Building an effective identity and access management architecture with Keycloak

Captions
Okay, let's start then. Thank you for attending my talk. Not that many people, but yeah, I know, security scares people. Maybe they'll join later; they're missing a great live coding session that I will show you. It's my first time here, and I'm really proud to be here at Devoxx Minsk. Let's go. You're really brave, because I will talk about security, you know, it's boring. I'm Sébastien Blanc, I work for Red Hat, I work on the Keycloak team, and my talk is about Keycloak.

So let's talk about delegating your security. Why would you want to delegate your security? That's what Kim does: she delegates her security to this really angry bodyguard. Well, there are a few reasons why you want to delegate your security. The first one is you don't want to repeat yourself. Imagine when you have to implement security and authentication: most of the time it's at the end of your project, someone says "oh yeah, we must add a login screen, we must manage users", and you do that quickly. If you do that yourself, let's take one minute to see everything that needs to happen. You need to write your own login form. You probably want to create a page where the user can manage their profile. Then you have the backend: you have to find a way to check the credentials, you have to store the users (that creates other tables in your database), you have to store passwords. Do you know how to securely store passwords in your database? And then of course you have your backend and your frontend, you have to glue that all together, you have to manage all the authentication flows, maybe some optimization, and you do that, you package that, you put your app in production, and you start a new project. And guess what? You have to do it all over again. So for each project you have to really implement the security layer, and maybe project one was in Java and maybe project two is in Go, so you cannot even reuse the code that you wrote for your security in a Go project.
That's the first reason. The second reason is you're not a security expert. Even if you think you are, you are not. That research was pretty nice: they asked 233 developers, professionals, not students, to develop a simple web app with a login screen, and well, more than half of the developers left the password in clear text. Okay, even big companies. I don't know if you heard that story last year on Twitter: there was a guy in Austria calling the customer service of T-Mobile because he had an issue with his phone, I don't remember exactly the story, but he realized that the customer service had access to his password, and that should not be possible, that is a really bad practice. So he complained a bit, and a community manager of T-Mobile made a tweet that became pretty famous, saying "what if it doesn't happen, because our security is amazingly good". Well, guess what, 30 minutes after the tweet the website of T-Mobile Austria was hacked, you see, that was so funny, with the text of the tweet on the site. So you're not a security expert, and that's why you want to delegate your security, and that's exactly what Keycloak is. Keycloak: you download the zip, you unzip it, you start it, you configure it, and you have a full identity management server that will take care of your users, storing your passwords, handling all your authentication flows, which could be OpenID Connect or SAML or even Kerberos. And all you have to do in the application that you secure is to add a small library that just communicates with Keycloak. We will see that in detail.

Okay, so usually I use this picture here to explain the main concept of Keycloak. You give Keycloak a realm to secure, a territory. "Realm" is a really difficult word to say in French, in English, sorry, so I like to speak about territories. So you say, here Keycloak, that is the territory that you have to secure, and on this territory are different cities. In the north there's JEE land, no one's going to go there
anymore. But then you have Angular land, that's the place to be, everyone wants to go there. You have microservices land, not sure what is happening there, and of course, king of the world, Node.js land. And you arrive with your boat and you navigate to Angular land. So you open your browser and you navigate to your web app. What happens there? Hey, border control: "you are not authenticated, please go to the Keycloak island to authenticate yourself", and I get a redirect, really an HTTP redirect, that sends me to the Keycloak server. And here I am on the Keycloak server, I enter my credentials, and if everything is okay, like at customs, I get a stamp, and with the stamp I can go back on my island and visit all these awesome cities. Okay, this stamp is not just a randomly generated token, it's more than that: it's a JWT, as we call it, a JWT token. It's a token that is self-contained, that contains a payload; we will see that in detail in two minutes, I think. How do you obtain this token? Because you have to obtain that token to be able to call other services in your architecture. Let's see. Basically I show you here the details, but Keycloak will hide that for you. Keycloak always exposes an endpoint where you can obtain your token. How do you usually obtain it? Well, most of the time it's from your web app: you log in, so you use the Keycloak JavaScript adapter. Okay, there are a few other options, I leave them, I won't talk about them, because we will focus on the JavaScript adapter. Once you're logged in you will not get one token, but you will get three tokens. You will get an ID token, that is a token really specific to OpenID Connect. This is your identity card; it's a token that contains, well, your username, your last name, your email, whatever you want, it's a really flexible format, you can put whatever you want inside. You have an access token, that is the token that you will use from your web app if you need to call a REST service, for instance, which is also secured; you will need this token,
okay. And this access token has a really short lifespan, it lasts five minutes; after 5 minutes this token is not valid anymore. So we also get a third token, the refresh token, that you can use to obtain a fresh access token. Okay, so basically how does it happen? It's a bit like the picture I showed you, but more boring, more corporate. I open my app, I click on the login button, I am redirected to Keycloak, I enter my credentials, here the whole OAuth2 flow happens, this is hidden for you, and it returns the tokens. Here I mentioned just the ID token, because if you have a monolithic web app, all you need is the ID token, because you won't call any other services. Okay, let's see that in real life.

