OAuth 2.0 and OpenId Connect
Seu SlideShare está sendo baixado.
×
![mtail
counter keycloak_events by type, realm
/"message":"type=(?P<type>[^,]+),
realmId=(?P<realm>[^,]+),/ {
keycloak_event...](https://image.slidesharecdn.com/osdc2019b-190515203809/75/single-sign-on-with-keycloak-36-2048.jpg?cb=1666660918)
![Public OIDC providers
Belgium: FAS (federal authentication service)
[+ itsme (private)]
France Connect](https://image.slidesharecdn.com/osdc2019b-190515203809/75/single-sign-on-with-keycloak-44-2048.jpg?cb=1666660918)
Confira estes a seguir
Mais Conteúdo rRelacionado
Diapositivos para si (20)
Semelhante a SIngle Sign On with Keycloak (20)
Mais de Julien Pivotto (20)
Mais recentes (20)
SIngle Sign On with Keycloak
- 1. Single Sign On with Keycloak Julien Pivotto (@roidelapluie) OSDC 2019 May 14th, 2019
- 2. @roidelapluie I like Open Source I like monitoring I like automation ... and all of that is my daily job at inuits
- 3. inuits
- 4. Creative Commons Attribution 2.0 https://www.flickr.com/photos/30478819@N08/41858933990
- 5. Passwords for work (reality) 1 password for the "big company mail" 1 password for the "local service" 1 password to log in at customer 3 passwords to legacy service X Y and Z
- 6. Where passwords stay LDAP / AD database Plain text file Database (hashed/salted?) All kind of password managers
- 7. Where passwords go End applications often know the password Basic auth + http between frontend and backend LDAP app: bind with your user
- 8. Why passwords Simple Legacy ?
- 9. Is there anything else? PKI 2FA Federation/SSO
- 10. Meanwhile... Creative Commons Attribution 2.0 https://www.flickr.com/photos/ednawinti/25718417460/
- 11. Modern Security requirements (thanks GDPR) Log all the access Principle of least privilege Revoking access 2FA
- 12. Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/doctorow/15507274056
- 13. IAM (simplified) Identity: who am I Access: what can I do For people, machines, apps...
- 14. OpenID Connect Standard for authentication and authorization Based around signed tokens Adopted by major actors (public & private)
- 15. Access token / Refresh token Access token grants access to ressources Refresh token allows user to renew the access token
- 16. What are claims? Who you are What you can do (groups, roles, ...) No need to register in the your app first!
- 17. How is that "more" secure? Password goes to a single app (idp) Only claims get out of the idp End application does not have your password Token has short expiry Keycloak allows easy audit and centralize advanced auth mechanism
- 18. Well known https://accounts.google.com/.well- known/openid-configuration https://gitlab.com/.well-known/openid- configuration
- 19. A Red Hat Open Source project Identity and Access management OpenID Connect support (but also saml 2.0)
- 20. What is Keycloak really A java app A Wildfly application server (comes as a single package - batteries included!)
- 21. Terminology Realm: set of users, roles, clients, and groups Client: a client application that will use keycloak to authenticate users idp: Identity Provider
- 22. Keycloak Gatekeeper Not all applications support OpenID connect Gatekeeper is a OIDC compatible reverse proxy
- 23. Identity Providers Login with external sources (github, google, gitlab, $COMPANY...) Get claims back from them
- 24. User federation Connect Keycloak with LDAP, freeipa, kerberos...
- 25. Operations Creative Commons Zero https://www.flickr.com/photos/freestocks/25668265836
- 26. Configuration API kcadm.sh terraform provider
- 27. ./bin/kcadm.sh config credentials --server http://localhost:8080/auth --realm master --user admin
- 28. ./bin/kcadm.sh get users -r example
- 29. Data Default to H2 (file database) Pick something else for more availability
- 30. Audit Enable auditing in DB Log to file
- 31. <size-rotating-file-handler name="EVENTLOG" autoflush="true"> <formatter> <named-formatter name="json-formatter"/> </formatter> <file relative-to="jboss.server.log.dir" path="events.log"/> <rotate-size value="10M"/> <max-backup-index value="5"/> <append value="true"/> </size-rotating-file-handler>
- 32. <logger category="org.keycloak.events"> <level name="DEBUG"/> <handlers> <handler name="EVENTLOG"/> </handlers> </logger>
- 33. <formatter name="json-formatter"> <json-formatter/> </formatter>
- 34. <spi name="eventsListener"> <provider name="jboss-logging" enabled="true"> <properties> <property name="success-level" value="info"/> <property name="error-level" value="warn"/> </properties> </provider> </spi>
- 35. Monitoring Prometheus JMX exporter Mtail
- 36. mtail counter keycloak_events by type, realm /"message":"type=(?P<type>[^,]+), realmId=(?P<realm>[^,]+),/ { keycloak_events[$type][$realm]++ }
- 37. Going further Creative Commons Attribution 2.0 https://www.flickr.com/photos/janitors/15795816662/
- 38. Vault + Keycloak Issue short lived credentials for many backends Secured by Keycloak/OpenID Connect
- 39. Extra notes Creative Commons Attribution-ShareAlike 2.0 https://www.flickr.com/photos/grungepunk/13994397991
- 40. Apps are reponsible Validate the token Authorize, based on the claims
- 41. Keycloak is business critical You introduce a unique login point Think automation, DRP, backups, HA
- 42. The "master" realm is all Secure it Don't use master password! Don't reuse it
- 43. Open Source clients Keycloak gatekeeper mod_auth_openidc gitlab vault open distro for elasticsearch grafana (oauth)
- 44. Public OIDC providers Belgium: FAS (federal authentication service) [+ itsme (private)] France Connect
- 45. Open Source alternatives Gitlab Dex - https://github.com/dexidp/dex
- 46. Conclusion Single Sign On makes everyones life easier OpenID Connect is widespread Keycloak is batteries-included (OIDC/SAML)
- 47. Julien Pivotto roidelapluie roidelapluie@inuits.eu Inuits https://inuits.eu info@inuits.eu Contact
