • Centralized Authorization vs Distributed Authorization. -> Combined with OPA / CockroachDB, centralized authorization using Keycloak can improve performance / availability.
30 © Hitachi, Ltd. 2023. All rights reserved. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. • Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. • NGINX and NGINX Plus are registered trademarks of F5, inc. in the United States and other countries. • Twitter is a trademark or registered trademark of X Corp. in the United States and other countries. • Facebook is a trademark or registered trademark of Meta Platforms, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
© Hitachi, Ltd. 2023. All rights reserved. Yoshiyuki Tabata 11/07/2023 Hitachi, Ltd. OSS Solution Center END Challenge to Implementing “Scalable” Authorization with Keycloak 31
33 © Hitachi, Ltd. 2023. All rights reserved. QR CODE FOR FEEDBACK

Recommended

Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~
Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~
Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~NTT DATA OSS Professional Services
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationLaurentiu Meirosu
 
ストリーム処理を支えるキューイングシステムの選び方
ストリーム処理を支えるキューイングシステムの選び方ストリーム処理を支えるキューイングシステムの選び方
ストリーム処理を支えるキューイングシステムの選び方Yoshiyasu SAEKI
 
IBM Cloud: Direct Link Guide (Japanese)
IBM Cloud: Direct Link Guide (Japanese)IBM Cloud: Direct Link Guide (Japanese)
IBM Cloud: Direct Link Guide (Japanese)Tomoyuki Niijima
 
CloudFrontのリアルタイムログをKibanaで可視化しよう
CloudFrontのリアルタイムログをKibanaで可視化しようCloudFrontのリアルタイムログをKibanaで可視化しよう
CloudFrontのリアルタイムログをKibanaで可視化しようEiji KOMINAMI
 
Replacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusReplacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusNGINX, Inc.
 
Vue.js で XSS
Vue.js で XSSVue.js で XSS
Vue.js で XSStobaru_yuta
 
카프카, 산전수전 노하우
카프카, 산전수전 노하우카프카, 산전수전 노하우
카프카, 산전수전 노하우if kakao
 

Recommended

Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~
Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~
Apache Kafkaって本当に大丈夫?~故障検証のオーバービューと興味深い挙動の紹介~NTT DATA OSS Professional Services
 
MTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationMTLS - Securing Microservice Architecture with Mutual TLS Authentication
MTLS - Securing Microservice Architecture with Mutual TLS AuthenticationLaurentiu Meirosu
 
ストリーム処理を支えるキューイングシステムの選び方
ストリーム処理を支えるキューイングシステムの選び方ストリーム処理を支えるキューイングシステムの選び方
ストリーム処理を支えるキューイングシステムの選び方Yoshiyasu SAEKI
 
IBM Cloud: Direct Link Guide (Japanese)
IBM Cloud: Direct Link Guide (Japanese)IBM Cloud: Direct Link Guide (Japanese)
IBM Cloud: Direct Link Guide (Japanese)Tomoyuki Niijima
 
CloudFrontのリアルタイムログをKibanaで可視化しよう
CloudFrontのリアルタイムログをKibanaで可視化しようCloudFrontのリアルタイムログをKibanaで可視化しよう
CloudFrontのリアルタイムログをKibanaで可視化しようEiji KOMINAMI
 
Replacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusReplacing and Augmenting F5 BIG-IP with NGINX Plus
Replacing and Augmenting F5 BIG-IP with NGINX PlusNGINX, Inc.
 
Vue.js で XSS
Vue.js で XSSVue.js で XSS
Vue.js で XSStobaru_yuta
 
카프카, 산전수전 노하우
카프카, 산전수전 노하우카프카, 산전수전 노하우
카프카, 산전수전 노하우if kakao
 
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化Amazon Web Services Japan
 
이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0Jo Hoon
 
Jakarta EE 9 と これから
Jakarta EE 9 と これからJakarta EE 9 と これから
Jakarta EE 9 と これからKenji Kazumura
 
PostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read ScalabilityPostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read ScalabilityOhyama Masanori
 
ニワトリでもわかるECS入門
ニワトリでもわかるECS入門ニワトリでもわかるECS入門
ニワトリでもわかるECS入門Yoshiki Kobayashi
 
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)NTT DATA Technology & Innovation
 
AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料Rasmus Ekman
 
Oracle GoldenGate入門
Oracle GoldenGate入門Oracle GoldenGate入門
Oracle GoldenGate入門オラクルエンジニア通信
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with KubernetesArun Gupta
 
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)NTT DATA Technology & Innovation
 
Fargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころFargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころYuto Komai
 
ロードバランスへの長い道
ロードバランスへの長い道ロードバランスへの長い道
ロードバランスへの長い道Jun Kato
 
[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テスト[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テストTakahiro Moteki
 
20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndure20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndureAmazon Web Services Japan
 
基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャストNoritaka Sekiyama
 
AWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage GatewayAWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage GatewayAmazon Web Services Japan
 
いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方Hiroshi Tokumaru
 
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤Amazon Web Services Japan
 
AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門Amazon Web Services Japan
 
分散トレーシング技術について(Open tracingやjaeger)
分散トレーシング技術について(Open tracingやjaeger)分散トレーシング技術について(Open tracingやjaeger)
分散トレーシング技術について(Open tracingやjaeger)NTT Communications Technology Development
 
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 

More Related Content

What's hot

AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化Amazon Web Services Japan
 
이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0Jo Hoon
 
Jakarta EE 9 と これから
Jakarta EE 9 と これからJakarta EE 9 と これから
Jakarta EE 9 と これからKenji Kazumura
 
PostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read ScalabilityPostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read ScalabilityOhyama Masanori
 
ニワトリでもわかるECS入門
ニワトリでもわかるECS入門ニワトリでもわかるECS入門
ニワトリでもわかるECS入門Yoshiki Kobayashi
 
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)NTT DATA Technology & Innovation
 
AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料Rasmus Ekman
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with KubernetesArun Gupta
 
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)NTT DATA Technology & Innovation
 
Fargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころFargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころYuto Komai
 
ロードバランスへの長い道
ロードバランスへの長い道ロードバランスへの長い道
ロードバランスへの長い道Jun Kato
 
[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テスト[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テストTakahiro Moteki
 
20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndure20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndureAmazon Web Services Japan
 
基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャストNoritaka Sekiyama
 
AWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage GatewayAWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage GatewayAmazon Web Services Japan
 
いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方Hiroshi Tokumaru
 
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤Amazon Web Services Japan
 
AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門Amazon Web Services Japan
 

What's hot (20)

AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
AWS Lambdaによるデータ処理理の⾃自動化とコモディティ化
 
이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0이스티오 (Istio) 자습서 v0.5.0
이스티오 (Istio) 자습서 v0.5.0
 
Jakarta EE 9 と これから
Jakarta EE 9 と これからJakarta EE 9 と これから
Jakarta EE 9 と これから
 
PostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read ScalabilityPostgreSQL 9.5 CPU Read Scalability
PostgreSQL 9.5 CPU Read Scalability
 
ニワトリでもわかるECS入門
ニワトリでもわかるECS入門ニワトリでもわかるECS入門
ニワトリでもわかるECS入門
 
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
Grafana LokiではじめるKubernetesロギングハンズオン(NTT Tech Conference #4 ハンズオン資料)
 
AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料AWSでのバースト ― GP2 T2 ご紹介資料
AWSでのバースト ― GP2 T2 ご紹介資料
 
Oracle GoldenGate入門
Oracle GoldenGate入門Oracle GoldenGate入門
Oracle GoldenGate入門
 
Chaos Engineering with Kubernetes
Chaos Engineering with KubernetesChaos Engineering with Kubernetes
Chaos Engineering with Kubernetes
 
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
IAM Roles Anywhereのない世界とある世界(2022年のAWSアップデートを振り返ろう ~Season 4~ 発表資料)
 
Fargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころFargate起動歴1日の男が語る運用の勘どころ
Fargate起動歴1日の男が語る運用の勘どころ
 
ロードバランスへの長い道
ロードバランスへの長い道ロードバランスへの長い道
ロードバランスへの長い道
 
[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テスト[社内勉強会]ELBとALBと数万スパイク負荷テスト
[社内勉強会]ELBとALBと数万スパイク負荷テスト
 
20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndure20200811 AWS Black Belt Online Seminar CloudEndure
20200811 AWS Black Belt Online Seminar CloudEndure
 
基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト基礎から学ぶ? EC2マルチキャスト
基礎から学ぶ? EC2マルチキャスト
 
AWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage GatewayAWS Black Belt Online Seminar 2017 AWS Storage Gateway
AWS Black Belt Online Seminar 2017 AWS Storage Gateway
 
いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方いまさら聞けないパスワードの取り扱い方
いまさら聞けないパスワードの取り扱い方
 
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
Kinesis + Elasticsearchでつくるさいきょうのログ分析基盤
 
AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門AWS初心者向けWebinar AWSとのネットワーク接続入門
AWS初心者向けWebinar AWSとのネットワーク接続入門
 
分散トレーシング技術について(Open tracingやjaeger)
分散トレーシング技術について(Open tracingやjaeger)分散トレーシング技術について(Open tracingやjaeger)
分散トレーシング技術について(Open tracingやjaeger)
 

Similar to Challenge to Implementing "Scalable" Authorization with Keycloak

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...APIsecure_ Official
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Hitachi, Ltd. OSS Solution Center.
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudRevelation Technologies
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Hitachi, Ltd. OSS Solution Center.
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud finalsapenov
 
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...Peter Selch Dahl
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...UiPathCommunity
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack ArchitectureMirantis
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellCA API Management
 
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management SolutionsSC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management SolutionsFredBrandonAuthorMCP
 
Attribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityAttribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityMphasis
 
Automating Security Management in PBCS!
Automating Security Management in PBCS!Automating Security Management in PBCS!
Automating Security Management in PBCS!Dayalan Punniyamoorthy
 
API Design Principles Essential 
API Design Principles Essential API Design Principles Essential 
API Design Principles Essential Oracle Korea
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Hitachi, Ltd. OSS Solution Center.
 
Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015Shravan (Sean) Pabba
 
KeyRock and Wilma - Openstack-based Identity Management in FIWARE
KeyRock and Wilma - Openstack-based Identity Management in FIWAREKeyRock and Wilma - Openstack-based Identity Management in FIWARE
KeyRock and Wilma - Openstack-based Identity Management in FIWAREÁlvaro Alonso González
 

Similar to Challenge to Implementing "Scalable" Authorization with Keycloak (20)

2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
2022 APIsecure_Why Assertion-based Access Token is preferred to Handle-based ...
 
Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?Why Assertion-based Access Token is preferred to Handle-based one?
Why Assertion-based Access Token is preferred to Handle-based one?
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the CloudGetting Started with API Management – Why It's Needed On-prem and in the Cloud
Getting Started with API Management – Why It's Needed On-prem and in the Cloud
 
An Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache KnoxAn Approach for Multi-Tenancy Through Apache Knox
An Approach for Multi-Tenancy Through Apache Knox
 
Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...Guide of authentication and authorization for cloud native applications with ...
Guide of authentication and authorization for cloud native applications with ...
 
Should healthcare abandon the cloud final
Should healthcare abandon the cloud finalShould healthcare abandon the cloud final
Should healthcare abandon the cloud final
 
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
CoLabora March 2022 - Improve security posture by implementing new Azure AD ...
 
Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...Dev Dives: Master advanced authentication and performance in Productivity Act...
Dev Dives: Master advanced authentication and performance in Productivity Act...
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OpenStack Architecture
OpenStack ArchitectureOpenStack Architecture
OpenStack Architecture
 
OAuth in the Real World featuring Webshell
OAuth in the Real World featuring WebshellOAuth in the Real World featuring Webshell
OAuth in the Real World featuring Webshell
 
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management SolutionsSC-900 Capabilities of Microsoft Identity and Access Management Solutions
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
 
KubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdfKubeConRecap_nakamura.pdf
KubeConRecap_nakamura.pdf
 
Attribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud SecurityAttribute-Based Encryption for Cloud Security
Attribute-Based Encryption for Cloud Security
 
Automating Security Management in PBCS!
Automating Security Management in PBCS!Automating Security Management in PBCS!
Automating Security Management in PBCS!
 
API Design Principles Essential 
API Design Principles Essential API Design Principles Essential 
API Design Principles Essential 
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 
Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015Hadoop security @ Philly Hadoop Meetup May 2015
Hadoop security @ Philly Hadoop Meetup May 2015
 
KeyRock and Wilma - Openstack-based Identity Management in FIWARE
KeyRock and Wilma - Openstack-based Identity Management in FIWAREKeyRock and Wilma - Openstack-based Identity Management in FIWARE
KeyRock and Wilma - Openstack-based Identity Management in FIWARE
 

More from Hitachi, Ltd. OSS Solution Center.

KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みHitachi, Ltd. OSS Solution Center.
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...Hitachi, Ltd. OSS Solution Center.
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可Hitachi, Ltd. OSS Solution Center.
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Hitachi, Ltd. OSS Solution Center.
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するHitachi, Ltd. OSS Solution Center.
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...Hitachi, Ltd. OSS Solution Center.
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Hitachi, Ltd. OSS Solution Center.
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Hitachi, Ltd. OSS Solution Center.
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~Hitachi, Ltd. OSS Solution Center.
 

More from Hitachi, Ltd. OSS Solution Center. (20)

KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩みKeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
KeycloakのCNCF incubating project入りまでのアップストリーム活動の歩み
 
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
KubeCon NA 2023 Recap: Challenge to Implementing “Scalable” Authorization wit...
 
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
パスキーでリードする: NGINXとKeycloakによる効率的な認証・認可
 
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
Keycloakの全体像: 基本概念、ユースケース、そして最新の開発動向
 
NGINXでの認可について考える
NGINXでの認可について考えるNGINXでの認可について考える
NGINXでの認可について考える
 
Security Considerations for API Gateway Aggregation
Security Considerations for API Gateway AggregationSecurity Considerations for API Gateway Aggregation
Security Considerations for API Gateway Aggregation
 
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開するKeycloakでFAPIに対応した高セキュリティなAPIを公開する
KeycloakでFAPIに対応した高セキュリティなAPIを公開する
 
IDガバナンス&管理の基礎
IDガバナンス&管理の基礎IDガバナンス&管理の基礎
IDガバナンス&管理の基礎
 
Keycloakのステップアップ認証について
Keycloakのステップアップ認証についてKeycloakのステップアップ認証について
Keycloakのステップアップ認証について
 
NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話NGINXをBFF (Backend for Frontend)として利用した話
NGINXをBFF (Backend for Frontend)として利用した話
 
KeycloakでAPI認可に入門する
KeycloakでAPI認可に入門するKeycloakでAPI認可に入門する
KeycloakでAPI認可に入門する
 
What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...What API Specifications and Tools Help Engineers to Construct a High-Security...
What API Specifications and Tools Help Engineers to Construct a High-Security...
 
Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...Implementing security and availability requirements for banking API system us...
Implementing security and availability requirements for banking API system us...
 
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
Overall pictures of Identity provider mix-up attack patterns and trade-offs b...
 
Apache con@home 2021_sha
Apache con@home 2021_shaApache con@home 2021_sha
Apache con@home 2021_sha
 
Node-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using ElectronNode-RED Installer, Standalone Installer using Electron
Node-RED Installer, Standalone Installer using Electron
 
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順Hacktoberfest 概要、Node-REDプロジェクト貢献手順
Hacktoberfest 概要、Node-REDプロジェクト貢献手順
 
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
最近のKeycloakのご紹介 ~クライアントポリシーとFAPI~
 
Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介Node-RED v2.0新機能紹介
Node-RED v2.0新機能紹介
 
Node-REDからREST APIに接続
Node-REDからREST APIに接続Node-REDからREST APIに接続
Node-REDからREST APIに接続
 