So I have here a really simple app, let me just refresh. Okay, I have here a really simple app, I'm not logged in, and when I click on the login I will be redirected to my Keycloak server. Okay, so here I click on the login and now I'm not on my web app anymore, I'm on the Keycloak server, and there I can enter my credentials, so here it's really difficult, it's sebi / sebi. I log in and Keycloak redirects me back to the app. Now I'm logged in. You see here a missing picture, we will fix that in a few moments, but let's take a look at the tokens that it gave us back. So as you can see here we got our refresh token, our ID token with a lot of information here, my roles, my username, and the access token that I will use to make REST calls. Okay, and when I make REST calls I won't send it in this format, but I will send it in base64 format; we will come back to this later. Okay, first thing: Keycloak also comes with a full account page, so each user that logs in can also access their own account to update their details. So if I go here to account, you see here I just have the sebi username and I can put my email, oh, autofill, perfect, I save it. Okay, I save it and now I go back to my web app, log in, and let me check my token, and here I should see the details. Okay, let's try to fix that, I would sure like to show
here my profile picture, so I need to add a custom claim. A custom claim is a property of my token, okay? So let's go to the Keycloak web console where you can configure everything. So I just go there, I go to my administration console, admin / admin, really secure, okay, and that is my console. Here I am on my realm, my territory, that I called devoxx, and that is where I can control everything. I can manage my roles, my users, my clients. So what is a client for Keycloak? Any app that you will secure, be it a frontend or a backend app, is called a client for Keycloak. Okay, so what we said, yeah, we want to add a new attribute to our users, so let's go to my users, here I have sebi, okay, and I have here an attributes field, and what I can do for instance is create an attribute called avatar, and as value I just put it here and then add it. Okay, now my user has this attribute, but it's not enough, it won't come into my token by magic. I have to tell the client, so the web app, to map this user attribute to the token. How can I do that? I go to the clients, so here different clients are configured, my web app is called quarkus-front, and what I can do is create a mapper. I create a new mapper, and it's a mapper of the type user attribute, and here I just specify which attribute I want, avatar, I can give it the name I want on my token, here I can decide, well, I want it on my ID token, hmm, I don't need it in my access token because REST services don't care about my profile picture, okay, so I just save. I forgot the name, here we go, and I save it. And now if I refresh here, log in... it doesn't work. Let me just make sure I got my avatar. It didn't appear. What happened? Did I save it? Avatar, avatar, user attribute avatar... oh, string, probably this, I forgot to mention a type. So if I refresh here and I log in... and it didn't work. Okay, the demo gods are playing with me right now, I have no idea what is happening. Let me just quickly see here, keycloak.idToken first, and I check my avatar, it is
undefined. Okay, so I have a demo effect, not sure why it is happening right now, too bad, it should be there. Just let me check it one more time where it is... not there. Mapper, mapper, okay. I ran it just before and it was all working, but normally, if the demo gods don't play with me like they are doing now, and I have no idea why, I should have here something called avatar pointing to my image, and it should be displayed here, because then I parse the token and I just grab the URL here. For some reason it decided to have some fun with me. Let me see if I just update it here, and let me do logout and login again, sebi / sebi... oh, okay, so let's forget this part for now, too bad, no idea what is happening. Anyway, let's go for a while just back to our login screen, okay, and let's see how we can trick that out, because here if I go to my realm settings I have a tab called login, and maybe I want new users to be able to register, I probably will forget my password so I want a forgot password link, I want remember me, and I save that. And if I refresh here now you can see I have remember me, forgot password, and I can register new users. Maybe your boss wants your users to be able to use social accounts to log in; sure, that is also possible. If you go here to identity providers you can just add a provider. You are all developers here I guess, so let's add the GitHub provider. Here normally you create an application on GitHub and it will give you a client ID and a secret; let me just put here dummy values just to show you how it works, okay, here we go, and if I refresh now I will be able to log in with my GitHub account. Okay, so that is how easily I can trick out my login screen. Of course the look and feel here is based on themes and you can change that, you can create your own theme to match the look and feel of your company. Let's log in again, and let me see, now we have this access token back here, and that is what I'm going to use to call a REST service. Okay, so let me just go back to
my slides for a while, here we go. Okay, so what will happen when I send a request from my web app to a backend service? I will put this token in a header called Authorization. My service will grab this token, and this token has been signed by Keycloak, it has been signed with a private key, and my service has access to the public key, and it just needs the public key to verify the signature of my token, and that is enough for it to say okay, it's a valid token, this person is authenticated. Okay, so it retrieves the public key and verifies the token. Retrieving the public key just happens when you start your app. If you don't trust your service for some reason, you can also ask Keycloak to verify your token, but be careful: if you are under heavy load, that means that for each request your service will go back to Keycloak to verify the token. Offline verification is enough most of the time. So basically how do you make this kind of request? So for instance in our JavaScript app or web app, you just create a new AJAX request, and if you have access to the Keycloak object, we will see the code in a few moments, you just set a new header, Authorization, with the value "Bearer", space, and your token. How do we do it in Java? So imagine here we are in a servlet method, you can grab the Keycloak security context, then you use whatever HTTP client you want, and again really easily you just add a header here. And I have the last example in Kotlin, because why not, Kotlin is fun, it's really concise. That is a Kotlin app with Spring Boot, and we have a special library for Spring Boot where you can use the Keycloak RestTemplate customizer. If you use this RestTemplate you don't have to care at all about putting the token in the header because the template will do that for you, and here you just do a get and the custom template takes care of putting the header. Okay, so let's take a look at this. If we go back to our application here I have something called service call,
and if I click it, it should not work, and obviously, because yeah, I don't have any service right now. And let's take a look at the code. That is, sorry, that is the Node.js app, that is for just after, and let me go to the correct one... yeah, no, sorry, where is my correct one, here, sorry. That is the web app, just to show you how you can use Keycloak in the web app, pretty easy: you import the Keycloak library, and once you have it you just create a new instance of the Keycloak object, here you do the init, and once the guy clicks on login it will do the whole redirect flow and you will be able to obtain the tokens. I don't go into the details too much, but let's just take a look at the service call. Here you recognize the code that I showed you just before: we set the header and we set the token, and here we call the service. But the problem is that this service doesn't exist right now, so let's create the service and let's see how our application can call this service.

