Easily secure your cloud-native microservices with Keycloak | DevNation Tech Talk

Captions
Hi and welcome to another DevNation Live. I'll be your host today, and I'm very happy to have my dear friend Sébastien Blanc here to present something cloud native: how you can secure your microservices. So Sebi, thank you very much for joining us directly from the beautiful city of Nice in the south of France. Sebi, the stage is yours.

Thank you a lot. Awesome, it's an honor to be introduced by you, and I'm really happy to give this session. It's always special to give a live session like this. First I would like to thank my daughter, because I had a huge laptop issue and she lent me her laptop, so I had to install everything on that. It's working perfectly, so that should all be fun. Today we're going to talk about security. It's really short, 30 minutes, and I hope to show you a lot: not so many slides, a lot of live coding. I'll try to cover many use cases, and then we will have time for questions. So let's switch to my screen share now, and here we go. Let me go to my slides.

Okay, so let me talk a bit about security, and more specifically about how you can secure your microservices in a cloud-native environment. Yeah, that is a lot of buzzwords. We're going to use Keycloak for that. I don't have time today to give you the whole big picture of what Keycloak is, but Keycloak is an identity and user management server. Basically it takes care for you of all your user management, your authentication flows, your authorization flows; you don't have to care about that anymore because Keycloak does that for you. You download it, you unzip it, you start it, you put in some configuration, and then you can secure your web apps and your back-end services. And let's focus on that today, because in a cloud-native environment you could have, let's say, a Spring Boot microservice deployed, a Node.js service deployed, a Quarkus app deployed, maybe even a Go microservice, and you want to secure all these different technologies in an easy way. And with Keycloak it's possible to do that in an easy way.

So basically, how does Keycloak work? Keycloak is based on, is using heavily, the OpenID Connect protocol. So most of the time you access your web application, and that is where you will log in to the Keycloak server to obtain a token, and with this token you will be able to make requests to different services. We won't spend too much time on this part because it's not really the topic, but once you log in in your web app, Keycloak will give you back three tokens: the ID token, which is a bit like your identity card, but then also an access token, and that is the token that you will use to make secured requests to other services. This access token has a really short lifespan, around five minutes by default, and that's why Keycloak also gives you a refresh token that you can use to obtain a refreshed access token. Okay. If you look at a monolithic application: I go to my server-side application, for instance in my browser, and then I want to authenticate; I'm redirected to Keycloak, where I enter my credentials, and then there's the whole OAuth flow happening. Let's not spend time on that, but if everything is okay, the tokens get back to the web app, and then with this token you can make requests to any services.

So how does that work? You can see here on this picture the user has logged in to his application and now he has an access token. This token, by the way, is a JWT, a JSON Web Token. That means it's a token that contains a payload; it's a self-contained token. With this token he can call any service; the service will receive the request, it will verify the token, and if it's okay it can go on with the request. So what is exactly verifying a token? When your service receives a token it will verify the signature, because when you obtain a token it has been signed by Keycloak. Keycloak has a private key that it uses to sign your token, and your service has access to the public key, and with the public key it can verify the token. There are two ways to do that. One way is doing it offline: that means that when your service starts up, the first time it will retrieve the public key, and then it can just verify your tokens without asking Keycloak again. But if you are in a less trusted environment, you can also ask your service to always ask Keycloak to verify the token. But be aware, if you do that and you have a lot of requests, there will be a lot of requests to your Keycloak server. In most of the cases the offline signature verification should be enough.

Okay, that is for one service. But what if your service needs to call another service? That is what we see here. Well, that's the nice thing with this access token: service A, once it has verified your token, can use the same token to call service B, for instance, and service B could be a completely different technology, and service B in its turn can also call a service C. And that is exactly what we are going to see now in the demo. I will have service A, which will be a Quarkus application; service B will be a Node.js service; and service C will be a PHP, as you heard it well, a PHP application protected by a sidecar proxy delivered by Keycloak called the Keycloak Gatekeeper.

How do you make such a request? Let's see some sample code and then we switch to some live coding. So the first case, the most common case, is once you have logged in into your application, you're in your web app and you want to call a service. So here's some JavaScript. How do you make a call with JavaScript? This is plain vanilla JavaScript; it's pretty easy. You make a new Ajax request, and the only important thing here, you see, is in the third line: you have to set a header called Authorization, and then the value is always "Bearer", space, keycloak.token, your token, your access token. Okay, let's see another example, for instance if you are in a Java application. This is more or less if you are in a servlet method, for instance you are in your servlet method and you need to call another service. That's pretty easy with the Keycloak adapters: you can obtain a KeycloakSecurityContext, and from this context you can obtain a token, and then you just use any HTTP client that you want, or a REST client, it doesn't matter, as long as you can put a header. Okay. And the last example, which mixes two technologies: here it's a snippet from a Spring Boot application written in Kotlin, and here you can see, with Spring Boot we provide some nice features, something that is called the Keycloak RestTemplate customizer. It's just like a regular Spring RestTemplate, but it takes care for you of putting the token, the access token, in the header, so you don't have to take care of anything. Here you customize your RestTemplate, and here if you do a GET to another service, it will just put the header for you.

