Building secure applications
with keycloak (OIDC/JWT)
Abhishek Koserwal
Red Hat
IAAA Security Factors
● Identification: a set of attributes related to an entity
■ (e.g. user -> attributes [ name, email, mobile ])
● Authentication: the process of verifying an identity
■ (that they are who they say they are)
● Authorization: the process of verifying what someone is allowed to do
■ (permissions)
● Accounting: logs, user actions, traceability of actions
OAuth 2.0 & OpenID Connect
OAuth 2.0 != authentication; it is an authorization (delegation) framework only
OpenID Connect = identity layer on top of OAuth 2.0: Identity + Authentication, with OAuth 2.0 authorization underneath
50+ security specifications...
What is Keycloak?
Open Source
Identity Solution for Applications, Services and APIs
Why use Keycloak?
● Reliable solution
● Don't reinvent the wheel (shared libraries, keys/certs, configuration, standards)
● Open Source (3 C's)
■ Cost
■ Customizable / Contributions
■ Community
● Hybrid cloud model
Core Concepts
● Realm (e.g. master): the unit that scopes users, clients, roles and configuration
● Users
● Identity Providers: SAML, OpenID Connect, social logins (GitHub, Twitter, Google, Facebook, etc.)
● User Federation: LDAP, Kerberos
● Roles
● Groups
● Clients
● Events
● UI (Themes)
● Security Defenses
App: Integration
● Keycloak realm: external-apps; client ID: hello-world-app
● Frontend app (client side: JS) authenticates against Keycloak over HTTPS using OpenID Connect / SAML
● Backend app: a Keycloak adapter in front of the resource endpoint (server side: Java, Python, Node.js, Ruby, C#, etc.)
● Mobile app: SDKs for Android and iOS
How we used it (stateful, session on one instance)
● Frontend client -> load balancer with sticky sessions -> backend services / BFF (Keycloak adapter, SAML) -> Keycloak
● Two backend instances, T1 and T2; the server-side session (Session ID: S-1) exists only on T1, so the load balancer has to pin that client to T1
How we used it (stateful, session replication)
● Same topology: frontend client -> load balancer with sticky sessions -> backend services / BFF (Keycloak adapter, SAML) -> Keycloak
● Session ID: S-1 is replicated between T1 and T2, so a request that lands on the other instance still finds the session
Problems
● Scalability with server-side sessions
● Sticky sessions are evil
● Shifting a monolith to OpenShift/containers (stateful -> stateless)
Service-to-Service: Authentication & Authorization
Service A calls Service B with { userId: "jack" }.
Service B sees { userId: ?? }: how does it verify and validate that the caller really acts for jack?
The Confused Deputy Problem
Service A -> Service B: { userId: "jack", permission: "user" }
Service B -> Service C: { userId: "jack", permission: "user" }
A forged request -> Service C: { userId: "jack", permission: "admin" }
If the claims are plain JSON that any caller can write, Service C cannot tell the forwarded request from the forged one; it becomes a confused deputy and performs an admin action for a user who only holds "user".
Stateless Architecture
● Frontend (Keycloak adapter) -> load balancer / routes -> backend services / BFF running on a node as Pod-1, Pod-2
● Every backend pod does its own token validation; there is no server-side session to stick to or replicate
● Each pod fetches the realm's JWKS (JSON Web Key Set), e.g. { Key: "AAkV6d-anw0vwPMJfCb8223" }, from Keycloak and verifies token signatures against it
JWT: <Header>.<Payload>.<Signature>
<Header>: check that alg is the algorithm you expect ("HS256" / "RS256"); never let the token's own header choose the algorithm
<Payload>: claims, e.g. {"aud": "hello-world-app"}; check that the audience is this application
<Signature>: verify the signature with the key from the JWKS before trusting any claim, then respond
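The stateless pattern above and the confused-deputy slide before it come down to one check: a service may act on a claim only after it has verified the signature over that claim with a key taken from the realm's JWKS, with the algorithm pinned and the audience and expiry checked. The Go program below is an added example written for this page; it is not code from the slides, from the linked demo repositories, or from Keycloak's own adapters. It uses only the standard library: an issuer signs an RS256 token for user "jack" carrying the slide's permission claim, and a verifier rejects the forgeries the slides warn about. Assumptions made for the example: the key id "key-1", the claim names sub and permission (mirroring the slide's userId/permission, not Keycloak's real claim layout), a JWKS already parsed into a kid -> public key map rather than fetched over HTTPS, and a fixed clock.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// JWKS maps key id to public key: the realm's JWKS document with "n"/"e" already parsed (assumed pre-fetched).
type JWKS map[string]*rsa.PublicKey

// SignRS256 is the issuer side: base64url(header).base64url(payload), RSASSA-PKCS1-v1_5 over SHA-256.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err) // only possible if rand.Reader fails
	}
	return input + "." + enc.EncodeToString(sig)
}

// Verify is the resource-server side. Order matters: pin the algorithm, find the key by kid, check the signature, then read claims.
func Verify(token string, keys JWKS, audience string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Never let the token choose the algorithm: this rejects alg "none" and HS256 key-confusion tokens before any key is consulted.
	var hdr struct{ Alg, Kid string }
	if b, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(b, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok {
		return nil, errors.New("unknown kid")
	}
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any // parsed only after the signature held
	if b, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(b, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["aud"] != audience { // a real verifier must also accept aud given as an array of strings
		return nil, errors.New("wrong audience")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, errors.New("expired")
	}
	return claims, nil
}

// Scenarios mints a token for "jack" and runs it, plus forgeries and misuses of it, through Verify; a nil value means accepted.
func Scenarios() map[string]error {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	keys := JWKS{"key-1": &priv.PublicKey} // assumed key id
	now := time.Unix(1700000000, 0)       // fixed clock so the run is reproducible
	mint := func(aud, permission string) string {
		return SignRS256(priv, "key-1", map[string]any{"aud": aud, "sub": "jack", "permission": permission, "exp": now.Add(5 * time.Minute).Unix()})
	}
	good := strings.Split(mint("hello-world-app", "user"), ".")
	admin := strings.Split(mint("hello-world-app", "admin"), ".")
	noneHdr, _ := json.Marshal(map[string]string{"alg": "none", "kid": "key-1"})
	tokens := map[string]string{
		"valid":     strings.Join(good, "."),
		"tampered":  good[0] + "." + admin[1] + "." + good[2],         // service B swaps in an "admin" payload but cannot re-sign it
		"alg-none":  enc.EncodeToString(noneHdr) + "." + good[1] + ".", // signature stripped, alg set to "none"
		"wrong-aud": mint("other-app", "user"),                        // genuine token issued for another client, replayed here
	}
	res := map[string]error{}
	for name, tok := range tokens {
		_, res[name] = Verify(tok, keys, "hello-world-app", now)
	}
	_, res["expired"] = Verify(tokens["valid"], keys, "hello-world-app", now.Add(time.Hour))
	return res
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-9s -> %v\n", name, err)
	}
}
```

Run it with go run; only the "valid" token is accepted. A production verifier must additionally check iss against the realm's issuer URL from its OIDC discovery document, accept aud as an array as well as a string, fetch the JWKS over HTTPS from the realm and refresh it when an unknown kid appears, and tolerate a small clock skew on exp.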
Setup: Keycloak
docker pull jboss/keycloak
docker run -d -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> -p 8081:8080 jboss/keycloak
Requires a running Docker daemon; the server is then reachable on port 8081 of the host.
Standalone server distribution (https://www.keycloak.org/downloads.htm)
Standard way to run: JBoss / WildFly
Application Demo
JWT: JSON Web Tokens
● Send JWTs over HTTPS only, never plain HTTP
● Access tokens: whoever holds one can access the protected resources it covers, so keep them short-lived
● Refresh tokens: let the client request new access tokens without re-authenticating; they live longer, so protect them accordingly
● Cookie vs local storage
○ local storage is readable by any script running on the page, so a cross-site scripting (XSS) bug leaks the token
○ cookies with the HttpOnly flag are not readable by script (size limit about 4 KB) but are sent automatically by the browser, so the app must defend against Cross-Site Request Forgery (CSRF)
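To make the cookie trade-off concrete, here is an added Go example (not code from the slides or from Keycloak) of a BFF that stores the access token in an HttpOnly, Secure, SameSite=Strict cookie so page scripts cannot read it, and closes the CSRF hole that automatically sent cookies open with a double-submit token: the server sets a second, script-readable csrf cookie, and every state-changing request must echo it in an X-CSRF-Token header, which a cross-site form post cannot set. The cookie names, the header name, the /transfer endpoint and the placeholder token value are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// SetTokenCookies stores the access token where page scripts cannot read it and
// issues a CSRF token that scripts must echo back in a header (double submit).
// It returns the CSRF token so the login page can hand it to the frontend.
func SetTokenCookies(w http.ResponseWriter, accessToken string) string {
	buf := make([]byte, 16)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	csrf := hex.EncodeToString(buf)
	http.SetCookie(w, &http.Cookie{
		Name: "access_token", Value: accessToken, Path: "/", MaxAge: 300, // short-lived, like the token itself
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	})
	// Deliberately not HttpOnly: the page reads it and sends it as X-CSRF-Token.
	http.SetCookie(w, &http.Cookie{Name: "csrf", Value: csrf, Path: "/", Secure: true, SameSite: http.SameSiteStrictMode})
	return csrf
}

// RequireCSRF rejects state-changing requests unless the X-CSRF-Token header
// matches the csrf cookie. A cross-site form carries the cookie but cannot set the header.
func RequireCSRF(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions: // safe methods need no proof
		default:
			c, err := r.Cookie("csrf")
			hdr := r.Header.Get("X-CSRF-Token")
			if err != nil || hdr == "" || subtle.ConstantTimeCompare([]byte(c.Value), []byte(hdr)) != 1 {
				http.Error(w, "csrf check failed", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// transfer is a state-changing endpoint (assumed for the example); it takes the token from the cookie, never from the URL.
func transfer(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie("access_token"); err != nil {
		http.Error(w, "not logged in", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "transfer accepted") // in a real BFF the cookie value would now go through JWT verification
}

// Demo returns the status of a POST with the CSRF header (the app's own fetch call),
// a POST without it (what a cross-site form can produce), and whether the token cookie is HttpOnly and Secure.
func Demo() (withHeader, withoutHeader int, httpOnly bool) {
	login := httptest.NewRecorder()
	csrf := SetTokenCookies(login, "eyJ.constructed.placeholder") // constructed placeholder, not a real JWT
	cookies := login.Result().Cookies()
	for _, c := range cookies {
		if c.Name == "access_token" {
			httpOnly = c.HttpOnly && c.Secure
		}
	}
	h := RequireCSRF(http.HandlerFunc(transfer))
	post := func(withCSRF bool) int {
		req := httptest.NewRequest(http.MethodPost, "https://app.example/transfer", nil)
		for _, c := range cookies {
			req.AddCookie(c) // the browser attaches both cookies either way
		}
		if withCSRF {
			req.Header.Set("X-CSRF-Token", csrf) // only same-origin script can add this
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		return rec.Code
	}
	return post(true), post(false), httpOnly
}

func main() {
	a, b, ho := Demo()
	fmt.Printf("with header: %d, without header: %d, token cookie HttpOnly+Secure: %v\n", a, b, ho)
}
```

SameSite=Strict alone already blocks most cross-site posts in current browsers; the header check is the defense that does not depend on browser behaviour, which is why the two are combined.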
Keycloak vs Others
● Designed as a single product
● Easy to set up and configure
● Supports Docker registry authentication
● OpenJDK support
● Spring Boot support: https://start.spring.io/
Securing Keycloak
● Secure the Keycloak endpoints themselves, not only the applications behind them
● IP and port restrictions for the /auth/admin console endpoint
● Configure security defenses such as brute-force detection against password guessing
● If an access token or refresh token is compromised, push a revocation (not-before) policy to all applications
● Hostname: Keycloak derives its own hostname from the request headers, so make sure only a trusted proxy can set them
Q & A
Thank You!


Editor's Notes (references, by slide number)

  • #4: https://www.x2u.club/work-delegation-memes.html
  • #5: https://www.keycloak.org/
  • #7: https://www.keycloak.org/docs/latest/server_admin/index.html#core-concepts-and-terms
  • #8: https://www.keycloak.org/docs/3.1/securing_apps/topics/overview/what-are-client-adapters.html
  • #9: https://www.keycloak.org/docs/3.1/server_admin/topics/sso-protocols/saml.html
  • #11: http://www.chaosincomputing.com/2012/05/sticky-sessions-are-evil/
  • #12: https://dzone.com/articles/api-security-ways-to-authenticate-and-authorize
  • #13: https://blogs.mulesoft.com/dev/connectivity-dev/google-oauth-security-confused-deputy/ ; https://samnewman.io/books/building_microservices/
  • #14: https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html
  • #15: https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/oidc.html ; https://jwt.io/ ; https://auth0.com/blog/a-look-at-the-latest-draft-for-jwt-bcp/ ; https://github.com/akoserwal/keycloak-jwt ; https://www.npmjs.com/package/keycloak-angular ; https://github.com/akoserwal/statelessappdemo
  • #16: https://www.keycloak.org/downloads.html
  • #18: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage ; https://www.owasp.org/index.php/HttpOnly ; https://www.keycloak.org/docs/2.5/server_admin/topics/threat/csrf.html ; http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html ; http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
  • #19: https://gist.github.com/bmaupin/6878fae9abcb63ef43f8ac9b9de8fafd ; https://www.keycloak.org/docs/3.3/server_admin/topics/sso-protocols/docker.html
  • #20: https://www.keycloak.org/docs/latest/server_admin/index.html#threat-model-mitigation