Keycloak Intro

Captions
Hi everyone, my name is Stian Thorgersen. I'm the project lead on the Keycloak project and I was also one of the co-founders of the project. Today I'm going to give you a bit of an introduction to various different features and capabilities provided by Keycloak, but let's start with a really quick introduction about what Keycloak is. So Keycloak is aiming to be very simple to use, ready out of the box, and allowing you to authenticate users and securely invoke REST APIs and microservices with little to no coding. The way that it works is that when an application wants login, authentication is then delegated to Keycloak. Keycloak then provides the login screens, Keycloak will store all the users, Keycloak will save all the passwords securely, and a huge number of other things. Once the user has authenticated with Keycloak, the user is now redirected back to the application, and the application will now obtain two different tokens: one token that allows the application to establish the authentication of the user, and another token that the application can use to securely invoke REST APIs and microservices with full end-to-end user authentication context. Keycloak is also able to pull in users from a number of different sources: you can federate users from an LDAP directory, from an Active Directory, or your own custom user store. Keycloak can also delegate authentication to other identity brokers, be it through OpenID Connect, SAML or Kerberos, as well as a number of different social networks like Google, GitHub, Facebook, Twitter and many more.

For the purpose of this demo I have a number of different containers up and running: I have my Keycloak container running, I have an LDAP server running, I have an example application running, and finally I have a little mail testing tool running. The first thing I'm going to do as part of this demo is to log into the Keycloak admin console. The Keycloak admin console is a very extensive, nice to use console that allows you to manage pretty much everything about Keycloak. The first thing we're going to do is take a look at the realm. So realms are like tenants: each realm can have isolated sets of clients and users which are all sandboxed from each other within Keycloak. It comes with one default realm called the master realm; this realm should be used only to secure Keycloak itself, while for your own applications you should create a new realm. So let's do that for this demo: let's create a demo realm, and I'll also give it a nice friendly readable name as well. Now that we've created our demo realm, I want to register my application into the realm so that the application is now allowed to authenticate with Keycloak and with this particular realm. I'm going to call my client js-console. Since this is a single page application I'm going to have it as a public type, which means that the application itself can't securely authenticate with Keycloak, so we need another way of establishing trust or making sure that this can't be abused, and we'll do that by specifying a valid redirect URI. This means that Keycloak will never redirect anywhere else with the information and tokens needed. Since this is a single page application we also need to allow it to be able to do Ajax requests to Keycloak to be able to obtain new tokens and so on, and this is why we're configuring a web origin.

The next thing we're going to do is to configure email sending, because we will want to demo this throughout the demo today. So the first thing I'm going to do is set an email address for the current user that I'm using to manage my Keycloak instance, and then I'm going to go back to my demo realm. Now I'm going to use my little testing tool for email, which is running as demo mail on my Docker local network, and I'm going to say that emails come from Keycloak. Now I should be able to test sending email, and here we go. I'll just quickly check that I actually got a test email, and we did, and let's get rid of this old email there. All right, so now that we have configured SMTP, instead of having the admin go in and create all the users, let's have the users self-register. So what I'm going to do is enable this option in the realm to allow users to register themselves with the realm. I'm also going to require users to verify their email address, because I want them to have a valid email, and you'll see towards the end of the demo why this is important for me in this case. Right, so now that I have allowed users to self-register and I've set up the client in the realm, I can now open my example application. My example application requires login, so it will immediately redirect to Keycloak when I'm opening the application because I'm not already logged into it. I don't have an existing user, so let's register a user; let's use my name for instance. Of course this registration form is completely customizable: you can add and change what details you're asking from users, and you can obviously also change the look and feel of this form. Now, since I asked users to verify the email address, this is the next thing I'm going to have to do, so I'll go to my test mail server, and here's my email that asks me to click on this link to verify. Once I've clicked on the link my email address is verified in Keycloak and I'm immediately logged into the application.

Right, so now let's add a little bit more information about this user to the system. What I'm going to do is go in through the admin console and add a new attribute for the user; I'm going to call it avatar URL, and I'm going to paste in the link for the Keycloak logo as my avatar. Now Keycloak is aware of this attribute, but I need to also pass it to the application, and the way that I do that is by registering a client scope which has a mapper which is able to then add additional information into the tokens passed to the client. So I'm going to create myself a new client scope, I'm going to call it avatar URL, hang on, and I'm going to create a mapper in this client scope. So I'm going to take a user attribute; the user attribute is called avatar URL as we created before, and I'm going to put it in with the same name in the token. It's always going to be a string, and let's say I want it in the ID token but I don't want it in the access token. The ID token is a token that the application uses to establish the authentication of the user, while the access token is the token that is used to invoke microservices, and let's say that microservices do not need to know the avatar, only the front-end application needs to know it, so we'll do it this way. Now I also need to control that this JS console application that I created before is actually allowed to use this client scope, so I'm going to add that as a default client scope. You can also make them optional, which allows applications to incrementally ask for consent, and we'll see clients asking for consent a little bit later. Now I've refreshed my tokens and now I've got an avatar. So how was the application able to do that? It did it by looking at the ID token and the claims, which is what they're called, inside this token. We can see here now we have things like the name of the user, given name, family name, preferred username; we have the email address, we know that the email is verified, and we also have this avatar URL link as well. So this allows the application to know information about the user. It also has the access token, which it can pass to microservices so that microservices can know information about the user and whether or not the request should be permitted. All of these tokens are obviously signed or encrypted; when they are signed this allows applications and services to trust them, because they can verify them based on the keys provided by the Keycloak server. And we can see here that there is no avatar URL in this particular access token, while there was one in the ID token.

Now, up until now we kind of made the assumption that this JS console application was an internal trusted application. Now let's say it's a third-party application, in which case we probably want users to consent to anything that they give this application permission to do. So let's enable consent, and if I now log back into this application, Keycloak will now ask me if I grant access to these various different things to my application. I see that I'm not really happy with it displaying avatar URL in this way, so let's go back and quickly fix that: I'll find my avatar URL and I'll give it a consent screen text, so I'll call it user picture. Let's refresh the page and there we go, now it's asking for user picture, user profile, user roles, email address and so on. OK, I'm going to allow this particular application access to these things, and here we go. Right, so I'm going to disable consent again because I don't want to have to keep consenting throughout the demo.

Now I'm going to go ahead and talk a little bit about roles. Keycloak has a concept of roles; roles allow you, obviously, to assign roles to users, which can then be used by your applications for role-based access control. What I'm going to do is create a role called user, and I'm also going to create a role called admin. So let's just imagine that a user is a regular user of applications, while an admin has administrator access. What I'm going to do now is add these roles to the user, so let's say that this particular user is both an admin and a regular user. Now I'm going to go to my client, and I can actually control what roles and permissions a particular application is allowed to receive, as well as what is added to users. So the roles that will now be available in the token given to the application will be the union between the roles that the user has and the roles that the application is allowed to use. So I'm going to say that this particular application is only allowed to access the user role, so any microservices that require the admin role, this application is not allowed to invoke those microservices, regardless of whether or not a user with those roles logs in. Now let's refresh our tokens again and let's have a look at our access token. We can see here that the realm access has the role user, but it doesn't have the role admin, even though that particular user had it. Now if I give the application access to the admin role as well, I can now refresh my token and I can see that now I have the admin and the user role. If I now go back to my user and I remove the admin role from my user, then I refresh my token and I can see that now we're back to just the user role, so it's the union between the two.

The next thing I wanted to show you is that Keycloak also has a concept of groups. A user can belong to multiple groups, and each group can have child groups, it can have attributes assigned to it, and they can also have roles assigned to it. So I'm going to create my group, I'm going to call it just my group, and then I'm going to add an attribute; let's call it user type, and let's say this user type is regular user, for lack of anything better. Let's also say that any user that's part of this group will get the user role. Then let's go to our user, and I'm going to take away the user role and now instead I'm going to join this group. Now groups are not added by default to the token, nor is this new user type attribute that we created, so I'm going to create another client scope, I'm going to call it just my scope, and I'm going to add a mapper. So I'm going to say I want group membership; I'll just call this group so that I can have a nice friendly way of remembering this, and I'm going to put that into the token claim group. Now I also want to add another user attribute into my token, and I want to do the user type; again I'm going to be using a string, and I'll add it to the ID token and the access token this time. Then I'm going to quickly go to my client and I'm going to give that also access to this client scope. Now if I refresh my token this time around, I can see in my access token I now still have the user role, even though that user doesn't have a direct membership on that role. I can also see that we have the group my group, and I cannot find my user type. So let's quickly try to figure out what's going on there; maybe I made a little mistake. So I forgot to save the form, probably; so call it regular user again, add that, save it, double check here, and now let's go and refresh our token quickly, and there we go, now we have the user type as well.

Right, so the next thing we'll take a look at is importing users and syncing users from LDAP. So what I'm going to do is register a new LDAP provider with Keycloak, which is another source Keycloak will federate users from. I'm going to make it writable, which means that Keycloak can both read and write, so if a user wants to change their first name and last name through the Keycloak account console, they can do so and it will be written back into LDAP. I'm going to paste in the URL and my user DN, so if you have used LDAP in the past this will be mostly understandable to you; if you haven't, this will be slightly Greek, unless of course you're Greek, then it will be Spanish or Chinese or something, but basically you won't understand it unless you've used LDAP. Now I'm also going to want to say trust email, which basically means that for any users from this LDAP directory I'll just trust that the email is correct, and now I can save this. So I'm going to synchronize all the users from this LDAP directory into my Keycloak directory by clicking on this button, and we can see I have now two imported users. So I'm going to go and look at my users, and I can see now I have this user that self-registered before as well as these two new users from LDAP, and I can also see that, you know, the email is verified for these users.

Now let's try to allow users to log into our realm from GitHub. I'm picking GitHub because GitHub is actually the one where it's easiest to register on the GitHub site; what we need to do on the Keycloak side doesn't matter, it's as easy as just adding a provider and passing in a client ID and a secret. For GitHub, for Google, for Facebook, for all of these it's a single quick configuration thing to add these things. So let's go to GitHub and create ourselves a new application; I'm just going to call it Keycloak demo. For the callback URL I get that from the Keycloak server itself, and for the home page let's just use the home page of the Keycloak server for lack of a better thing, and then register the application. Now if I go back to my application and I log out... actually, let me do one more thing before we do that: I actually want to register it in Keycloak. So client ID, I need that, and a client secret; this is how Keycloak will communicate securely with GitHub. I also want to trust emails from GitHub; I'm assuming that GitHub is verifying email addresses. Now I also want to pull in the avatar from GitHub as well, if the users have one configured, so this is an attribute importer: it's put in as avatar URL in the token from GitHub, and we'll put it in as the user attribute avatar URL which we used before. Now we can go and refresh the page, and now we can log in with GitHub. There we go, so now I'm logged in as a user that is logged in through GitHub, and this is my GitHub, well, my example GitHub user's profile picture.

Now I briefly told you before that Keycloak allows you to configure and customize the login screens and registration forms. So how do we do this? Well, that's done by creating a custom theme. A custom theme can contain style sheets, it can contain images, it can contain custom HTML templates, so you can do quite a lot of configuration and changes. So let's just take a look at one example here that I have: if I now change the login theme and refresh my login page, I get this really lovely cool new theme. So maybe let's change back, because it was a little bit horrible. Right, so that's pretty much how easy it is to adapt the Keycloak end-user-facing web pages to match your corporate branding and so on.

Now I'm going to show a little bit about how Keycloak signs tokens and how we allow you to rotate your public and private keys for your realms. I'm going to do this by using a little token validator tool that I have. So what I'm going to do is take the actual base64-encoded version of the token; this is how the actual token is sent to the application. This is basically three JSON snippets which are independently base64-encoded with a dot in between, so this first part is a header, the middle part is the token claims, and the last part is the signature. So now if I copy this and paste it into my little tool that can analyze this token, it will show me here there's a header which contains this information, there's the payload, and finally it's checking that the signature is valid. It does this by fetching the public key from Keycloak and making sure that the signature is correct. In this case we can see that the algorithm used for signing the token is RS256. Now let's imagine that we want to change this to using elliptic curves instead, which have a similar security property to RS256 but are less CPU intensive. I can do this by going and changing my default signing algorithm in Keycloak. Now that I've done this, I don't have to log in and log out again in the application; all I have to do is refresh the tokens, and now the new tokens that I receive will be signed using a different algorithm. So now you can see that this new token is signed with ES256. This allows me to seamlessly change the algorithms used for the realm and also for individual applications. More importantly here, this mechanism of allowing you to seamlessly update your tokens allows you to also rotate your keys, so it's a good practice, on a monthly basis or bi-monthly basis at least, to rotate and create new keys for your realms. You can do this automatically or you can do it manually; in this case let's do it manually. I'm going to create a new key, let's call it my key 2, and I give it a higher priority than the one that I had before, so that this now becomes my new active key, and I am going to save that. So now I can see that I now have two keys with different priorities for ES256. I can now go back into my application and I can refresh the token, and let's copy the new value. So if you look carefully here at the header there is a field called kid; this is the key identifier. So let's see, this one starts with r3s at the moment; let's paste in a newly refreshed token and we'll now see that this is now signed with another one. The same happens to any cookies and so on; the signatures of all these things are seamlessly rotated as long as those keys remain available. So Keycloak will also allow me to have both passive and active keys. So imagine that I now say that this key I created before, I don't want to have it active anymore; this now becomes a passive key, which means it can be used to validate signatures but it can't be used to create new signatures. So if I look at my active one, I will have gone back to my original key for my active key, and this new key is now my passive key.

Right, so let's now take a little look at how Keycloak allows you to manage sessions. So Keycloak supports single sign-on as well as single logout, but it also allows you to remotely log out applications: users can themselves log out applications remotely, and administrators can also log out sessions remotely. So in this case, you know, we're going to go back to our application; we can see, yeah, we're still logged in, we can do stuff. What I'm going to do now is go and find my user, and let's see what user we're logged in with... that was the Stian one, yes, that's right. So let's take a look at the sessions; I'm going to say, well, I'll log out this session. So now if I try to do something, I'm logged out. I can also go and look at all the sessions in the system, I can log out all the sessions and so on, and of course as a user I can go to my account console and I can look at where I'm logged in and I can log out sessions from here as well.

Another thing we can also do in Keycloak is that we have support for events. When a user logs in, or when a failure occurs, or when an application obtains a new token, and a number of other things, there is an event generated in the system. You can create your custom event listener that does whatever it wants with these events, but you can also save these events to the Keycloak database, and you can have them expired and removed after a certain amount of time to prevent your database from being clogged up with events. Now, right now, since I just enabled saving events, there won't be anything available in the system here, but if I now try to log in with a bad password a couple of times and refresh this, now we can see that I've had two invalid login attempts; I can see the username that tried to log in and lots of other information about this event. I can also, as a user, look at my own events. So if I try now as the admin, then I can go to the account console and I can look... hang on, that's the wrong realm; let's go to the account console for the correct realm. There we go, now I've got the account console for the Stian user. I'll have a look at the log: I can see I logged in. Let's try to log out, do a failed login attempt, and there you go, so now I've got the various different events that happened to my account.

OK, so the last thing we're going to take a look at is we're going to play around a little bit with how we authenticate users in Keycloak. We do this by creating a new custom authentication flow. So I'm going to take the authentication flow that's currently being used and I'm going to create a copy of that. I don't want to use the username password form anymore, so I'm going to get rid of that, and I don't want to use OTP anymore, so I'm going to get rid of that. We could have also left that in and we could allow those to be optional alternatives for the users to configure, but in this case I want to just get rid of it, and I'm going to use this little custom authenticator that I have deployed for this demo, which allows you to log in by a special link sent in an email. I'm also going to say I want this to be required, and I also want a user to use a WebAuthn security key, and I'm going to say this is required as well. So I'm going to now register a required action that allows a user to self-register a WebAuthn device, and then the final piece of the puzzle is that I'm going to switch across to this new custom authentication flow. So now if I log out, I can see that my login screen has completely changed: it doesn't ask me for username and password anymore, it only asks me for an email. So let's pass in my email; it says to check my email, so let's look at my email. I got an email called login link, and it has a special little link which allows me to automatically log in, and as I said I wanted to use a security key as well, so let's register a security key, and there you go, I'm now logged in through email and WebAuthn. Of course, if I wanted to, I could go and say I don't want to use my button anymore; if I now log out and log back in again then I'll get a new login link.

Right, so that was what we wanted to cover today. Obviously there's lots and lots more features and capabilities and things to find out about Keycloak, so go and check it out on our website, it's keycloak.org. You'll find links to our user mailing list there, how you report any issues if you have found some bugs, and how you can contribute to the project if you want to. The demo that I've shown today is available on GitHub; all the different images are there, and there's a step-by-step readme that allows you to walk through everything that I showed today, this is the link. And finally the Keycloak source is available on GitHub, of course it's open source, and also try out our new getting started guides that allow you to get started with Keycloak on various different areas or platforms, and we will be building out on these getting started guides going forward. That was it, so please go and check out the project, and thanks.
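The talk configures an avatar URL attribute mapper (ID token only), a group-membership mapper, a group attribute, and a client that is only allowed to receive the user role, then inspects the resulting tokens. The following is an added example, not code from the talk or from Keycloak itself: a small Python model of that token assembly. Every class and function name here (User, Group, Mapper, ClientScope, Client, build_tokens, demo) is hypothetical, and the avatar link, username and email are constructed sample values. It models the behaviour the demo shows: a user-attribute mapper decides which token its claim lands in, group attributes and group roles are inherited by members, and the roles in the access token are the user's effective roles restricted to what the client is allowed to receive.

```python
"""Added example (not from the talk or the Keycloak code base): how realm
configuration turns into ID-token and access-token claims. All names are
hypothetical; sample values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    attributes: dict = field(default_factory=dict)  # e.g. {"user_type": ...}
    roles: set = field(default_factory=set)          # roles every member gets


@dataclass
class User:
    username: str
    email: str
    email_verified: bool
    attributes: dict = field(default_factory=dict)
    roles: set = field(default_factory=set)          # directly assigned roles
    groups: list = field(default_factory=list)

    def effective_roles(self) -> set:
        """Direct roles plus roles inherited through group membership."""
        return self.roles | {r for g in self.groups for r in g.roles}

    def effective_attributes(self) -> dict:
        """Group attributes, overridden by the user's own attributes."""
        merged = {}
        for g in self.groups:
            merged.update(g.attributes)
        merged.update(self.attributes)
        return merged


@dataclass
class Mapper:
    kind: str                 # "user-attribute" or "group-membership"
    claim: str                # claim name written into the token
    source: str = None        # attribute name (user-attribute mappers only)
    id_token: bool = True     # the two "add to ... token" switches in the talk
    access_token: bool = True


@dataclass
class ClientScope:
    name: str
    mappers: list = field(default_factory=list)


@dataclass
class Client:
    client_id: str
    default_scopes: list = field(default_factory=list)
    allowed_roles: set = field(default_factory=set)  # roles the client may receive


def build_tokens(user: User, client: Client) -> dict:
    """Assemble the claims of the ID token and the access token for one login."""
    base = {"preferred_username": user.username, "email": user.email,
            "email_verified": user.email_verified, "azp": client.client_id}
    id_token, access_token = dict(base), dict(base)
    attrs = user.effective_attributes()
    for scope in client.default_scopes:
        for m in scope.mappers:
            if m.kind == "user-attribute":
                if m.source not in attrs:   # unset attribute: claim is simply absent
                    continue
                value = str(attrs[m.source])
            elif m.kind == "group-membership":
                value = [g.name for g in user.groups]
            else:
                raise ValueError(f"unknown mapper kind {m.kind!r}")
            if m.id_token:
                id_token[m.claim] = value
            if m.access_token:
                access_token[m.claim] = value
    # Realm roles go into the access token only (the realm_access claim seen in
    # the talk) and are limited to the roles this client is allowed to use.
    access_token["realm_access"] = {
        "roles": sorted(user.effective_roles() & client.allowed_roles)}
    return {"id_token": id_token, "access_token": access_token}


def demo(allowed_roles=frozenset({"user"})) -> dict:
    """Replays the talk's setup; `allowed_roles` is the client's role scope."""
    avatar_scope = ClientScope("avatar-url", [
        Mapper("user-attribute", "avatar_url", source="avatar_url",
               id_token=True, access_token=False)])
    my_scope = ClientScope("my-scope", [
        Mapper("group-membership", "group"),
        Mapper("user-attribute", "user_type", source="user_type")])
    my_group = Group("my-group", {"user_type": "regular user"}, {"user"})
    stian = User("stian", "stian@example.invalid", True,   # constructed sample user
                 attributes={"avatar_url": "https://example.invalid/keycloak-logo.png"},
                 roles={"admin"}, groups=[my_group])
    js_console = Client("js-console", [avatar_scope, my_scope], set(allowed_roles))
    return build_tokens(stian, js_console)
```

Running demo() reproduces what the talk shows: avatar_url is present in the ID token and absent from the access token, the group claim and the inherited user_type appear, and although the user holds admin directly, realm_access only lists user until the client is also allowed the admin role (demo({"user", "admin"})).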
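The talk also walks through the three dot-separated base64url segments of a token, the kid header field, adding a higher-priority key so that newly refreshed tokens are signed by it, and marking a key passive so it verifies but no longer signs. The block below is an added example, not code from the talk or from Keycloak: a minimal model of that key handling in Python with hypothetical names (Realm, RealmKey, verify, rotation_walkthrough). It uses HS256 (an HMAC over a shared secret) so that it runs on the standard library alone, whereas the talk's tokens are RS256/ES256 signed; the header layout, the kid lookup and the active/passive logic do not depend on the algorithm.

```python
"""Added example (not from the talk or the Keycloak project): key priority,
the kid header, and passive keys. HS256 stands in for RS256/ES256 so this
needs only the standard library. All names are hypothetical."""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding of each JWT segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


@dataclass
class RealmKey:
    kid: str
    secret: bytes
    priority: int
    active: bool = True   # active keys sign; passive keys only verify
    enabled: bool = True  # a disabled key is withdrawn entirely


@dataclass
class Realm:
    keys: list = field(default_factory=list)

    def add_key(self, kid: str, priority: int) -> RealmKey:
        key = RealmKey(kid, secrets.token_bytes(32), priority)
        self.keys.append(key)
        return key

    def signing_key(self) -> RealmKey:
        """Highest-priority key that is both enabled and active."""
        return max((k for k in self.keys if k.enabled and k.active),
                   key=lambda k: k.priority)

    def sign(self, claims: dict) -> str:
        key = self.signing_key()
        header = {"alg": "HS256", "typ": "JWT", "kid": key.kid}
        signing_input = b64url(compact_json(header)) + "." + b64url(compact_json(claims))
        sig = hmac.new(key.secret, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def published_keys(self) -> dict:
        """What a verifier fetches (like a JWKS document): every enabled key,
        passive ones included, so tokens signed before rotation still verify."""
        return {k.kid: k.secret for k in self.keys if k.enabled}


def header_kid(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[0]))["kid"]


def verify(token: str, published: dict) -> dict:
    """Return the claims if the signature checks out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated parts")
    head, payload, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":   # the verifier, not the token, fixes the algorithm
        raise ValueError("unexpected alg")
    secret = published.get(header.get("kid"))
    if secret is None:
        raise ValueError("signed with a key this realm no longer publishes")
    expected = hmac.new(secret, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature does not match")
    return json.loads(b64url_decode(payload))


def is_valid(token: str, published: dict) -> bool:
    try:
        verify(token, published)
        return True
    except ValueError:
        return False


def rotation_walkthrough() -> dict:
    """Replays the talk's sequence and reports which kid signed each token."""
    realm = Realm()
    realm.add_key("original", priority=100)
    t_before = realm.sign({"sub": "stian", "realm_access": {"roles": ["user"]}})
    my_key_2 = realm.add_key("my-key-2", priority=200)   # higher priority wins
    t_after = realm.sign({"sub": "stian"})
    my_key_2.active = False   # passive: t_after still verifies, new tokens use "original"
    t_passive = realm.sign({"sub": "stian"})
    published = realm.published_keys()
    all_valid = all(is_valid(t, published) for t in (t_before, t_after, t_passive))
    my_key_2.enabled = False  # withdrawn: anything it signed stops verifying
    return {"kids": [header_kid(t) for t in (t_before, t_after, t_passive)],
            "all_valid_while_published": all_valid,
            "valid_after_withdrawal": is_valid(t_after, realm.published_keys()),
            "claims": verify(t_before, realm.published_keys())}
```

The verifier checks the algorithm it expects before looking at kid, so a token cannot steer the check toward a different algorithm, and a kid that is no longer published fails closed rather than falling back to some default key; both are the properties that make the seamless rotation in the talk safe.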
Info
Channel: Stian Thorgersen
Views: 64,814
Rating: 4.9609547 out of 5
Id: duawSV69LDI
Length: 32min 11sec (1931 seconds)
Published: Thu Apr 02 2020