Okay, enough talking, let's move to some code and some demo. I have a really simple web app here, really simple; it's just some HTML and some vanilla JavaScript, and all I have done here is adding, as you can see here, the Keycloak JavaScript library, and on top of my page in the navigation bar I have a button called Login, and I just call the login method. Okay. And that is the application running here, a really simple app, and when I click on Login I will be redirected to my Keycloak server to enter my credentials. So let me click here and log in, and here I'm on my Keycloak server; I'm not on my web app anymore. Here I can log in with a user I've previously created, Sebi, and I give the password, and I just log in, and now I'm back, I'm redirected back to my application. Okay. And if I go to Token here I can see that I have my three tokens, as I spoke about before: I got my ID token, and I got my access token (you can see it in JSON format), and I got my refresh token. When I make a request I will use my access token, but I won't use it in this format; that is not really convenient to pass as a header, as you understand. So what I will do is convert it to a base64 format like this one, and this is the value I will put in any request I do.

Okay, now that is how to obtain a token. Let's try now to make a service call. So here I have a button, and if we go back to my code here and we go to app.js, here we have the simple call, and this is just like the code snippet I showed you before. I'm trying to call here localhost:8081/products. That service doesn't exist yet; we are going to write it from scratch. And you see here I just pass the token. So if I go back to my app and I try to make the service call, nothing happens. We can even see it in the inspector here: if I do my service call again, in the Network tab, you will see it fails because the service is not present. So let's create from scratch our first service.

Okay, and for that we will create a Quarkus app. For those that don't know Quarkus: Quarkus is the latest, coolest Java stack to create Java applications for the cloud. Really low memory footprint, very fast, and an amazing developer experience, and that's why I can do it live from here. So let's go to a terminal here and let's create a new Quarkus app. So here I create a Quarkus app using the Quarkus Maven plugin, and I call the create goal, and here I will have some questions. So let me set the package; it will be for Sebi; I will call it the product service; version 1 is okay; yes, I want the REST resource, and it will be called ProductResource. Okay. And the path will be /products. Okay, and now I have created an app, an empty app that just contains one REST resource, and I can just open this in my IntelliJ. So let's go to IntelliJ and let's open the application that I just created. So here I go to DevNation and I see here my product service. Okay, let's open that in a new window. Here we go, and it will just load my project here; it should take a moment. Okay, here we go.

And if I go to my main source, Java, and I take a look here (oh, I'm clicking too fast) at ProductResource, let me make this a bit simpler. I could run that Quarkus app; it would work; but what we want here is to add some Keycloak and make a secured REST endpoint. So the first thing that I will do is add some extensions. Extensions in Quarkus are like plugins to add new features to your app, and I need two extensions here for my app. The first one, I need something called RESTEasy JSON-B, because I will manipulate some JSON, so I enable JSON support. Okay. And the second one that I need, of course, is Keycloak, so let me add here quarkus-keycloak. Okay. And that is all I need. And now I want to create a secured resource here on the path /products, and let's make a method called getProducts. Here we go, and it will just return for me a list of products. So let's do it: let's return something called Arrays.asList, and here I pass my product, and let's pass another product, like "other product". Okay, here we go. And here I need to change this to return a list, a list of String, and I'm almost done. I need to specify it's a list. Okay, here we go. And now I want to secure that method, and that is pretty easy: I will just say @RolesAllowed, and here I say that only authenticated users that have the role "user" can access this method, and my user Sebi, for which we obtained a token, has the role "user", so that will work. Okay. And well, I'm already almost done; I just need to add some properties in a properties file here for Quarkus, and because it's a bit boring I have a template for that, but let me go through it. Pretty simple: here I say where my Keycloak server is running, the name of my service, and on which realm. Okay, that is all I've done, remember, and completely from scratch. Okay, let me just (you should not do that at home) delete the test, because I changed the resource and by default my test will not pass. Okay, and now I can run my app. So let's go back to my console and to my terminal, and let me see.