Okay, so, checking the time, okay, let me create an application from scratch. Okay, let's create a new... it's the font, okay, do you want it a bit bigger? It's okay? A bit bigger? No? Okay. So let's call it the product service. Okay, I go to my product service, and usually I show Spring Boot or Node.js; this time I will create a Quarkus app. Was anyone at the Quarkus talk just before? Okay, just you. Okay, so Quarkus is a new, really exciting Java stack to build your applications. I'm really excited about it, not because it's Red Hat, but because it's really exciting technology, but we will see that right now. So I create a new Maven, a new Quarkus app, and for that I can use the Maven plugin of Quarkus, and here I call the archetype, and I have a create, so here I say my package, and then I will call that the product service, version 1, yes, do you want a REST endpoint? Of course I want one. I will call it ProductResource, and no, I don't want to listen on hello, but I want
to listen on products. Okay, and my project is done. Okay, so let me load that project in IntelliJ. Okay, so I open my new project, and it's in the devoxx folder, that's the one, okay, here we go. Let's do a new window, because that's my backup in case, since the demo gods are playing a bit with me. Okay, here we go, so that's my product service, and you can see here if I open the product it has just created an endpoint for me. Okay, before diving into the Keycloak part, let me just show you a bit how nice Quarkus is. So what we do here is build my app and start it in dev mode, Quarkus dev mode, that means that my app will be running, and while it is running I can keep developing, I can just keep implementing my app and it just will work. Okay, so if I go here to my terminal and I do a curl localhost:8080/hello, you can see that it returns hello, and if I go here and I do "hello devoxx", I save it, and I curl again, it says "hello devoxx" this time, you see, it's instantly reloaded. It goes even further than that: I can just take that and create a new method with another path, let's call it bonjour, and here it returns "bonjour", in French, I save it, and here if I curl again /bonjour I see bonjour. So the developer experience is really great for that. But what we want is to create a service secured with Keycloak, it's a product service, okay, so let's just get rid of that, and it's a get, products, and that will return a hard-coded list of products, Arrays.asList, and it returns an iPhone and an Android, okay, returns just two products, awesome. Okay, how am I going to secure that with Keycloak? The great thing is that Quarkus works with extensions and there are a lot of extensions, for RESTEasy, stuff like that; there's also an extension for Keycloak. So all we need to do here is to add a new dependency, it's called keycloak, there it is, and since I will manipulate JSON objects I also
want JSON-B, okay, that will be enough. Let me do the auto import, okay. Because I added new dependencies live reload won't work, so let me stop it for now and we will restart it again. What do I need to do? I need to provide some configuration for the Keycloak extension. You could use the properties file here, but you can also do it the classic way Keycloak expects it: a JSON file called keycloak.json. So let's do that for now, keycloak.json, and here you will see my fast typing skills, I type really fast. Okay, so basically here I say to which realm I want to connect, where my identity server is running, and how my resource is called, how my client is called, this side. Okay, and I have one last thing to do, oh yeah, I have to change the JSON... let's make it JSON, and here I have just one annotation, RolesAllowed, and here I say the user must have the role user to be able to access this path. Okay, so, oh yeah, and I have to return, sorry, I just have to return a list of strings, yeah, thank you, and JSON. Okay, let me start the application again, should be fast, oh, and it will fail because I didn't update the test case, and I have a really nice way of fixing the test, don't do that, this is the best tip of today. Okay, here we go again, now because it's secured, it's not expecting a 200, that's a 401. Okay, let's make sure that our endpoint is secured, so if I curl again against products: not authorized, you can see here, so that's good news, that means that my app is secured. I need one more thing, because my web app is not running on the same domain, I need some CORS. I'm sure you all have fun with CORS. So what I will do is create a new CORS filter really quickly, it's a CORS filter, and again here you can see how fast I can type, pretty basic, let's not spend time on that, and that should be enough. And now if I go back to my app here, and I'm a bit afraid because the demo gods really ruined my first demo, but let's see how it goes, so if I
