Keycloak

What is Keycloak

  • Authentication and authorization provider for:
    • Browser applications
    • REST applications
    • JavaScript applications
    • Mobile applications
  • SSO Provider

  • Single-Sign-Out Provider

Identity management

  • Realms, Applications, Roles, Users
  • Support for RDBMS or Mongo as storage for Identity data

Federation SPI

  • Used to plug your own mechanism for storing users
  • Possibility to sync users from your federation storage to Keycloak DB
  • LDAP integration is done through Federation SPI

Optional features

  • User registration
  • Reset passwords (both admin and user can do it)
  • Forgot my password
  • Password policies
  • TOTP support - allows two-step authentication

Account management

  • User can:
    • edit his claims (email, firstName, lastName, ...)
    • change his password
    • add/remove/update his TOTP settings
    • see and log out his current sessions

Admin console

  • Create/update/remove realms, applications, users, roles
  • Configuration
  • Log out a user, an application or a whole realm
  • Revocation policies
  • Many other things...

Admin console

  • AngularJS-based application secured by Keycloak itself
  • Invokes admin REST endpoints to manage things

Themes support

  • Possibility to customize:
    • login screen
    • account management
    • admin console
    • emails

Social integration

  • Login with:
    • Facebook
    • Google
    • Twitter
    • GitHub

Protocols

  • OAuth2, OpenID Connect
  • SAML
  • JWT/JWS for tokens

Keycloak model

Realm

  • Container for applications, roles and users
  • Users are shared within a single realm, but not across realms
  • SSO and Single-Sign-Out are provided to applications within a single realm
  • Social login, user registration, themes, timeouts etc. are configurable per realm

Application

  • Abstraction for storing metadata about your application on the Keycloak side
  • Redirect URIs - List of allowed URIs to which Keycloak may redirect from its login screen
  • Web origins - List of allowed origins for CORS support
  • Application types
    • Confidential
    • Public
    • Bearer-only

OAuth client

  • Special kind of application with less permissions
  • Not intended to be used for authentication. Just to retrieve tokens to obtain some data from a 3rd-party application
  • Users need to grant permissions (confirm roles for their access token, similarly to what Facebook and Google do)

Roles

  • Either realm roles (global) or application roles (per-app)
  • Composite roles (containers for other roles)

Users

  • Claims
  • Credentials
  • Role mappings
  • Social links
  • Federation link

User session

  • Represents a single browser session
  • Links to all apps where the user is logged in
  • Updated during each login/logout/token refresh
  • Usually saved in memory or in Infinispan (in a cluster environment)

Tokens

  • 3 tokens are sent by Keycloak after successful authentication
  • Each token is a Base64-encoded string with JSON data inside
  • Signed with realm private key

ID token

  • JWT with info about the user

Access token

  • JWT with info about user roles and the app where the user authenticated
  • JSON data encoded with Base64
  • Signed with realm private key
  • Short-lived (1-5 minutes)
  • Can be used as a bearer token to authenticate from a browser application to a REST application
  • REST application can verify the signature with the realm public key. No need to talk to Keycloak

Refresh token

  • Used to 'refresh' previously issued access token
  • Once the access token expires, the application sends a "refresh" request to the KC server and retrieves a new set of tokens

How to secure my app with Keycloak

  • Configure the application in Keycloak
  • Add keycloak.json configuration file to your app.
  • Use KEYCLOAK as auth-method (for servlet applications)

Demo