I'm sorry, I'm stuck; I'm not used to using a Mac, so let me see here. Okay, let me close this one, and I just want to move to... oh, here we go, sorry. And all I need to do is mvn package quarkus:dev, and that will package my app and run it. And it's failing... oh, I forgot to cd; I was not in my project. So here I am in my project; it will package that as a jar and it will run it, and then my service should be able to access it. Okay, so it's taking some time on my computer. It's just a small MacBook Air from my daughter, which is not the fastest, but believe me, with Quarkus your app should start in less than a second. Okay, here we go, it's running. So it started in 3 seconds; yeah, that is a bit slow. We can just make sure here: if we go to my service, localhost:8081/products, I should have an error, not authorized, right. Okay, now that means that my service is secured. But now, my app here, I still have my token; I should be able to call my service, and this time it should return some results. And here I do my service call, and of course it's not working, because I have a demo effect. I'm not sure why... oh yes, no no no, you know what, it was part of the demo. It doesn't work because I have CORS issues. I need to add a CORS filter to my app, and that is a great opportunity to show you that I can fix that in my Quarkus app without even stopping the app. So let me go back to my Quarkus app, which is here, and just while my app is running I can just create a new class. Let me create a Cors class, okay, and here again I'm using a template because it is pretty simple, for those that know CORS. And here I just save it, and now if I go back to my service call here, I should now be able to make a call. Let me see... you see, my products; it is working. And if we take a look at the call here, in the preview, in the headers, you can see that I pass here the Authorization header. Okay, so that was the first step.

Now I want my Quarkus app to be able to call another service, and it will be a Node.js service, a really simple service that just returns an additional product. Okay, let's first fix that in the Quarkus app so that we can make a call to another service. Let's go back to my code. Here we go. And what we will do first is we need to add a REST client, and this REST client is called... here we go, and paste it... sorry, oh, it's gone; I did Command, I'm on a Mac of course... so it's quarkus-smallrye-rest-client. Okay. And with that I will be able to... I make typos... and here we go, SmallRye REST client. With that I can create a simple REST client to call other services. For that I need to create an interface, so let's create a class called PremiumService. Okay, PremiumService, here we go, it's an interface. There we go; let me make it bigger. I just need to annotate this as a REST client, and also I need to register the client headers; I will explain that to you later, that is to propagate my token. And I need to provide a path, and the path will be something like premium/products. Okay. And here I need to put this, okay, and it will be just a simple method returning a String, something called getPremium. And as well... oh sorry, no, it's an interface, I don't need to implement it, sorry. And that is all I need to do: getPremium, GET, String. Okay, here we go. And now in my ProductResource here I can just inject my REST client, so annotate it as @RestClient, and it's my PremiumService, and here I can just do String premium = premiumService.getPremium(). Okay, and let me add the premium product here to my list, and there we go. And the last thing I need to do is to add some properties again; let me again use a template here. Here I just specify where my REST client should consume the service; that is on localhost, that is where my Node.js service will be running. And the other really nice thing here with Quarkus is that you have something called propagateHeaders, and here I say when you receive a request with the header Authorization, just propagate this header in your REST client, so I don't have to take care of any access token to be passed; it will be done for me. Okay, and that is all I need to do.

Okay, so let me just go back here to my app; because I added a dependency I just need to run it again, and while it's running let's move just for a while to my Node.js service that we are going to consume. So with Node.js you have a Keycloak module called keycloak-connect; you just add it to your package.json, and you declare it here, and then it acts as a middleware for Express. It's pretty easy to set up; let me skip that because we are already a bit late, but what is nice here, when I define my Express route here, so on premium/products, I just need to pass it as middleware. So here I say keycloak.protect, the user should have the role "user", and here I send another product, a premium phone. Okay, so let me start this app; let's start in debug mode, should be fine, I think. So here my Node.js app is running. Let's make sure it's running: so if I go here to 3000/premium/products... oh, it's a good thing, okay, it's complaining because it doesn't have any token, which is perfectly fine, and it gets here an access denied. So my Node.js service is now protected, and if I go back here to my app, now if I do my service call I should have a third product coming from my Node.js service. Let's hope the demo gods are on my side. And if I call here my products... well, I'm not lucky, because it's complaining. What is happening? Oh, you see, maybe I missed something; don't stress: "could not find a method for abstract getPremium". Okay, let me just go back to my code; I maybe have done something wrong here. Let me check PremiumService, getPremium, PremiumService with client, getPremium... I don't see anything. I'll just take a look at my backup, which is on my other computer, because I really want to show you that.