go with sebi / sebi and I go here to my service call, I call my service, and you see here my products. We can take a look at the network here if you want, it's pretty interesting if you feel cool, so here we have the products, and here you can see the Authorization header where we put my header. Okay, so that is how easily I created live a new app. I have 20 minutes left, so what I want to do now is go a step further. I have here a Node.js app, a REST service also, and it has an endpoint called premium products; this returns just one extra product, okay, and as you can see it's protected by Keycloak as well. So we have a Node.js module for Keycloak, it's pretty easy, all you have to do is to specify the Keycloak package in your package.json, here, the latest version, and then you are ready to go. You have some small configuration to do here for Keycloak, but basically it works with Express, and in any route that you define you can pass Keycloak as a middleware, and here I say okay, this route is protected and the user must have the role user. Okay, so let's start this Node.js app, okay, npm
start. Here we go, it started, awesome. If I open a new window here and I do a curl on localhost:3000 for the premium products: access denied. So it's okay, my service, my Node.js service is running and it is protected, no one can access it if they don't have a token. What I want to show you is how we are going to update our product service that we just built, so that this app can also... what I want to do is call from here the Node.js app to get that extra product and add it to my list. Okay, and for that I'm going to use another extension for Quarkus which is called the REST client, so let me add a new dependency, and it's called... client, no, client, it's called the SmallRye REST client, okay. So with that I can easily create a REST client, let me show you how that works. Basically what you do here, you create a new file, it's an interface to define your REST client interface, let's call it PremiumService, okay, here we go, let me make it bigger, PremiumService, and here I add some annotations: I want to register it as a REST client, and I want to register client headers. This second one is really interesting, I will show you that: basically it allows me to automatically propagate headers that I received from my first request, so I don't have to care about adding the headers myself. Okay, and this one is a GET method, a String getPremium, okay, it returns a String. And here let me update a bit this part, so I inject here my REST client which is called premium service, PremiumService, here we go, and here I do just premiumService.getPremium() and here I add my premium. Okay, almost there, I need just to specify two properties. Let me go to the properties, here I have to specify, and with the client again I use a shortcut for that because it's not that interesting, basically here I tell where my service is running and here I tell which headers should be propagated. Okay, and I just remembered that I forgot something really important, so it's great that I put it here: you
have to put a path as well, and it's called premium products, okay, and it is complaining, but okay, we don't care. Hopefully now I just restart my app, so it's that app, I have to stop it and start it again because I added a new dependency to my pom. And oh, did I... I did a typo somewhere, oh yeah, semicolon, Java, so stupid, I'm an old Groovy developer, I don't care about semicolons. Okay, let's go again. Okay, products, yes, my Node.js service is running, awesome. Okay, let's go back to the front-end app, let me log out, let me log in just to be sure, sebi / sebi, here we go, and now I go to my service call and, okay, wow, let me see: "could not find method for public abstract ... PremiumService getPremium". Okay, let me just open my backup, as you can see I did a lot of tests. getPremium, oh yeah, that's probably... REST client, okay, it's probably because I forgot to put this here, oh yeah, I have to do this, application text, and there was another annotation that I missed I think, yes, oh no, that's the same one. I'm just in panic mode when things don't go, oh yeah, and again sorry, I went a bit too fast, I'm just upset about my avatar stuff, which is not the greatest demo I ever made. Yes, so, I don't think so, no it doesn't work, okay, this is okay, I shouldn't have to reload, and if I go here, let me just refresh this way and do login and service call, and yes, it's working. So here you see we added quite a lot of stuff in our app: we started from a web app that obtains the token, and you can use this token to first call our Quarkus service, and this Quarkus service will call a Node.js service which is also secured by Keycloak. 10 minutes, great, 10 minutes, that gives me the opportunity to show you at least two more things. What I wanted to show you is a bit of authorization, because what we saw until now was authentication: I just identified myself and we