Recently uploaded

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

Challenge to Implementing "Scalable" Authorization with Keycloak

  • 1. © Hitachi, Ltd. 2023. All rights reserved. Challenge to Implementing “Scalable” Authorization with Keycloak KUBECON + CLOUDNATIVECON NA 2023 Hitachi, Ltd. OSS Solution Center 11/07/2023 Yoshiyuki Tabata
  • 2. 1 © Hitachi, Ltd. 2023. All rights reserved. About the speaker • Specialist in API authorization  Consulting for API management infrastructure and authentication/authorization systems in the financial, public, social, and industrial fields • Contributor to OSS related to authentication, authorization, and API management  Keycloak (IAM OSS)  3scale (API management OSS) • Other activities  Speaker at events such as Apidays, API Specifications Conference, OAuth Security Workshop, etc.  Author of Keycloak books (Japanese) and writer of web articles about IAM (Japanese) Yoshiyuki Tabata  Senior OSS Consultant  Hitachi, Ltd.  GitHub: @y-tabata  CNCF Ambassador
  • 3. © Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 2 4. Advanced Challenge with OPA and CockroachDB
  • 4. © Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 3 4. Advanced Challenge with OPA and CockroachDB
  • 5. 4 © Hitachi, Ltd. 2023. All rights reserved. What is Authorization • Authorization is different from Authentication. • Authentication is the process of verifying an entity's identity. • Authenticated does not mean Authorized to access all resources. • Authentication is not always required for accessing resources, there are public resources that can be accessed without Authentication. Authorization is the process of verifying that a requested action or service is approved for a specific entity. (according to NIST Glossary)
  • 6. 5 © Hitachi, Ltd. 2023. All rights reserved. Authorization in OWASP Top 10 API Security Risks Three of the top 5 security risks include the word "Authorization". * OWASP Top 10 API Security Risks - 2023 https://owasp.org/API-Security/editions/2023/en/0x11-t10/ #1 Broken Object Level Authorization #3 Broken Object Property Level Authorization #5 Broken Function Level Authorization #2 Broken Authentication #6 Unrestricted Access to Sensitive Business Flows #8 Security Misconfiguration #4 Unrestricted Resource Consumption #7 Server Side Request Forgery #9 Improper Inventory Management #10 Unsafe Consumption of APIs
  • 7. 6 © Hitachi, Ltd. 2023. All rights reserved. Authorization in OWASP Top 10 API Security Risks There are various levels of Authorization. #1 Broken Object Level Authorization Must not allow user 101 to obtain user 102's resources. #3 Broken Object Property Level Authorization Must not allow a general user to change sensitive object properties like "rank". #5 Broken Function Level Authorization Must not allow a general user to call administrator function. User 101 GET /users/102 PUT /users/101 {"rank": "gold"} GET /admin/users/all
  • 8. © Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 7 4. Advanced Challenge with OPA and CockroachDB
  • 9. 8 © Hitachi, Ltd. 2023. All rights reserved. The Simplest Authorization Implementation The simplest authorization implementation is implementing it in application logic. User GET /resources/{resourceId} if (user.isAdmin()) { // can access the protected resource }
  • 10. 9 © Hitachi, Ltd. 2023. All rights reserved. The Simplest Authorization Implementation The simplest authorization implementation is implementing it in application logic. User GET /resources/{resourceId} if (user.isAdmin() || (user.isFullTime() && user.isOwner(resource)) || group.isResourceManagement() || …) { // can access the protected resource } -> But, as the service grows, the authorization logic quickly gets difficult. Duplicate implementations are required in multiple places in the application logic for multiple services. -> Low scalability...
  • 11. 10 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management There is an approach to ensure scalability by managing roles in a hierarchical structure. resource service Resource User User Layer's Role Resource Layer's Role User 101 User 102 manag er director membe r full time perman ent adminis tration develo per admin user resource service role position role employment status role department role
  • 12. 11 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management There is an approach to ensure scalability by managing roles in a hierarchical structure. User GET /resources/{resourceId} if (user.hasRole("resource- service.admin")) { // can access the protected resource } -> Even if the authorization conditions change later, the change will be absorbed by the role hierarchy, reducing the impact on application logic. -> High scalability?
  • 13. 12 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management As the service grows, the number of roles increases and there is a risk of "Role Explosion". resource service xxx service yyy service Resource User User Layer's Role Resource Layer's Role User 101 User 102 User 103 manag er chief director membe r full time perman ent adminis tration sales develo per admin user admin user admin user resource service role xxx service role yyy service role position role employment status role department role
