A deep dive into Keycloak | DevNation Tech Talk

Captions
Well, hello and welcome to another DevNation Live. We've had some technical challenges this morning: our lead presenter is over in Norway and he's having power fluctuations, so you might have some excitement. As always, on the chat you can feel free to find me there and ask questions, and we'll try to get those over to our presenters as we can, and you can help each other by basically saying "refresh your browser"; that's always the trick to this, right, if you can't hear or can't see, that kind of thing. So let's go ahead and jump right over to Stian, who's going to basically show us his Keycloak deep dive demo that he wants to show us to really get this content started, and hopefully his power stays up long enough to see this demonstration. Stian, go.

Yeah, I am. I'll start by sharing my screen so we can see my slides. So today we're going to take a little deep dive into Keycloak. Last time around, about a month ago, we had a presentation on how you can secure your applications and services with Keycloak; if you missed that one and you're interested in Keycloak, that's worth watching. Today we're not going to focus on how you can secure your actual applications and services; what we're rather going to be focusing on is Keycloak itself and a few features that Keycloak provides.

So, recapping for those who didn't join the last session: what is Keycloak? Well, Keycloak is an open-source identity and access management solution. It's been designed for modern applications, APIs and services, and I think Keycloak differentiates itself a bit from the rest of the IAM space by the fact that we have developed Keycloak to be nice and easy to use; application developers are our target audience for Keycloak. A quick overview before we start looking at some features: Keycloak provides OpenID Connect and SAML 2.0, and those provide standard ways of securing your applications and services. Keycloak can read users from a number of different sources: you can store users internally in Keycloak's own database, or you can federate users from an external user store such as OpenLDAP or Active Directory, or any custom user store that you may have. We also have what we call identity brokering, which allows you to delegate authentication to external identity providers; this provides support for both OpenID Connect and SAML 2.0, and we also have a Kerberos bridge, so you can have seamless login between your workstation and your web application. Through the identity brokering feature we also have support built in for a number of social networks.

So today, instead of just having lots of slides and talking about the features that Keycloak provides, I wanted to actually show most of the features, so primarily today we're going to be going through a demo. The first thing I'm going to do is open the Keycloak admin console. Through the Keycloak admin console I can configure most aspects of Keycloak: I can set up my clients and my users and I can configure my realm. Generally a realm in Keycloak is a space for all your applications and your users, so that you can isolate them from other types of scenarios. So the first thing I'm going to do is create a new realm for this demo today; I'm just going to call that "demo", and I'm also going to give it a nice friendly name for humans. The next thing I need to do is configure an SMTP server for my realm, because today I have a few flows where Keycloak needs to be able to send email. I'll be using Google's SMTP service today, which lets me send a few emails each day, but it's obviously not ready for production use because you won't be able to send too many; you need another SMTP server for that. Now that I've configured that, I can test the connection by sending a test email to my admin user, and I can go to my mailbox just to make sure that I actually got this message. And as you can see, we got the message, so we know that everything is alright.

The next thing I need to do is register clients. I've got an example client I'll be showing in a second, and I need to register this in Keycloak so that Keycloak knows that this application is allowed to authenticate with Keycloak. So I just create a new client, I tell it what the client is, I might give it a name, and this will then set up a lot of sensible defaults for the client. In this case it's setting up a public client, since this is a JavaScript app; it can't authenticate itself directly with Keycloak, so it relies on these valid redirect URIs to limit who can use this client configuration. Once I've done that, I can go and try my example application. My example application requires authentication, so I'm immediately redirected to Keycloak to log in, and at this point I can't actually log in because I don't have any users in my realm. At this point I could go to the admin console and create the user through the admin console, but in this case what I want to do is enable user self-registration in Keycloak, and I can do that by simply going into my realm settings and just enabling this switch. I also want self-registered users to verify their email address, so I'll enable this feature as well. Now if I refresh my login screen I can see that I have an option to register users, so I'm going to quickly register my user, and then Keycloak is asking me to verify my email, since I set this up in the realm itself. So I'll go to my inbox and I've got an email from Keycloak to verify my email address. When I click that I'll be taken to Keycloak first, Keycloak will then mark my email address as valid, and then I will be redirected to the application and I will be logged in. Now the application knows some details about me, and the application knows this because we have access to this ID token. This ID token is a signed token issued by Keycloak that gives the application some details about me, including my name.

Now I want to add a little bit extra to this token: I want to add an avatar, so the application knows a little bit more about me and can display a nice little image when I log in. To do that I need to go to my user and add a new attribute for my user; I'll call it avatar_url, and then I'll need an image. I'm just going to use this one, which is the GitHub logo. At this point Keycloak knows about this attribute, but the application is not able to see this attribute yet; I need to map this attribute into the token, and I'll do that by creating a client scope. A client scope allows you to add a reusable scope that can be used among many clients to be able to add different pieces to the token. So I'll give it a name, and a friendly name as well. At this point I have an empty scope; it doesn't do much at all, so I need to add a few mappers into this scope. This lets me map various different things from Keycloak into the actual token, so I'm going to use a user attribute mapper, I'm going to call it avatar, I'm going to use this user attribute, and I'm going to add it into the token with the same name. I can choose here if I want to add it to the ID token and the access token, and also to the userinfo endpoint, so I can decide where I want to issue this claim. The ID token is aimed at the front-end application to be able to authenticate the user, while the access token is aimed at the front-end application to then send to back-end applications or services so that they can verify the user. So now if I refresh my token, I don't have to log in again, and then the token should contain... Oh, I forgot one little thing: I've created the client scope, but I have to actually give the client access to this client scope. So let's go to the client again and look at the client, and here we go, there's an available scope that I need to add to the client. This time around, if I refresh my page, there you go: now the application has my avatar as well, and I can look in the ID token and see that this claim is now available inside the ID token.

A few other things I can do through the admin console: I can require that the application needs the user's consent to be able to access the user's account, and that's just a configuration option away; I need to just enable the consent. So now if I log in I can see that Keycloak is now asking me to grant access to this application, so I'll go ahead and give that application access. We also have support for roles: we have support for simple roles and we have support for composite roles. Composite roles can be nice to use if you want to be able to add a composite role to a group of users but then be able to manage which particular roles that belongs to as well in the future. In this case I'm just going to add a simple role; we'll call this "user", and I'm going to go to my user and add this role to the user. Now if I go to my application again and refresh my token and take a look at the actual token, I can see that I now have a few roles in here, and there are a couple more than just the role that I wanted to add. The reason for that is that, to make it slightly simpler for you to set up Keycloak, we have this thing called "full scope allowed" that gives the application access to all the roles that you have. This is not what you really want to use in production; in production you want to limit each individual client to make sure that they only have access to what they need to have, so that in case the application is compromised it can't access other things. So once I change this scope, now if I refresh my token again, we can see that now I only have this particular role that I wanted. Keycloak also has support for groups; basically you can just create a simple group, and then the group can be used as its own thing: you can map the group name into the token, and then your application can make decisions based on the group name. You can also decide to add attributes to a group; in this case I can add a user_type attribute and I'll call that "consumers", and that means that any user in the group will also get this attribute as well, and then you can map that into the token as well. You can also add roles to groups.

So, as I said before, we are able to read users from other external stores as well, so let's go ahead and try to read some users from an LDAP server. I have one running locally; all I need to do there is create a new user federation provider. I'll select the LDAP option, and then I have to configure it a little bit. Firstly I'm going to select the edit mode "writable"; that means that you can make changes through the Keycloak admin console or the Keycloak account management console, which allows users to manage their own account, and these will be written back to LDAP. Or you could make it read-only, and you can also use this special mode "unsynced", which means that any changes will be kept internal in Keycloak and not written back to LDAP. Then I'll choose the vendor "other", because that gives me the best initial setup for the particular LDAP that I'm using. Then I need to tell Keycloak how to connect, so I'm going to test the connection, and then I need to tell Keycloak where in my directory the users reside, and hopefully I'll do this correctly. Then I need to give it credentials to bind as the admin, and then I'll check that authentication is fine. So I'll go ahead and save my provider. So now I have a new provider added to Keycloak, and I can now choose to synchronize all users from that LDAP server, and I can see here I had two newly imported users from LDAP. Now if I quickly go to my users I can see that I have three users in my realm: I have the user that self-registered and I have the two users that were imported from LDAP, and if we go into the details for the user we can see that it's linked to this particular LDAP provider.

Okay, so the next thing we're going to try is the identity brokering feature. I can choose to use any SAML or OpenID Connect identity provider, or a corporate identity provider, or I can use a social identity provider. In this case I'm going to use GitHub, and then I'm going to go to GitHub, let's see, and here I can create a new application. I basically need to register Keycloak with GitHub so that Keycloak is allowed to log users in. Just like I have to tell Keycloak the redirect URIs of my application, I have to tell GitHub the redirect URIs of Keycloak, and once I do that I get this client ID and this client secret that Keycloak needs to know so that it can authenticate with GitHub. Also, since I enabled this verify-email option in my realm, I'm going to trust that GitHub has actually verified emails; I know that when you register with GitHub, GitHub makes you verify your email address, so I'm just going to trust that. Then I also want to pull in this avatar from GitHub as well, so I can add a mapper onto my GitHub provider that allows me to pull out bits and pieces from the token issued by GitHub and put that into the user in Keycloak, into the same attribute, avatar_url. So now if I go to my application again and I log out, now I have this option to log in via GitHub, and I need to grant access to Keycloak from GitHub, and then (I forgot to disable the granting of access to the JS console) I grant again, and here we go: I'm now logged into the JS console and you can see my avatar from GitHub and also my name from GitHub. If I go back to my realm I can now see that I have this user here, which is my GitHub user; I can look at my identity provider links and I can see that I'm linked to a particular GitHub user.

So now if we look again, we can take a little look at this login screen and see that it's got the Keycloak theme, but perhaps we want this to match our corporate theme or our application theme. I can do this by creating a custom theme and deploying it to Keycloak, and then through the admin console I can choose my custom theme as the theme for this realm. So if I refresh the login page I can see the nice beautiful new theme that I have here. I'm going to switch that back because I find that theme a little bit distracting. There you go.

Now let's log back into the application, and then we're going to take a look at this ID token in its encoded form. So it's a pretty long gibberish type of string; it's encoded basically with base64url encoding, which allows it to be very web friendly. It's got three parts: the first part is the header of the token, the middle part is all your claims, and the last part is your signature. I also deployed, alongside my custom theme, a custom page to Keycloak that lets me verify tokens. So if I paste in this base64-encoded token I can now get some details about it: it's actually verifying the token for me, making sure it's signed with the active key, and it's giving me the header in JSON format and the payload as JSON as well. What we are interested in at this point is this particular claim here: it says that this token is signed with RS256, which is an RSA signature. What I want to show is that we can actually change the way that the tokens are signed, and it won't even affect our current login session. So I could change the signing algorithm for the realm or per client; what I'm going to do is switch this application to ES256. This is an elliptic curve signature; these have very much the same security properties as RSA, but they are less CPU expensive. So if I now go to my application again, I can refresh my tokens so that I get new tokens issued, I don't have to log in again, and now I get this new ID token, and if I go back in here and look at the algorithm, I can see that now I've seamlessly changed tokens to use a different signing algorithm.

In a similar way to being able to change the signing algorithm, I can also rotate the keys that I use for signing. So in this case I'm going to create some new keys; I'm going to be using a generated key pair, and I'm going to set a high priority to make sure that these are picked up before the currently active key pair. So if I now go back to my application, refresh and get new tokens again, I can then look at the key ID here, which is basically showing you which particular key pair is being used; we can see that it starts with "L set N", and if I then submit my new token, I can see that it is now using this new key pair. The reason why this works is that the application has a refresh token, and it can use the refresh token, and Keycloak verifies it against the old keys that are still being used for verifying signatures but not being used to create new signatures, and then Keycloak will issue new tokens that are now signed with this new key pair.

So we can take a little look at sessions in Keycloak. Keycloak has a concept of a session, and it's called an SSO session; all your tokens are issued linked to this particular session, which makes it very easy for you to invalidate all tokens that were issued for a particular session. So I can see here that my user is logged in for this particular application. If I go to my user and look at the sessions for the user, I can also log out the user session through the admin console; the user himself can also go to sessions in the account management console and log out from there. I'm going to go ahead and log me out from the admin console, and if I go back to my application and now try to refresh my token, I'll be redirected to the login screen instead of getting a new token, because the session is no longer valid.

So let's also take a little look at the event system in Keycloak. Pretty much most events that occur in the system generate an event that we can save in the system for audit, or we can implement a custom event listener that can listen for these events and handle them however you want; as with all other custom things, you can deploy this to Keycloak very easily. So we can also choose to save events in the Keycloak database, which lets us then see a history of the events in the admin console. If I now, for instance, go off and create a new client, then I can go and look at the events that were generated; I can see here that someone created a client and I can see the ID of the client, I can get some details about who it was and how they authenticated, and I can also get the JSON representation of how that client was created. And the same if someone tries to log in and provides an invalid username or password: then I get a login error event happening as well. You can filter, and you can decide what events you want to listen to.

Okay, so the last thing I wanted to show is how customizable Keycloak is. What we're going to do now is create a whole custom authentication flow, and in this custom authentication flow we're also going to use a custom authenticator. This particular authenticator is something that lets you verify or log in by just providing your email; you'll get a special link in your email to verify that you are who you say you are. So what I'm going to do is make a copy of the current flow that's used for browser-based login, I'm going to get rid of this username and password form, and then I'm going to add a new replacement for it, which I cleverly call the "magic link", and then I'm going to mark this as required. Now if I go back to my application... oh, I forgot one thing: this new flow I created, I need to select that this is the flow that's going to be used for browser login. So let's give it a go, and here we go: now instead of being asked for the username and password I'm only being asked for my email, and I can provide this and log in, and I'll be asked to go to my email. I'll do this, and in this email there is a special link that contains a token that allows Keycloak to verify that I should be authenticated, and then I'll be redirected to the application and I'll be logged in. This is fully custom code that I've deployed separately to Keycloak without making any changes to Keycloak, without having to change the Keycloak source code itself. Similarly, I can also make some configuration changes to existing built-in authenticators. So for instance we have the OTP form here, which at the moment is optional; that means that it's only required if the user has configured it. Well, let's make it required, and if I now try to log in again, so I'll have to do it through the email, then we can see that my custom authenticator initiated first and I logged in via email, and now the OTP authenticator is kicking in and it's asking me to set up OTP, and that's because I haven't registered OTP yet. Once I've registered OTP, then the next time around I'll be asked to provide a one-time code.

So that's it for the slides for today. A few features that might be worth highlighting that we didn't have time to go through today: we're leveraging a project called Infinispan that provides us with high-quality clustering capabilities and a caching layer as well, and we also have support for clustering across multiple data centers. We have the account management console, which allows users to manage their own account: they can link to additional social networks, they can set their password, they can change their profile, they can also manage their own sessions, and they can view events associated with their own account. We have something called the authorization services, which hopefully sometime in the future will have a DevNation Live session dedicated purely to this; the authorization services allow you to define policies and permissions centrally in Keycloak so that you don't have to do that in your applications themselves. Keycloak is highly customizable through a number of SPIs; we have about a hundred SPIs that you can develop custom providers for. We have support for X.509 authentication, both for users and for clients. Everything that you can do through the admin console you can do through an admin REST API as well, and there's also an accompanying admin CLI tool. We have a client registration service that allows you to create clients through something like Ansible or another provisioning tool, and applications can even register themselves; there's also an accompanying CLI for this. And then we of course have built-in brute force password protection, we have built-in password policies, and there are tons and tons more features that you can discover in Keycloak.

So that's the end of my session for today. If you want to learn more about Keycloak, there's a link to our website, and there's a link to our source code on GitHub as well. If you want to actually try out the demo that I've shown today, there's a link there to the demo, and a little notice that I've got a few features that require Keycloak 4.5, which will be released next week. If you want to give it a go beforehand you can, but you have to then build Keycloak from source yourself, which is pretty simple if you're familiar with Maven and you have Java installed. If you need some help or if you have some general questions, get in touch with us on our community mailing list; we're not very active on Stack Overflow, but if you ask us on the mailing list we're more than happy to help. Also you can get in touch with us on Twitter. Okay, that is it. Thank you. So, do we have any questions?

Oh, you have a lot of questions, as you always do. We're not going to get through all of these, but you just answered one of them: one question was "is this 4.4?" and you just said it's 4.5, so that's an important point; people who want to replicate this demonstration need to wait for 4.5. The other big question was "when can I get the recording?" I provided the link to the playlist; just monitor that playlist, you'll see all the DevNation sessions showing up there, as I update the playlist as I get the recordings as well. And then there's a bunch of other questions that are getting pretty detailed. Here's a great one, a question about read-only LDAP: with a read-only LDAP connection, is it planned to make password change possible even with read-only LDAP? In some cases it would make sense to be able to use the Keycloak workflow to change or reset the passwords even if the user data is managed outside of Keycloak. I think that's a great question; what do you think about that one?

Yeah, I think you can somehow achieve it today: you can choose what individual attributes are actually written back to LDAP, but I'm not sure if you can achieve exactly what the person asking is asking. But LDAP is not my expertise area, so send that question to the user mailing list and we'll be able to answer properly.

All right, very good. And I think I did provide the links to your deep dive demo as well as keycloak.org. There was a question around "well, how do I run this on OpenShift?" I found your blog from May 31st on how to run Keycloak on OpenShift, which includes the template and the Docker Hub image, so that was a bunch of questions that we already answered, at least in the chat. And here's another great question...

Just like today's demo, the last time around I ran everything on OpenShift, so the whole demo today is running on OpenShift, and that's available on GitHub.

Okay, fantastic. And then some questions about performance numbers: what kind of benchmarks have you guys done to show the different scales, and what kind of scalability attributes there are?

We are still working on that; we basically don't have big enough labs, but we have knowledge about people that are using Keycloak with tens of millions of users with hundreds of thousands of open sessions, so it definitely scales.

Okay. Are there plans to support CAS with identity brokering?

No, we have decided that we're going to focus on OpenID Connect and SAML; however, there are CAS extensions in the community, there is a WS-Fed extension in the community, so if anyone is interested in doing CAS identity provider support and maintaining that in the community...

Awesome, okay. How about SSO with Windows ADFS as IdP?

ADFS, I think, can be done through LDAP, SAML or OpenID Connect if I'm not mistaken, so yes.

Okay, and as you said, a lot of these questions probably require more drill-down, in which case the email list is going to be better to go back and forth for these kinds of things. But there's a couple of quick questions here about multi-tenancy that I think could be pretty interesting: so in addition to the master realm, is it possible to have a realm that can see and manage other realms? My intention is to have supervisors for some realms; think of that as sub-masters.

Yeah, no, that's not possible directly; however, what you can do is use the identity brokering capabilities to allow users from different realms to authenticate in a realm to then manage it.

Okay. And we're not going to get through all of these questions; I apologize for you guys who've been hanging out here with us, but we do have to kind of get off this call, we have a thirty-minute limit. Do bring them up on the email list, but we're also going to get these questions out of the platform and get them over to our team so we can try to respond to them via email ourselves as well, because you guys do have tons of great questions. And actually, your demo was awesome, by the way; I really enjoyed it myself, having kicked Keycloak around a little bit, I love the way you presented that, there was just great stuff overall.

I'm pleased I didn't lose power today.

Okay, I know, that was neat. Funny enough, for the people here on the call, he lost power right before this thing started and all we had was the phone; that's why we're talking to you via the phone instead of the webcam, because of the power. Okay, well, I think that's good enough for today. Again, we're going to try to get these questions and stuff back offline, if you will; look for an email from us, monitor that playlist we mentioned earlier so you guys can see the recording, and do join that Keycloak email list we mentioned, just because that's the way to kind of really interact with the team, get your thoughts heard, get your questions answered, and debate how architecturally you integrate Keycloak into your enterprise systems that you have. Thank you guys so much. Thank you.
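The token format and key rotation walked through in the demo (base64url header.payload.signature, `alg` and `kid` in the header, a higher-priority key signing new tokens while older keys are kept for verification only), as an added example in Python; this is not code from the talk or from the Keycloak project. It implements RS256 with a toy-sized, standard-library-only RSA so it runs offline, and it assumes constructed key IDs ("old-kid", "new-kid"), claims and avatar URL.

```python
import base64, hashlib, hmac, json, random, secrets
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 s9.2 DigestInfo

def b64url(data: bytes) -> str:                 # unpadded base64url, the "web friendly" JWT encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int) -> bool:          # Miller-Rabin, 24 rounds: adequate for a demo key
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(24):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True

def gen_rsa(bits: int = 512) -> dict:           # toy key size (assumption) so the demo runs in well under a second
    def prime(b: int) -> int:
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c): return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:              # e = 65537 is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

def pkcs1_em(msg: bytes, k: int) -> bytes:      # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key: dict, msg: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_em(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(key: dict, msg: bytes, sig: bytes) -> bool:
    k, s = (key["n"].bit_length() + 7) // 8, int.from_bytes(sig, "big")
    if len(sig) != k or s >= key["n"]:
        return False
    return hmac.compare_digest(pow(s, key["e"], key["n"]).to_bytes(k, "big"), pkcs1_em(msg, k))

def add_key(realm: dict, kid: str, priority: int) -> None:   # realm: kid -> {"key", "priority"}, like the talk's key list
    realm[kid] = {"key": gen_rsa(), "priority": priority}

def active_kid(realm: dict) -> str:             # highest priority signs new tokens; every listed key still verifies
    return max(realm, key=lambda kid: realm[kid]["priority"])

def issue_token(realm: dict, claims: dict) -> str:
    kid = active_kid(realm)
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "RS256", "typ": "JWT", "kid": kid}) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(realm[kid]["key"], signing_input.encode()))

def verify_token(realm: dict, token: str):      # returns the claims, or None if the token must be refused
    parts = token.split(".")
    try:
        header, claims, sig = json.loads(b64url_dec(parts[0])), json.loads(b64url_dec(parts[1])), b64url_dec(parts[2])
    except (ValueError, IndexError):
        return None
    if len(parts) != 3 or not isinstance(header, dict) or header.get("alg") != "RS256":
        return None                             # alg pinned: 'none' and key-confusion headers never reach the crypto
    entry = realm.get(header.get("kid"))        # the key is chosen by kid, exactly as a verifier does with a JWKS
    if entry is None or not rs256_verify(entry["key"], f"{parts[0]}.{parts[1]}".encode(), sig):
        return None
    return claims

def rotation_demo() -> dict:                    # the rotation from the demo; key IDs and claims are constructed
    realm = {}
    add_key(realm, "old-kid", 0)
    claims = {"sub": "demo-user", "avatar_url": "https://example.invalid/logo.png"}
    old_token = issue_token(realm, claims)
    add_key(realm, "new-kid", 100)              # high priority, like the admin console setting in the talk
    new_token = issue_token(realm, claims)      # what a token refresh hands back now
    h, p, s = new_token.split(".")
    out = {
        "kids": [json.loads(b64url_dec(old_token.split(".")[0]))["kid"], json.loads(b64url_dec(h))["kid"]],
        "old_token_still_verifies": verify_token(realm, old_token) == claims,
        "forged_claims_rejected": verify_token(realm, h + "." + b64url(b'{"sub":"x"}') + "." + s) is None,
        "alg_none_rejected": verify_token(realm, b64url(b'{"alg":"none","kid":"new-kid"}') + "." + p + ".") is None,
    }
    del realm["old-kid"]                        # retire the old key: tokens it signed now fail verification
    out["old_token_after_retire"] = verify_token(realm, old_token) is None
    return out
```

Calling rotation_demo() walks the same sequence as the demo: the old token still verifies after the new key is added, fails once the old key is removed, and forged claims or an `alg: none` header are refused.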
Info
Channel: Red Hat Developer
Views: 30,872
Keywords: devnation live, redhat, keycloak, Open Source, How to use Keycloak, Keycloak features, Keycloak demo, Keycloak tutorial
Id: ZxpY_zZ52kU
Length: 34min 24sec (2064 seconds)
Published: Thu Sep 20 2018