had some basic role-based access control which is in my app, but Keycloak is also a full authorization server, and that means that you can also delegate all your authorization rules to Keycloak. So instead of having this in the code of your resource, to show you, instead of having this you just remove it, and Keycloak will handle that. Okay, so let's see how we can do that. For that, first thing, I need some extra configuration, and again it's a bit boring for you to see that, not really interesting, but it's almost the same, except that here I specify a policy enforcer, and when the configuration sees that, it knows that it has to use the authorization service as well, and that will send a request to Keycloak to retrieve all the permissions. Okay, that is all I need to do on the app side, so I remove my annotation, and now I need to go to my console and I need to enable authorization. So that's my product service here, right here, it's a bearer-only client, we don't really have time to dive into that, but the thing is we need to make it a confidential client first. Okay, confidential client means that the app will need to share a secret. Let me do that right now because otherwise I will be sure to forget it, and that is probably not the same. So that just means when my app starts up it exchanges the secret with the Keycloak server to be authenticated as well. Okay, and what I have here is authorization, I can just enable authorization, okay, and I save it, and now I have an extra authorization tab, and there I can define my authorization resources. And what we want to do is have the same behavior as before, so we want a role-based resource, okay, so let's create a new resource called role resource, here we go, role resource, and we want to apply that on the products URI, and I think it's okay, that's great. I come back to my resource and I need to create a permission, and my resource could have more than one permission, we will see that. Let's create a role permission and we
create a new policy, a role-based policy, so we call it the role policy, well, role stuff, yeah, we don't care. Here I can choose a role, so in my app I had just one role, user, and I say it's required. Okay, I save this, I save this, I should be good to go, so let's try it. My product service, I think no reload is needed, so let's go back here, and it should just work as before, yeah, it works as before, and that's what you want. But remember we removed the RolesAllowed annotation, and to prove that let me just do that: let me create a new role called superuser, okay, superuser, and I go back to my client, product service, and I go here, I go to my policy, my role stuff, and here I say okay, now I want extra security, the user must also have the role superuser, okay, and I make this required, I save it, and here again I try to call my service: it doesn't work, because I don't have the role, you see. So I was able to manage my roles from the Keycloak side, and if I go here to my users, to sebi, and I go to the role mapping, and this time I assign this role, and here I just refresh, and this time I should be able to get my products back. Okay, five minutes, awesome. Let me just add another policy that I really like, it's really funny and great for demo purposes. I go to my resource, let's create a new permission based on time, the time policy, time permission, okay, time perm, here we go, and here I want to create a policy based on time. You can make it really fine-grained, but imagine we want users only to be able to access my service between 17 and 18, that is right now, okay, and I give it a name, time, here we go, save, save, okay, and that means that if I refresh here and I log in again I should be able, yeah, okay, that works, great. And just to prove it's working, if I go back to my time and I make it from 18 to 19, so we are not in this slot, oh, save, okay, I go back to my app, service call, it doesn't work, you see. So you can centralize your whole authorization. I forgot to log in, oh
thank you, that's why I got service unavailable, let it... it doesn't show. Okay, so I have four minutes left, is that correct? Okay. I don't have... I was planning to show you how to secure a PHP app, that was really a challenge for me, because if you don't have a Keycloak adapter library we have something that is called the Keycloak Gatekeeper, which is a proxy sidecar app that you can put in front of any application. So imagine an old COBOL or PHP app, you still can put the Gatekeeper in front of that. Oh yeah, I know what I can show you: you know two-factor authentication, where you have to log in and then enter a code with Google Authenticator or something like that? It would be cool to have that in our app. Okay, OTP form, let's make it required, let's see how that works. Okay, let me log out, let me log in, sebi / sebi, hey, now I need to scan my QR code, so I think I have... yeah, I have Google Authenticator here, I want to scan a new barcode, okay, here we go, and now I have devoxx, 3 4 9 0 3, submit. Okay, I now have two-factor authentication, and that setup is just the first time of course, so if I log in again I just need to enter the code, okay, and I just showed you that at the end, otherwise I would have to do that all the time. So that is how easy it is to add two-factor authentication. There's way more: yesterday I gave an 8-hour Keycloak workshop here in the other room, all the content will be available with the examples, and so if you want to dive in, I covered more or less what I did here but in 8 hours, so actually a lot more stuff, but I have really detailed instructions and people can just follow it. You can just reach out to me on Twitter, or I'm here until tomorrow if you have questions, and I would like to thank you and enjoy the rest of the conference. Thank you. Any questions?