  • 14. 13 © Hitachi, Ltd. 2023. All rights reserved. Role Hierarchy Management Furthermore, to authorize users by these roles, multiple services may need to store duplicate role data. -> In the end, low scalability… User GET /xxx PUT /yyy POST /zzz xxx service yyy service zzz service
  • 15. 14 © Hitachi, Ltd. 2023. All rights reserved. Ideal Scalable Authorization User GET /xxx PUT /yyy POST /zzz xxx service yyy service zzz service if (user.can($http_method, $uri)) { // can access the protected resource } To use the same application logic for multiple services and to eliminate duplicate data as much as possible. -> Separate authorization from app logic and Centralize authorization data.
  • 16. © Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 15 4. Advanced Challenge with OPA and CockroachDB
  • 17. 16 © Hitachi, Ltd. 2023. All rights reserved. How to Separate Authorization from Application Logic To separate authorization from application logic, implementing authorization logic from scratch or using an external authorization service is necessary. • From scratch: If simple-purpose, from scratch, is better. However, it is difficult to achieve fine-grained authorization. • External service: Many services allow to definition of general-purpose policies to achieve fine-grained authorization. However, the more general-purpose policy definitions are made possible, the higher the learning costs for defining policies tend to be. • Here, I will introduce Keycloak's authorization service as a just-right-purpose authorization service. • Based on ABAC architecture, act as PDP. • Configure using GUI ( i.e. Low-code/No-code).
  • 18. 17 © Hitachi, Ltd. 2023. All rights reserved. Major features  Supporting standards. ex. OAuth 2.0, OpenID Connect 1.0, SAML v2, …  Connect to existing user stores. ex. LDAP, Active Directory, …  Login with social networks.  Policy-based authorization service. What is Keycloak • Keycloak is IAM (Identity and Access Management) OSS. • Keycloak provides OAuth 2.0 authorization server feature and single sign-on. • Keycloak became a CNCF incubating project this April. Supporting Standard Protocols Keycloak LDAP Active Directory RDB OpenID Connect 1.0 SAML v2 GitHub Twitter Facebook Identity Management Social Login OAuth 2.0
  • 19. 18 © Hitachi, Ltd. 2023. All rights reserved. Keycloak's Authorization Service User GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision Keycloak enables fine-grained authorization by Resource, Scope, Policy, and Permission management. • Resource: the protected resource • Scope: action that can be performed on resources • Policy: condition that must be satisfied to access or perform operations • Permission: coupling the policy with the protected resources and scopes
  • 20. 19 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision if (user.can($http_method, $uri)) { // can access the protected resource } Delegating authorization to Keycloak and getting an authorization decision previously required multiple API requests, but now you can get an authorization decision with just one API request. *enhanced in Keycloak 22 (PR#20237), committed by the speaker. <<delegate authorization>> POST /realms/{realm}/protocol/openid-connect/token HTTP/1.1 Host: keycloak.example.com Authorization: Bearer {access token} Content-Type: application/x-www-form-urlencoded grant_type=urn:ietf:params:oauth:grant-type:uma- ticket&audience={client_id}&response_mode=decision&permiss ion={uri}#{scope}&permission_resource_format=uri <<authorization decision>> HTTP/1.1 200 OK Content-Type: application/json { "result": true }
  • 21. 20 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User 7. API request w/ access token xxx service Keycloak PEP PDP 8. delegate authorization w/ access token 9. authorization decision According to OAuth 2.0, the standard protocol for API authorization, the overall flow is as follows. Client 1. use 10. API response 3. user authentication/authorization 2. authorization request 5. token request 4. authorization response 6. token response (including access token) OAuth 2.0 Authorization Server
  • 22. 21 © Hitachi, Ltd. 2023. All rights reserved. Scalable Authorization w/ Keycloak's Authorization Service User 7. API request w/ access token xxx service Keycloak PEP PDP 8. delegate authorization w/ access token 9. authorization decision According to OAuth 2.0, the standard protocol for API authorization, the overall flow is as follows. Client 1. use 10. API response 3. user authentication/authorization 2. authorization request 5. token request 4. authorization response 6. token response (including access token) OAuth 2.0 Authorization code grant (RFC6749) OAuth 2.0 Authenticated request (RFC6750) ABAC OAuth 2.0 Authorization Server
  • 23. 22 © Hitachi, Ltd. 2023. All rights reserved. cf. User-Managed Access (UMA) 2.0 Grant Keycloak is a UMA 2.0-compliant authorization server that provides most UMA capabilities. -> Resource owners can define permissions for their resources to third parties. -> More flexible authorization support is possible with various use cases! 3rd party GET /xxx xxx service Keycloak PEP PDP delegate authorization authorization decision Resource owner define permission