PremiumService... oh yes, I did the wrong annotation here: it is @RegisterRestClient and @RestClient, sorry. Okay, here we go, that should be better, and again I don't think I have to reload. And if I go back here it's still complaining, so maybe I need to reload. Let me just break it and run it again, to be fast. Here we go. Let me make sure I haven't missed anything: premium/products, okay. Let me see my properties; don't worry, that looks okay. Sebi, looks fine; it should be okay. Okay, and let me do my service call... and it's not working, and I don't know why. That is not funny, because it was working just before: "could not find a method for abstract getPremium"... oh, sorry, sorry, I know, I know, I need to clean here, clean, because it was still packaging without recompiling. Yeah, I wanted to be too fast; I'm sorry for that. And let's make a last attempt, and otherwise we won't move on; well, we are close to the end already, but okay. So here we go, and just let me log out and log in again, Sebi, Sebi, yeah, login, and here I go to my service call and I call my service, and it is not working. I'm so, so sorry; I probably missed something. Vivek, yes, please. You know, I'm a... String getPremium, that should be good, I don't know what... oh yeah, sorry, sorry, I'm really, really too fast. Let's just finish that, because I really want to show you that. GET: I forgot some annotations, and I need to produce this, there we go, text. Okay, and that should work, maybe without a reload; I've been saying that several times already, but this time, let's cross our fingers. Okay, here we go... you see, I'm happy, it's working. So here we get my two products from my Quarkus app, and this one comes from my Node.js app. Okay, it took some time because I was not typing well, but that's it. Let me see, do we have a hard stop, or can I show a last thing? I don't know if someone from the staff can tell me that, because there's a really last... sorry, okay, can I go on for two more minutes? Yeah, okay.

Let me just check with the staff, can I go on for a while? Yeah, one more, go ahead. Okay, let me just show you the last part, because I want to go a step further, and I want to also change my Node.js app so it can make a call to a third app, and I told you it can call a PHP service. For that I'm using something called HTTP propagate, and request HTTP propagate will just make sure to propagate my headers as well, okay, a bit like what we did for the other app. So let me just do this really quickly: propagate, and here I instantiate it with this, and here we go, I need to provide just the headers to propagate, okay, and here I pass just small stuff, like... well, what we want to propagate is my Authorization header, okay, Authorization header, that should be okay. And then if I go here back to my method, I was smart enough to comment that out here, and here I call my PHP service, which is behind a proxy, and that should be okay. So let me restart my app, let me start... let me start the proxy that is behind my PHP service; we don't have time to see exactly how it works. And now if I go back here, let me make sure my PHP service is secured... yeah, that's great, I got a 401, that means it's secured. And now if I go to service call I should have... yeah, here you see. So let me zoom in: my products, other product, another product, and my Node.js service is calling the PHP service, and yeah, I forgot to change the string, but this last string here is coming from my PHP protected service. And that is really what I wanted to show you. I don't have time to show you the authorization part; that will be a next DevNation session, I guess, but at least we saw three cloud-native technologies, Quarkus, Node.js and a Go proxy to protect any app, and how you can put that in place to secure a whole set of microservices with Keycloak. And let me go back, and I'm now going to stop the screen share and go back to video.

Oh, that's the staff. So yeah, that was really quick. I hope you enjoyed it. There are some resources of the demo which are already available; I will share that. I have a complete workshop around that, and that takes more time than these 30 minutes, but I will share it with you. And let's try to answer some questions; you're going to help me with that. Let me just drink some more tea. We have a lot of questions, I see, and some comments; have we selected some questions? Okay, apparently it's from you, but I'm looking. "Is the code shared on this session?" Yes, I will share it; all the examples that I showed you will be shared. "Can you run Keycloak on OpenShift?" Yes, of course. Here, for demo purposes, I didn't run it on OpenShift, sorry, but yeah, we are working really well on OpenShift, and with the next OpenShift release there's a lot of stuff coming around Keycloak and operators, which will make it so easy to deploy and upgrade your Keycloak server. So yes. "Will there be a recording?" Yes.

Hello, haha, I'm back; I had to come back. Okay, unfortunately we ran out of time, and we had a lot of questions. First of all, thank you very much for the nice demo; we know that live coding is very hard. What we can do is we're going to take all of the questions and send them to you, and maybe we can share it later on the YouTube video link so the audience can get the answers. And again I would like to thank everybody that was watching. Thank you Sebi for this simply awesome presentation, and see you on the next DevNation Live.
Info
Channel: Red Hat Developer
Views: 5,917
Rating: 4.9191918 out of 5
Keywords: red hat, red hat developers, devnation live, keycloak, keycloak ID
Id: JvPBWPDQ940
Length: 37min 26sec (2246 seconds)
Published: Thu Jun 06 2019