Identity Management with Thomas Darimont eurodata AG
29.03.2017
Thomas Darimont @thomasdarimont @jugsaar
● Software Architect @ eurodata AG
● Spring Team Alumni
● 14+ Years in the Industry
● Open Source Enthusiast
● Java User Group Saarland Organizer
The Journey
● Identity Management
● Keycloak
● Securing Applications
● Keycloak Extensions
Identity Management
Identity and Access Management
Identity and Access Management (IAM)
Identity Management (IdM)
● Identity Proofing
● Creation
● Maintenance
● Identity Resolution
● Deactivation
Access Management (AM)
● Policy Administration
● Entitlement Management
● Provisioning
● Authentication (AuthN)
● Authorization (AuthZ)
Typical Requirements of an Identity Management System
● Support for Single Sign-on
● State of the Art Standards
● Good Performance and Robustness
● Support for Web, Mobile and Desktop Apps
● Support for User Management
● Support for Multi-Tenancy
● Good Documentation & Support
● Extensible, Customizable
● ...
Keycloak
Keycloak Project
● Open Source Identity and Access Management Solution
  ○ JBoss Developers (Red Hat)
  ○ > 4 years, Release every 6 Weeks
  ○ Current Version 3.0.0.Final
● Vital Community
  ○ 165 Contributors, 700+ Forks
  ○ Active User and Developer Mailing Lists
● Commercial Offering Red Hat SSO available
  ○ RH-SSO based on Open Source version
  ○ Support & Additional Patches
http://www.keycloak.org
Keycloak Features
● Single Sign-on and Single Logout
● Flexible Authentication and Authorization
● Multi-Factor Authentication
● Standard Protocols: OAuth 2.0, OpenID Connect 1.0, SAML 2.0
● Social Login
● Provides centralized User Management
● Supports Directory Services
● Customizable and Extensible
● Clusterable self-hosted solution
● Easy Setup and Integration
Keycloak Main Concepts
Keycloak Admin Console
DEMO: Admin Console Login
Technology Stack for Keycloak 2.x / 3.0
Admin Console (talks to the Auth Server over HTTP(S))
● Angular JS (1.4.4)
● PatternFly
● Bootstrap
Auth Server
● JAX-RS (Resteasy)
● Commons HTTP Client
● Freemarker
● Jackson 2.0
● JPA (Hibernate)
● Infinispan (JGroups)
● JBoss Logging
● Apache Directory API
● Wildfly 10.1.x.Final
Anatomy of a Keycloak Server
[Architecture diagram; components shown:]
● HTTP endpoints: Account Frontend, Login Frontend, Admin Console, Admin REST API (used by the Admin CLI and the Admin Client)
● Realm: Clients, Users, AuthN, AuthZ, Policies, ...; Protocol Mappers; Events (Log)
● SSO Protocols: OIDC and SAML, used by Keycloak Web SSO, client-side web apps and mobile apps
● User Federation: Directory Service via LDAP(S), Active Directory, Kerberos
● Identity Brokering: Social Login via OIDC/SAML Identity Providers (Google, Facebook, ...)
● User Storage: JPA / Database
● Clustering: Keycloak 1 and Keycloak 2 replicate Users, Sessions, Keys, Realms, ... via Infinispan
Single Sign-on Protocols
● OpenID Connect 1.0
  ○ Authentication protocol based on OAuth 2.0
  ○ Uses JSON Web Tokens (JWT)
  ○ Recommended for Mobile and Web Applications
  ○ Requires communication over a secure channel (HTTPS/TLS)
● SAML 2.0 (Security Assertion Markup Language)
  ○ XML-based authentication protocol
  ○ Uses XML signature and encryption
  ○ Very mature standard
  ○ Common in enterprise environments
Keycloak Standard Flow → OAuth 2.0 Authorization Code Flow
[Sequence diagram; participants: User (Browser), Web App (confidential client), Keycloak Auth Server, stateless REST Service (bearer-only client)]
1. Unauthenticated User accesses Web App
2. Web App redirects User to Keycloak for Login
  2.1 User submits Credentials to Keycloak
  2.2 Keycloak validates User Credentials
3. Keycloak redirects User with Code to Web App
4. Web App exchanges Code for Tokens with Keycloak on a separate channel
5. Web App uses Token to access Backend Service on the user's behalf
Keycloak Tokens
● Signed self-contained JSON Web Token
● Contains User information + Metadata
● Issued by Keycloak
● Tokens verified by Client
  ○ Offline: signature verified with Public Key
  ○ Online: via /token_introspection_endpoint
● Multiple Token Types
  ○ AccessToken: short-lived (Minutes), used for accessing a Resource
  ○ RefreshToken: long-lived (Days), used for requesting new Tokens
  ○ IDToken: contains information about the User (OpenID Connect)
JSON Web Token
https://jwt.io
Keycloak JWT Example
Keycloak Client Integration
Keycloak Integration Options
Keycloak Integrations
● OpenID Connect Adapters
  ○ Spring Security, Spring Boot, ServletFilter, Tomcat, Jetty, Undertow, Wildfly, JBoss EAP, JAAS, …
  ○ NodeJS, JavaScript, Angular, AngularJS, Aurelia, ...
● SAML Adapters
  ○ ServletFilter, Tomcat, Jetty, Wildfly
● Keycloak Proxy
  ○ Reverse Proxy - injects auth info into HTTP headers
Generic Integrations
● Apache Modules
  ○ mod_auth_openidc for OpenID Connect
  ○ mod_auth_mellon for SAML
● Other Languages and Frameworks
  ○ Certified OpenID Connect Implementations
  ○ SAML Interoperable Implementations, Tools, Libraries and Services
Keycloak Demo Securing Apps
Steps for Securing Java Applications with Keycloak
Keycloak
● Create Client
● Configure Client: Protocol, Access, OAuth, URLs, Roles, Scopes, Mappers
● Export Client Configuration (keycloak.json)
● Create User, Grant Roles
Application
● Add Keycloak Adapter dependency
● Configure Keycloak Adapter
  ○ Add keycloak.json
  ○ Adapter Options for additional configuration
● Define Protected Endpoints
● Run App!
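The exported keycloak.json from the steps above is what the adapter reads; the following added example (not from the slides or the Keycloak project) loads such a file and checks the settings that decide how safely the adapter talks to Keycloak. The sample file content is constructed; the keys used (`realm`, `auth-server-url`, `ssl-required`, `resource`, `public-client`, `bearer-only`, `credentials.secret`) are standard adapter settings, and the checks themselves are this example's own rules.

```javascript
// Added example (not from the slides or the Keycloak project): load a
// keycloak.json adapter configuration and flag settings that weaken it.
// The sample file below is constructed for this example.
const sampleKeycloakJson = JSON.stringify({
  realm: 'demo',
  'auth-server-url': 'https://sso.example.test/auth',   // hypothetical server
  'ssl-required': 'external',
  resource: 'petclinic',                                 // the client id
  'public-client': false,
  credentials: { secret: 'constructed-client-secret' },
});

function loadAdapterConfig(jsonText) {
  const cfg = JSON.parse(jsonText);
  const problems = [];
  for (const key of ['realm', 'auth-server-url', 'resource']) {
    if (!cfg[key]) problems.push(`missing required setting "${key}"`);
  }
  const isPublic = cfg['public-client'] === true;
  const isBearerOnly = cfg['bearer-only'] === true;
  const hasSecret = Boolean(cfg.credentials && cfg.credentials.secret);
  // A confidential client (the Web App in the standard flow) authenticates to
  // the token endpoint with its secret; a public client has none and must not
  // ship one, since everything in a public client is readable by its users.
  if (!isPublic && !isBearerOnly && !hasSecret) problems.push('confidential client without credentials.secret');
  if (isPublic && hasSecret) problems.push('public client must not carry a secret');
  if (isPublic && isBearerOnly) problems.push('"public-client" and "bearer-only" are mutually exclusive');
  // "ssl-required": "none" lets the adapter talk to Keycloak over plain HTTP,
  // although OpenID Connect requires a TLS-protected channel.
  if (cfg['ssl-required'] === 'none') problems.push('"ssl-required": "none" disables the HTTPS requirement');
  if (cfg['ssl-required'] === 'all' && /^http:/.test(cfg['auth-server-url'] || '')) {
    problems.push('"ssl-required": "all" contradicts a plain-http auth-server-url');
  }
  return { config: cfg, problems };
}

// Constructed counter-example: the same client exported as a public client
// that still carries a secret and has the HTTPS requirement switched off.
const weakKeycloakJson = JSON.stringify({
  realm: 'demo',
  'auth-server-url': 'http://sso.example.test/auth',
  'ssl-required': 'none',
  resource: 'petclinic',
  'public-client': true,
  credentials: { secret: 'constructed-client-secret' },
});
```

Run `loadAdapterConfig(sampleKeycloakJson).problems` to get an empty list and `loadAdapterConfig(weakKeycloakJson).problems` to get the two findings; a build step that fails on a non-empty list keeps a weakened export from reaching production.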
Keycloak Demo Securing Apps
Java EE 7 Petclinic
● Java EE 7 Web Application based on JSF, JAX-RS, JPA, Wildfly 10.0
● Integration via keycloak-servlet-filter-adapter
● https://github.com/thomasdarimont/javaee7-petclinic
Keycloak Demo Securing Apps: Before
Keycloak Demo Securing Apps: After
http://apps.tdlabs.local:8080/
Keycloak Extension Points
Keycloak Extension Points
● via Service Provider Interfaces
● Custom Authentication Mechanisms
● Custom “Required Actions”
● Custom User Storage (JDBC, REST, etc.)
● Event Listener (Provisioning, JMS)
● Credential Hashing Mechanisms
● Custom REST Endpoints (Health Checks!)
● Custom Persistent Entities
● Custom Themes
● … many more
Keycloak Extensions: BeerCloak
https://github.com/dteleguin/beercloak
Custom Dashboard Extension
Please vote :) https://issues.jboss.org/browse/KEYCLOAK-1840
Keycloak Extensions Example
Some Missing Features
Keycloak already provides a lot out of the box, but…
● Analyzing events in the Admin Console is tedious and very limited
● Events don’t contain enough information
● No hooks to notify other applications about changes
Needed to extend Keycloak with...
● Custom EventListener that enriches and forwards events via JMS
● Integrated GELF Logging Appender to ship logs to Graylog Log Server
● See https://github.com/jugsaar/visit-yajug-20161023-keycloak
Keycloak Extensions Example Docker Environment
[Dataflow diagram; components shown:]
● Applications: Token Demo (JavaScript), Petclinic (Java EE), Greeting Service (Spring Boot)
● sso.tdlabs.local: WAF, SSL Termination, Load Balancer, forwarding HTTP to Keycloak
● Keycloak → Postgres via JDBC
● Keycloak → Active MQ via JMS (Provisioning Messages)
● Keycloak → Graylog via UDP / GELF (Log Monitoring, Alerts, Dashboards)
Keycloak Extensions Demo
Keycloak Tips
● Keep your JSON Web Tokens small
  ○ HTTP header limits!
  ○ Only put in the token what you really need (Full Scope Allowed = off)
● Realm-scoped Admin Console
  ○ http://kc-host:8080/auth/admin/my-realm/console
  ○ Admin users need permissions for realm-management in my-realm
● Keycloak Admin CLI
  ○ Blog Post
  ○ $KEYCLOAK_HOME/bin/kcadm.sh create users -r javaland -s username=bubu
● Secure your Keycloak endpoints!
  ○ Keycloak exposes some “hidden” endpoints by default on server AND client!
  ○ Lock down /admin
● Inspect other Keycloak instances to learn what to hide
  ○ Google search for Keycloak endpoints
  ○ Shodan search for Keycloak
Summary
● Easy to get started
  ○ unzip & run
● Provides many features out of the box
  ○ SSO, Social Login, Federation, User Management, ...
● Builds on proven and robust standards
  ○ OAuth 2.0, OpenID Connect 1.0, SAML 2.0
● Very extensible and easy to integrate
  ○ Many extension points & customization options
● A pivotal part of an Identity Management infrastructure
THANKS!
Links
● Keycloak Website
● Keycloak Docs
● Keycloak REST API
● Keycloak Blog
● Keycloak User Mailing List
● Keycloak Developer Mailing List
● JSON Web Tokens
● Awesome Keycloak
● Keycloak Dockerized Examples