How to secure your Microservices with Keycloak @ VoxxedDays Zürich 2019

Keycloak provides Single Sign-On based on widely used protocols such as OpenID Connect 1.0, OAuth 2.0 and SAML 2.0 that are easy to integrate with your own applications. Keycloak comes with many batteries included, e.g. user management, user registration, two-factor authentication, support for external identity providers such as Google, Facebook and Twitter, custom look-and-feel, and integration with directory services like LDAP, Kerberos or Active Directory. Additionally, Keycloak offers a comprehensive extension model that makes it easy to adapt it to your own needs.

After a short overview of Keycloak features, we will introduce some core concepts with a guided tour through Keycloak's Admin UI. We then take an in-depth look at an OAuth / OpenID Connect based authentication flow. After those foundations are set, we will demonstrate possibilities for integrating Keycloak in selected authentication scenarios. We conclude the talk with a brief demo of a centralized identity management infrastructure built around Keycloak.

Thomas Darimont

March 19, 2019

Transcript

  1. Thomas Darimont
    • Fellow
    • Spring Data Team Alumni
    • Open Source Enthusiast
    • Organizer Java User Group Saarland
    • Keycloak Contributor for over 3 years
  2. Project
    • Open Source Identity and Access Management
    • Red Hat Developers, Apache Licensed
    • Versions 4.8.3.Final, 5.0.0.Final; a new release roughly every 6 weeks
    • Available as Commercial Offering: Red Hat SSO
    • Started in 2013, broad adoption since 2015
    • Vital Community: 300+ Contributors, 1.700+ Forks
    • Very robust, good documentation, many examples
  3. Features
    • Single Sign-on and Single Sign-out
    • Flexible Authentication and Authorization
    • Standard Protocols: OAuth 2.0, OIDC 1.0, SAML 2.0, Docker Auth
    • Multi-Factor Authentication: One-time Password
    • Social Login: Google, Facebook, Twitter, ...
    • Provides centralized User Management
    • Supports Directory Services
    • Customizable and Extensible
    • Easy Setup and Integration
  4. Technology Stack (4.8.3.RELEASE)
    Admin Console
    • Angular JS (1.6.10)
    • PatternFly
    • Bootstrap
    Keycloak Server
    • Wildfly 14.0.1.x
    • JAX-RS (Resteasy)
    • JPA (Hibernate)
    • Infinispan (JGroups)
    • Freemarker
    • Jackson 2.x
    • JBoss Logging
    • Apache Directory API
    • Commons HTTP Client
  5. Server Architecture (diagram)
    • Clustered Keycloak nodes (Keycloak 1, Keycloak 2, ...) replicating Sessions and Realm Settings via Infinispan
    • SSO Protocols: OIDC and SAML, with Protocol Mappers
    • Login Frontend and Account Frontend; Events Log
    • Admin Console, Admin Client and Admin CLI talk to the Realm Admin REST API (Clients, Users, AuthN, AuthZ, Policies, ...)
    • User Federation: Database / User Storage via JPA, Directory Services (LDAP(S), Active Directory, Kerberos)
    • Identity Brokering: external Identity Providers (Google, Facebook, ...) for Social Login
  6. Authentication & Authorization
    • Authentication (AuthN)
      • Determines who the user is
      • Internal & Federated User Storage: Kerberos, LDAP, Custom
      • Customizable
    • Authorization (AuthZ)
      • Determines what the user is allowed to do
      • Hierarchical Role-based Access Control (HRBAC)
      • Authorization Services
      • Flexible Access Control Management
      • More Variants like ABAC, UBAC, CBAC supported
  7. Single Sign-on & Single Sign-out
    • SSO ⇒ Login once to access all applications
    • Standardized Protocols
      • OpenID Connect 1.0 (OIDC)
      • Security Assertion Markup Language 2.0 (SAML)
    • Browser based “Web SSO”
      • works for Web, Mobile and Desktop Apps
    • Support for Single Sign-out
      • Logouts can be propagated to clients
      • Clients can opt-in
  8. Supported Single Sign-on Protocols
    • OpenID Connect 1.0
      • Protocol based on OAuth 2.0
      • Uses OAuth 2.0 tokens + ID Token to encode Identity
      • Tokens are encoded as JSON Web Tokens (JWT)
      • Requires secure channel HTTPS/TLS
    • SAML 2.0 Security Assertion Markup Language
      • Very mature standard & common in enterprise environments
      • XML based protocol
      • Uses XML signature and encryption
    • Docker Registry v2 Authentication
  9. Web SSO with OIDC: Unauthenticated User (sequence diagram: Browser, App 1 at app.acme.io, Keycloak at sso.acme.io)
    Step 1: Unauthenticated User accesses App 1
    Step 2: App redirects to Keycloak for Login
    Step 2a: User submits Credentials to Keycloak
    Step 2b: Keycloak validates User Credentials
    Step 3: Keycloak creates SSO Session Cookies and redirects User to App with a Code
    Step 4: App exchanges Code for Tokens (Access | Refresh | ID) with Keycloak via separate Channel
    Step 5: App verifies received Tokens and associates them with a session
    Step 5a: User is now logged-in to App
  10. Web SSO with OIDC: Authenticated User (sequence diagram: Browser, App 2 at app2.acme.io, Keycloak at sso.acme.io)
    Step 6: Authenticated user accesses App 2
    Step 7: App 2 redirects user to Keycloak for login
    Step 8: Keycloak detects SSO Session, generates code, redirects to App 2
    Step 9: App 2 exchanges code for tokens with Keycloak via separate channel
    Step 10: App 2 verifies received tokens and associates them with a session
    Step 10a: User is now logged-in to App 2
  11. Keycloak OAuth / OpenID Connect Tokens
    Claims
    • UserInfo + Metadata
    • Signed self-contained JWT
    • Limited Lifespan
    • May be revoked
    Verification
    • Verify Signature with Realm Public Key
    • Token Introspection Endpoint
    Token Types
    • Access-Token
    • Refresh-Token
    • Offline-Token
    • ID-Token (OIDC)
  12. JSON Web Tokens
    <header-base64>.<payload-base64>.<signature-base64>
    Note: Base64 means Encoding; Encoding != Encryption
    https://jwt.io
  13. Calling Backend Services with Access-Token (sequence diagram: Browser, App at app.acme.io, Backend at api.acme.io (Bearer-only), Keycloak at sso.acme.io)
    Step 1: Authenticated User accesses App
    Step 2: App uses Access-Token in HTTP Header to access backend (Authorization: Bearer eyJhbG...)
    Step 3: Backend looks up the Realm Public Key in its cache by the kid from the JWT header
    Step 3a: If not found, Backend fetches the Public Key for that kid from Keycloak
    Step 3b: Keycloak returns Realm Public Key
    Step 4: Backend verifies signature of Access-Token with Realm Public Key
    Step 5: Backend Service grants access and returns user data
  14. Keycloak Integration Options
    • OpenID Connect Adapters
      • Spring Security, Spring Boot, ServletFilter, Tomcat, Jetty, Undertow, Wildfly, JBoss EAP, …
      • NodeJS, JavaScript, Angular, AngularJS, Aurelia, CLI & Desktop Apps …
    • SAML Adapters
      • ServletFilter, Tomcat, Jetty, Wildfly
    • Keycloak Gatekeeper
      • “Proxy”, written in Go, injects auth info into HTTP headers
    • Apache Modules
      • mod_auth_oidc for OpenID Connect - maintained by Ping Identity
      • mod_auth_mellon for SAML - maintained by Red Hat
    • Others: see OIDC and SAML
  15. Demo Environment (diagram)
    • Backend: Spring Boot, Bearer-only
    • WS-Chat: Spring Boot, Confidential
    • Frontend: Spring Boot, Confidential
    • Desktop App: JavaFX, Public Client
    • Frontend: Spring Boot, SAML
    • Web based Single Sign-On across the apps; calls to the Backend carry Authorization: Bearer $ACCESS_TOKEN
  16. Keycloak Extension Points
    • Extensions via Service Provider Interfaces
    • Custom Authentication Mechanisms
    • Custom “Required Actions”
    • Custom User Storage (JDBC, REST, etc.)
    • Event Listener (Provisioning, JMS)
    • Credential Hashing Mechanisms
    • Custom REST Endpoints
    • Custom Themes
    • … many more
  17. Keycloak Demo Environment (diagram)
    • Keycloak at sso.tdlabs.local behind a Reverse Proxy / Load Balancer / WAF with SSL Termination (HTTPS outside, HTTP inside)
    • Postgres database via JDBC
    • Active MQ Message Broker: Provisioning Messages over JMS
    • Graylog Log Monitoring via GELF/JSON: Alerts, Dashboards, Dataflow
    • Distributed Cache: JGroups / Infinispan
    • Applications: Backend (Spring Boot), PlainJS App (JavaScript), Frontend (Spring Boot), Desktop App (JavaFX), SAML App (Spring Boot)
  18. Summary
    • Easy to get started
      • unzip & run, Keycloak Docker Images
    • Provides many features out of the box
      • SSO, Social Login, Federation, User Management, ...
    • Builds on proven and robust standards
      • OAuth 2.0, OpenID Connect 1.0, SAML 2.0
    • Very extensible and easy to integrate
      • Many extension points & customization options
    • A pivotal part of modern Identity Management
  19. Links
    • Keycloak Website
    • Keycloak Docs
    • Keycloak Blog
    • Keycloak User Mailing List
    • Keycloak Developer Mailing List
    • OpenID Connect
    • SAML
    • JSON Web Tokens
    • Awesome Keycloak
    • Keycloak Dockerized Examples
    • Keycloak Quickstarts Example Projects
  20. Accessing the API Backend with CURL

    # 1 Request new Tokens via Password Credentials Grant (Direct Access Grants in Keycloak)
    KC_RESPONSE=$(curl -X POST \
      http://sso.tdlabs.local:8899/u/auth/realms/acme/protocol/openid-connect/token \
      -d 'grant_type=password' \
      -d 'username=tester&password=test' \
      -d 'client_id=app-frontend-springboot&client_secret=4822a740-20b9-4ff7-bbed-e664f4a70eb6' \
    )

    # 2 Extract AccessToken from the JSON response
    KC_ACCESS_TOKEN=$(echo "$KC_RESPONSE" | jq -r .access_token)
    # eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJGY3RMVHJqeWRxYkpISGZ0d29U ...

    # 3 Use AccessToken in Authorization Header
    curl \
      -H "Authorization: Bearer $KC_ACCESS_TOKEN" \
      http://apps.tdlabs.local:20000/todos/search/my-todos
  21. Desktop Applications
    • Two ways to integrate Desktop Applications
      • Direct Access Grants - no SSO
      • KeycloakInstalled Adapter - SSO
    • Direct Access Grants
      • Client sends HTTP POST request to Keycloak's /token Endpoint
      • client_id, username, password, grant_type=password
      • Keycloak returns Tokens (Access-, ID-, Refresh-Token)
      • Client needs to parse & validate tokens
      • Client sees password → Password Anti-Pattern
    • KeycloakInstalled Adapter
      • Enables OAuth2 authorization code flow for Desktop / CLI apps
      • Code to Token exchange via short lived ServerSocket@localhost
      • Uses Keycloak Login via Browser
      • Can reuse existing SSO session
  22. Using the KeycloakInstalled Adapter

    1 Add Maven Dependency
    <dependency>
      <groupId>org.keycloak</groupId>
      <artifactId>keycloak-installed-adapter</artifactId>
      <version>${keycloak.version}</version>
    </dependency>

    2 Export keycloak.json for Client
    {
      "realm": "acme",
      "auth-server-url": "http://sso.tdlabs.local:8899/u/auth",
      "ssl-required": "external",
      "resource": "app-frontend-javafx",
      "public-client": true,
      "use-resource-role-mappings": true
    }

    3 Create KeycloakInstalled (reads keycloak.json from the classpath)
    KeycloakInstalled keycloak = new KeycloakInstalled();

    4 Trigger Browser login (opens the system browser, receives the code on a localhost socket)
    keycloak.loginDesktop();

    5 Read current username from the ID Token
    String username = keycloak.getIdToken().getPreferredUsername();

    6 Read & use AccessToken string (refreshes if it expires within the given window)
    String token = keycloak.getTokenString(10, TimeUnit.SECONDS);
    httpClient.header("Authorization", "Bearer " + token);

    7 Trigger Browser Logout
    keycloak.logout();
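The mechanism behind slides 21 and 22 (a short-lived listener on localhost that receives the authorization code from the browser redirect, followed by a direct code-to-token exchange) is shown here as an added, stand-alone Python example. It is not the KeycloakInstalled adapter's code; the realm, client id and auth-server URL are taken from the deck's keycloak.json, the callback path and the "constructed-code-123" value are assumptions, and `simulate_browser_redirect` stands in for Keycloak redirecting the real browser so the flow runs offline. The `state` check is what stops an unrelated request to the loopback port from being accepted as a login result.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the deck's keycloak.json for the JavaFX public client.
AUTH_SERVER_URL = "http://sso.tdlabs.local:8899/u/auth"
REALM = "acme"
CLIENT_ID = "app-frontend-javafx"


def authorization_url(redirect_uri, state):
    """Authorization-code request the app opens in the system browser (step 4 on the slide)."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,  # random per login; compared again when the browser comes back
    }
    return (f"{AUTH_SERVER_URL}/realms/{REALM}/protocol/openid-connect/auth?"
            + urllib.parse.urlencode(params))


def token_request(code, redirect_uri):
    """Code-to-token exchange the app sends directly to Keycloak, not via the browser."""
    url = f"{AUTH_SERVER_URL}/realms/{REALM}/protocol/openid-connect/token"
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": CLIENT_ID}  # public client: no secret
    return url, urllib.parse.urlencode(body)


class LoopbackListener:
    """Short-lived HTTP server on 127.0.0.1 that receives the redirect carrying the code."""

    def __init__(self, expected_state):
        self.expected_state = expected_state
        self.result = None
        self.done = threading.Event()
        self.server = http.server.HTTPServer(("127.0.0.1", 0), self.handler_class())
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"  # assumed callback path
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def handler_class(self):
        listener = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                code = query.get("code", [None])[0]
                state = query.get("state", [""])[0]
                if code is None or not secrets.compare_digest(state, listener.expected_state):
                    listener.result = {"error": "state mismatch or missing code"}
                    status, text = 400, b"Login failed: invalid callback."
                else:
                    listener.result = {"code": code}
                    status, text = 200, b"Login complete, you can close this window."
                self.send_response(status)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(text)))
                self.end_headers()
                self.wfile.write(text)
                listener.done.set()

            def log_message(self, *args):  # keep the demo quiet
                pass

        return Handler

    def wait_for_code(self, timeout):
        """Block until one callback arrives (or the timeout), then shut the server down."""
        arrived = self.done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.result if arrived else {"error": "timeout"}


def simulate_browser_redirect(redirect_uri, code, state):
    """Stand-in for Keycloak redirecting the browser back; returns the HTTP status code."""
    url = redirect_uri + "?" + urllib.parse.urlencode({"code": code, "state": state})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def desktop_login_demo(attacker_state=None):
    """Runs the loopback flow offline and returns what the listener accepted."""
    state = secrets.token_urlsafe(16)
    listener = LoopbackListener(state)
    # Real flow: webbrowser.open(authorization_url(listener.redirect_uri, state)), then the
    # user logs in at Keycloak (or an existing SSO session is reused) and is redirected back.
    simulate_browser_redirect(listener.redirect_uri, "constructed-code-123",
                              state if attacker_state is None else attacker_state)
    return listener.wait_for_code(timeout=5)
```

After `desktop_login_demo()` returns a code, the app would POST the result of `token_request` to Keycloak and validate the returned tokens exactly as a confidential web app does; the listener is shut down as soon as one callback has been handled, so the port is open only for the duration of the login.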
  23. Tips for working with Keycloak
    • Learn to configure Wildfly → Booktip: Wildfly Cookbook
    • Keep your Tokens small → HTTP Header limits!
    • Only put in the tokens what you really need → Full Scope Allowed = off
    • Keycloak provides a Realm-scoped Admin Console
      • http://kc-host:8080/auth/admin/my-realm/console
      • Admin users need permissions for realm-management in my-realm
    • Secure your Keycloak Installation!
      • Keycloak exposes some undocumented Endpoints by default on server AND client!
      • Inspect other Keycloak instances to learn what to hide
      • Google Search for Keycloak Endpoints
      • Shodan search for Keycloak
  24. Keycloak OAuth / OpenID Connect Tokens
    • Tokens contain User information + Metadata
      • Signed self-contained JSON Web Token
      • Issued by Keycloak, signed with Realm Private Key
      • Limited lifespan; can be revoked
    • Tokens can be verified by Clients
      • … by verifying the signature with Realm Public Key
    • Essential Token Types
      • Access-Token short-lived (Minutes) → used for accessing Resources
      • Refresh-Token long-lived (Days) → used for requesting new Tokens
      • Offline-Token special Refresh-Token that “never” expires
      • IDToken contains information about User (OpenID Connect)
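Slides 11, 12, 13 and 24 together describe how a bearer-only backend handles a Keycloak token: read the header, find the realm key by `kid` (from a cache, fetching on a miss), check the signature, then check lifetime, issuer and audience; and slide 12 stresses that Base64 is not encryption. The added example below is not Keycloak's or the deck's code and walks through both sides of that exchange with the standard library only. One stand-in is labelled in the code: the realm keys are HMAC-SHA256 (HS256) secrets rather than Keycloak's RS256 key pair, because RSA verification needs a third-party library; the kid lookup, caching and claim checks are the same for RS256. The issuer, audience and kid values are constructed after the deck's sso.acme.io / api.acme.io hosts.

```python
import base64
import hashlib
import hmac
import json
import time

ISSUER = "http://sso.acme.io/auth/realms/acme"  # constructed issuer URL
AUDIENCE = "api.acme.io"                          # constructed: the bearer-only backend

# Constructed realm signing keys keyed by "kid". Stand-in: HS256 secrets instead of
# Keycloak's RS256 realm private/public key pair, so this runs with the standard library.
REALM_KEYS = {
    "kid-2019-03": b"constructed-realm-secret-current",
    "kid-2018-11": b"constructed-realm-secret-previous",
}


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(claims, kid, lifetime_seconds=300, now=None):
    """Keycloak side: mint a signed, self-contained JWT with a limited lifespan."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {**claims, "iss": ISSUER, "aud": AUDIENCE, "iat": now, "exp": now + lifetime_seconds}
    signing_input = encode_json(header) + "." + encode_json(payload)
    signature = hmac.new(REALM_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def peek(token):
    """Decode header and payload WITHOUT verifying: Base64 is encoding, not encryption."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def tamper_payload(token, **changes):
    """Re-encode the payload with changed claims but keep the original signature."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return header_b64 + "." + encode_json(payload) + "." + signature_b64


def fetch_key_from_keycloak(kid):
    """Stand-in for fetching the realm key for this kid from Keycloak (step 3a/3b)."""
    if kid not in REALM_KEYS:
        raise KeyError(kid)
    return REALM_KEYS[kid]


class KeyCache:
    """Backend-side cache of realm keys by kid; fetches from Keycloak on a miss (step 3)."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.keys = {}

    def get(self, kid):
        if kid not in self.keys:
            self.keys[kid] = self.fetch(kid)
        return self.keys[kid]


def verify_token(token, cache, now=None):
    """Backend side: returns (claims, None) on success or (None, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the expected algorithm; never let the token choose it (rejects "none" and alg swaps).
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    try:
        key = cache.get(header.get("kid"))
    except KeyError:
        return None, "unknown kid"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        return None, "bad signature"  # step 4 failed: payload or signature was altered
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        return None, "expired"
    if payload.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = payload.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    return payload, None
```

`peek` shows why a token must never carry secrets in its claims: anyone holding it can read them. `verify_token` is the order a backend should use, signature before claims, so that nothing in an unverified payload influences a decision; with a real Keycloak realm the same function would take the RS256 public key returned by the realm's certs endpoint for the given `kid`.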