  • 24. © Hitachi, Ltd. 2023. All rights reserved. 1. Importance of Authorization 2. What is "Scalable" Authorization 3. How to Implement Scalable Authorization with Keycloak Contents 23 4. Advanced Challenge with OPA and CockroachDB
  • 25. 24 © Hitachi, Ltd. 2023. All rights reserved. Centralized Authorization vs Distributed Authorization Advanced challenge that reducing the disadvantages of centralized authorization (using Keycloak) compared to distributed authorization at the edge of each service. Centralized Authorization Distributed Authorization Scalability/ Data Management ✔ • Multiple services do not need to store duplicate authorization data and authorization logic. ✘ • Multiple services need to store duplicate authorization data and authorization logic. Performance ✘ • Services need to access the centralized authorization service for every API request. ✔ • Services only need to access local authorization logic. Availability ✘ • When the centralized authorization service goes down, all services deny every API request. ✔ • Even if some services go down, the rest services go well using their local authorization logic. Consistency ✔ • Only the centralized authorization service makes authorization decisions so consistency is guaranteed. ✘ • Local authorization logics make authorization decisions individually so consistency is not guaranteed.
  • 26. 25 © Hitachi, Ltd. 2023. All rights reserved. Tackle Performance Challenge Fortunately, Keycloak is in CNCF family and can be built in local Kubernetes, communication to the centralized authorization service less has negative impact. -> When performance requirements are severe, Keycloak can be combined with OPA. User GET /xxx xxx service Keycloak PEP PAP delegate authorization authorization decision OPA MongoDB event notification save authorization data/ check authorization data PDP PIP
  • 27. 26 © Hitachi, Ltd. 2023. All rights reserved. Keycloak + OPA User GET /xxx xxx service Keycloak PEP PAP delegate authorization authorization decision OPA MongoDB event notification save authorization data/ check authorization data PDP PIP • Option-1: OPA as just a cache. Performance improvement can be expected by simply caching authorization decisions from Keycloak in sidecar OPA. Of course, there is a trade-off with consistency in authorization decisions. • Option-2: OPA as PDP. Moving the PDP functions to OPA and dedicating Keycloak to PAP (notifying policy update events, etc.) is possible, as shown below. Of course, OPA requires storing duplicate authorization information.
  • 28. 27 © Hitachi, Ltd. 2023. All rights reserved. Tackle Availability Challenge Combined with OPA, mentioned before, Keycloak resolves availability challenge to some extent. -> For mission-critical services that cannot stop, combined with CockroachDB, Keycloak can withstand regional failures and operate in multi-cloud environments. * Keycloak plans to support CockroachDB, but does not officially support it as of September 2023. Kubernetes Cluster A Kubernetes Cluster B Keycloak Keycloak Keycloak Keycloak CockroachDB CockroachDB CockroachDB Cluster
  • 29. 28 © Hitachi, Ltd. 2023. All rights reserved. Keycloak + CockroachDB Kubernetes Cluster B Keycloak Keycloak Keycloak Keycloak CockroachDB CockroachDB CockroachDB Cluster • Even in the event of regional failures or large-scale cloud failures, services can go well by changing the connection destination. User Kubernetes Cluster A
  • 30. 29 © Hitachi, Ltd. 2023. All rights reserved. Summary • Authorization is becoming more and more important to security considerations. -> Three of the top 5 security risks include "Authorization." • To achieve "Scalable" Authorization, separating authorization from application logic and centralizing authorization data is the keywords. • Centralized Authorization vs Distributed Authorization. -> Combined with OPA / CockroachDB, centralized authorization using Keycloak can improve performance / availability.
  • 31. 30 © Hitachi, Ltd. 2023. All rights reserved. Trademarks • OpenID is a trademark or registered trademark of OpenID Foundation in the United States and other countries. • GitHub is a trademark or registered trademark of GitHub, Inc. in the United States and other countries. • Red Hat is a registered trademark of Red Hat, Inc. in the United States and other countries. • NGINX and NGINX Plus are registered trademarks of F5, inc. in the United States and other countries. • Twitter is a trademark or registered trademark of X Corp. in the United States and other countries. • Facebook is a trademark or registered trademark of Meta Platforms, Inc. in the United States and other countries. • Other brand names and product names used in this material are trademarks, registered trademarks, or trade names of their respective holders.
  • 32. © Hitachi, Ltd. 2023. All rights reserved. Yoshiyuki Tabata 11/07/2023 Hitachi, Ltd. OSS Solution Center END Challenge to Implementing “Scalable” Authorization with Keycloak 31
  • 33.
  • 34. 33 © Hitachi, Ltd. 2023. All rights reserved. QR CODE FOR FEEDBACK