Q: Thank you for the talk. I wonder how the RolesAllowed annotation works, and does it call some other check every time, does it go to the Keycloak server?

A: No, it uses the token. On
the token here: when I parse the token, in the access token I got the roles here, so when the request comes in with the bearer token, the annotation just looks at the token, it doesn't need to ask. Oh, you mean for the second part, what I showed, the authorization? Yeah, yeah, now the authorization: the app loads up and retrieves all the authorization permissions, and there's an authorization library that can check, based on the client and the permissions it has, and so then you can specify some refresh cache, because your authorization can change, so you can say every two minutes go back to Keycloak to get refreshed permissions. But most of the time it's the first time I get the permissions, and then you can do that offline. Okay, thank you.

Q: As far as I can see there is a custom login page?

A: Yeah, a custom login page, yeah, well, that's the default one, yeah, but you can customize it, yeah, this one, yeah, yeah.

Q: And what about the registration flow and the user management, something like that? For example I want to change my password but with my custom UI, or the same with the registration.

A: Okay, so as I said you can change the theme if you want that, you can also change the behavior of that. So you mean you want to... because even the registration form, you can customize that as well, and you can just package it in your Keycloak server and you will have your customized one. Or the other way: everything that I showed you on the console, or the registration, is also exposed as REST, so you could have another app that creates users for you, adds roles for you, resets the password for you. So basically all the forms are redirected into Keycloak, yes, that's how OpenID Connect works.

Q: Is there a possibility to forward over my backend application? So for example I am resetting my password and I send all the data from my backend to Keycloak, not from the client.

A: Yeah, you want to add your own login form, for instance, in your app. You can do that, it's called direct grant, you just
send your username and password to Keycloak and it gives you back the token without doing the redirect, but it's a pretty bad practice, you should not do it like that. Thank you.

Q: Well, first, thank you, it was very interesting and informative, and my question is: is it hard to run Keycloak in a cloud so that it is actually highly available?

A: Sorry, I missed the question.

Q: Is it hard to run Keycloak in a cloud? Do we just duplicate instances, or is there some work that needs to be done for the clustering?

A: Oh yeah, no, Keycloak is based on WildFly, the application server, and WildFly has a really solid clustering system and we just rely on the clustering of WildFly, so we support cross-data-center as well, and we use Infinispan for the distributed cache. So yeah, two weeks ago there was a nice blog post from the community, a guy explained how he did the clustering for Keycloak, so you can find more details there, but yeah, we support clustering pretty much out of the box, and basically you can even put some auto-scaling policies and it can actually shrink and upscale automatically. Yes, great, okay, thank you, okay, thank you again.
Info
Channel: Devoxx
Views: 19,678
Rating: 4.9896641 out of 5
Id: RupQWmYhrLA
Length: 52min 10sec (3130 seconds)
Published: Thu May 30 2019