Keycloak: realms, clients, passwords policies, and MFA

Captions
Hello everybody, hola todos, cześć wszystkim. In this video about Keycloak I'm going to show you how to set up and customize password policies, enforce MFA, and how to test your application. I will also show you how to validate JSON Web Tokens, because obviously you should not trust every JSON Web Token that your application receives. In case you don't have Keycloak running, please check out my previous video, which shows how to set up Keycloak on Kubernetes.

Keycloak is great for SaaS products, cloud-based SaaS products. It fits really nicely into a multi-tenant architecture: you can create a new realm for every customer or for every tenant. This way you have full control and full flexibility over customers' requirements. For example, some may be very rigorous in password change frequency, special characters, different lengths of password history; some can have MFA optional, but for some MFA is a must. This all can be customized per customer, per tenant, or, as Keycloak calls this, per realm. So let's see how to do this.

Before we do this we have to make one small change to the deployment which I showed you in the previous video. In this video we will use the keycloak.org app; that's a test application which was developed by Keycloak developers. It is an application that is delivered over HTTPS, so we need our application to be HTTPS as well, otherwise Chrome will block insecure HTTP requests. I already updated the instructions in the README file, so if you are setting this up for the first time, everything will work. If you already have the Keycloak ingress installed, you have to delete it and create a new one. So delete it. I already have this certificate created, I already have this secret created, so I'm just going to apply this new ingress. This new ingress, if you take a look at it, is pretty simple: I only added this TLS section here. It references the secret which I created in this step, and it adds hosts: fake. The host is intentionally different from this one here, otherwise Chrome would reject this HTTPS certificate; it will say that it was not validated by any CA. In case of a mismatch there will be an option for you to accept this certificate, so that's just a workaround for Chrome to accept this certificate. When you go to production the host and the hosts of course should match and should be your domain.

So let's see the application. I will be using the UI, but every action that I will do you can do using the Keycloak REST API. It is documented and available at keycloak.org. It is a JSON-based one and you have full information about how such requests should look. I'll also talk about this REST API in future videos: I will be showing you how to import and export tenants into and out of Keycloak, and I will also touch on the JSON REST API, because we can use some of the import/export functionality together with the REST API.

OK, I will log in to the console using the default credentials, which you should change. OK, so I already have a customer one realm created, but I will go ahead and create customer two. It will take, yeah, a few seconds. OK, so what we will do now: we don't have any users yet, so we will actually allow user registration. We want the email to be the username; this will also guarantee that the usernames will be unique. You cannot edit the username. Forgot password, why not; remember me, why not; verify email: if you are in production that should of course be set to on. I will leave the rest as default.

OK, and now let's talk about password policies. So let's go into the Authentication section. Here you have a bunch of settings; they are all very well documented. We can leave the flows as is; if you want to know a little bit more about the authentication flows, check out the documentation. The defaults are OK for us. So, password policies: as I said, you can have a different password policy for every one of your customers, that's a pretty powerful feature. So say we want, of course, special characters, but for this tenant we want to have two. We want, of course, at least one uppercase and one lowercase, digits, password length of eight; yeah, eight can be fine. Not recently used, so password history: I will set it to ten. Not username, of course. Expire password, so we will be expiring passwords after 90 days. OK, password blacklist, regular expressions. Hashing algorithm: that's a really nice algorithm, it actually stretches your key, so even if you use a simple password, when you use this algorithm it will stretch the key and it will make it less vulnerable to brute-force attacks. You can also specify hashing iterations for this algorithm. I read somewhere that LastPass is using 100,000 iterations on their servers, so yeah, you can set it to a pretty high value. But still, our passwords will be quite strong given those requirements. I will hit save now.

OK, the last action that we have to do is to set up MFA. Here we have Configure OTP. It is enabled, meaning that users can do this, but we want to actually enforce this, so I will select the default action here. The last thing that we need to do is to register a new client. There's a bunch of clients out of the box, but I will create a new one for the Keycloak test application. So I'm going to copy this URL; we will call it "portal"; the root URL is the Keycloak application. OK, we'll leave the defaults as they are, we don't need them. I will copy this URL, I will sign out, and this is the customer two login portal. We don't have any users yet. We have forgot password, remember me, register: these are the features that we selected in Keycloak. So we are going to register. A password: I will make a mistake on purpose, so yeah, you can see that we set two special characters and we have to provide two special characters. OK, and we set MFA as a required step, so let me quickly take my mobile phone. I will add it, and here we are: we can do some management of our own account, but yeah, the most important one is that we already have this set up and we can use Keycloak to test our sample application.

OK, so let me... OK, and let's hit save. Now we can sign in to Keycloak. We are redirected to Keycloak; I will use the account that we just created, one-time code, OK. I have a breakpoint here, OK, and I can continue. So I logged in. The JSON token has information about my first name and last name, and I printed it in the application. I also printed the token in here; this is the raw token that the application exchanged, so I can copy it and verify it. I will use the jwt.io website; it is a pretty neat tool for debugging or troubleshooting and verifying your JSON Web Tokens. As I said, as we already know, JSON Web Tokens are an open industry standard method for representing claims securely between two parties, so let's check how securely this is done. So I will paste the raw token in here. As you can see the tokens are color coded: each token has three parts, and they are separated by a dot, and for convenience in here they are color coded. That is just a sample JSON Web Token which automatically appears on the website; I will paste our JSON Web Token so we can have some information about the token. In the header part of it: what type, what algorithm was used. Then we have the payload, which contains the information that Keycloak provided. It has some metadata in here; it also has some of the attributes about the user, and we can have different attributes per client. We created a client dedicated to the keycloak.org app; we can have different clients for different systems that can actually contain different attributes. The third part of the JSON Web Token is information about the signature. So how do we verify that this token was actually issued by our Keycloak server? So we can get the public key from here, that's the RSA key. We can get the public key; it is not a valid PEM format, that is why I will use the REST API with some bash commands to actually make it a valid PEM. So I will just call it. This is public information, because the public key can be read by anybody. This endpoint returns a JSON, so maybe yeah, it's a JSON; it contains a public key field which is just a string. We have to extract it from this JSON and fold it into lines of 40 characters, and then we have to prefix it with BEGIN PUBLIC KEY and end it with END PUBLIC KEY. This way we get a valid PEM representation of our key and we can paste it in here, and yeah, signature was verified. So we now know that this JSON Web Token was signed by a private key which is known only to our Keycloak server. If for example I change it: yeah, invalid signature. I should not trust this JSON Web Token because it for sure doesn't come from the owner of the private key which matches this public one.

So folks, that's all in this episode. In the next videos I will show you how to enable single sign-on, how to integrate Keycloak with GitHub, and some more, so stay tuned. If you like the video please hit the like button and subscribe to my channel. Thank you very much.
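The PEM-building and signature-check steps from the video, as an added shell example that is not the presenter's own script: it wraps the realm endpoint's bare "public_key" into a PEM, decodes the token's three segments, and verifies an RS256 signature with openssl, refusing the token when the payload has been altered. The realm JSON is a constructed stand-in (the realm name customer2 and the placeholder key are assumptions), the PEM is folded at 64 columns, the standard PEM line width, and a throw-away RSA key pair generated locally stands in for the realm's key so that it runs offline.

```shell
# Added example, not code from the video: build a PEM from the realm endpoint's
# "public_key" field, then check an RS256 JWT signature against it with openssl.
set -e
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
# Constructed stand-in for `curl https://<keycloak-host>/auth/realms/customer2`
# (only the field used here; the key value is a placeholder, not a real key).
REALM_JSON='{"realm":"customer2","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAPLACEHOLDERNOTAREALKEYPLACEHOLDERNOTAREALKEYPLACEHOLDERNOTAREALKEYPLACEHOLDERNOTAREALKEY"}'

# Pull the key out with sed (no jq needed), fold at 64 columns (the PEM line
# width) and add the BEGIN/END markers, as the video does with bash.
pem_from_realm_json() {
    printf '%s\n' "$1" | sed -n 's/.*"public_key" *: *"\([^"]*\)".*/\1/p' | fold -w 64 |
        { printf '%s\n' '-----BEGIN PUBLIC KEY-----'; cat; printf '%s\n' '-----END PUBLIC KEY-----'; }
}

# JWT segments are unpadded base64url: map the alphabet back and re-pad.
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base64 -d
}
b64url_encode() { base64 | tr -d '\n=' | tr '/+' '_-'; }
# $1 = token, $2 = segment number (1 header, 2 payload, 3 signature), decoded.
jwt_segment() { b64url_decode "$(printf '%s' "$1" | cut -d. -f"$2")"; }

# Reject anything not claiming RS256, then verify the RSASSA-PKCS1-v1_5/SHA-256
# signature over "header.payload" with the PEM public key in file $2.
jwt_verify_rs256() {
    case $(jwt_segment "$1" 1) in *'"alg":"RS256"'*) ;; *) return 1 ;; esac
    jwt_segment "$1" 3 > "$TMP/sig.bin"
    printf '%s' "$1" | cut -d. -f1,2 | tr -d '\n' |
        openssl dgst -sha256 -verify "$2" -signature "$TMP/sig.bin" >/dev/null 2>&1
}

# Demo signer with a throw-away key; in real life only the Keycloak server
# holds the realm's private key. $1 = private key PEM file, $2 = payload JSON.
make_signed_jwt() {
    h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
    p=$(printf '%s' "$2" | b64url_encode)
    s=$(printf '%s' "$h.$p" | openssl dgst -sha256 -sign "$1" | b64url_encode)
    printf '%s.%s.%s' "$h" "$p" "$s"
}

pem_from_realm_json "$REALM_JSON"
DEMO_JWT=; if command -v openssl >/dev/null 2>&1; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$TMP/key.pem" 2>/dev/null
    openssl pkey -in "$TMP/key.pem" -pubout -out "$TMP/pub.pem"
    DEMO_JWT=$(make_signed_jwt "$TMP/key.pem" '{"iss":"https://keycloak.example/auth/realms/customer2","exp":1608640000}')
    jwt_verify_rs256 "$DEMO_JWT" "$TMP/pub.pem" && echo "signature verified"
fi
```

Against a real realm, replace REALM_JSON with the output of the curl call in the comment and pass the token your application received; a verified signature only proves who issued the token, so an application still has to check iss, exp and the audience claims for itself.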
Info
Channel: Łukasz Budnik
Views: 2,481
Rating: 5 out of 5
Keywords: keycloak, kubernetes, mfa, password policies, identity management, access management, microservices
Id: XUvaMgTdwy0
Length: 17min 31sec (1051 seconds)
Published: Tue Dec 22 2020