book

Keycloak - Identity and Access Management for Modern Applications

by Stian Thorgersen, Pedro Igor Silva

June 2021

Beginner to intermediate

362 pages

7h 52m

English

Packt Publishing

Read now

Unlock full access

ContributorsAbout the authorsAbout the reviewers
Who this book is forWhat this book coversTo get the most out of this bookDownload the example code filesCode in ActionDownload the color imagesConventions usedGet in touchReviews
Technical requirements Introducing KeycloakInstalling and running KeycloakRunning Keycloak on DockerInstalling and running Keycloak with OpenJDKDiscovering the Keycloak admin and account consolesGetting started with the Keycloak admin consoleGetting started with the Keycloak account consoleSummaryQuestions
Technical requirementsUnderstanding the sample applicationRunning the applicationUnderstanding how to log in to the applicationSecurely invoking the backend REST APISummaryQuestions
Authorizing application access with OAuth 2.0Authenticating users with OpenID ConnectLeveraging JWT for tokensUnderstanding why SAML 2.0 is still relevantSummaryQuestions
Technical requirementsRunning the OpenID Connect playgroundUnderstanding the Discovery endpointAuthenticating a userUnderstanding the ID tokenUpdating the user profileAdding a custom propertyAdding roles to the ID tokenInvoking the UserInfo endpointDealing with users logging outInitiating the logoutLeveraging ID and access token expirationLeveraging OIDC Session ManagementLeveraging OIDC Back-Channel LogoutA note on OIDC Front-Channel LogoutHow should you deal with logout?SummaryQuestionsFurther reading
Technical requirementsRunning the OAuth 2.0 playgroundObtaining an access tokenRequiring user consentLimiting the access granted to access tokensUsing the audience to limit token accessUsing roles to limit token accessUsing the scope to limit token accessValidating access tokensSummaryQuestionsFurther reading
Technical requirementsUnderstanding internal and external applicationsSecuring web applicationsSecuring server-side web applicationsSecuring a SPA with a dedicated REST APISecuring a SPA with an intermediary REST APISecuring a SPA with an external REST APISecuring native and mobile applicationsSecuring REST APIs and servicesSummaryQuestionsFurther reading

Technical requirements Choosing an integration architectureChoosing an integration optionIntegrating with Golang applicationsConfiguring a Golang clientIntegrating with Java applicationsUsing QuarkusUsing Spring BootUsing Keycloak adaptersIntegrating with JavaScript applicationsIntegrating with Node.js applicationsCreating a Node.js resource serverIntegrating with Python applicationsCreating a Python clientCreating a Python resource serverUsing a reverse proxyTry not to implement your own integrationSummaryQuestionsFurther reading
Understanding authorizationUsing RBACUsing GBACMapping group membership into tokensUsing OAuth2 scopesUsing ABACUsing Keycloak as a centralized authorization serverSummaryQuestionsFurther reading
Technical requirementsSetting the hostname for KeycloakSetting the frontend URLSetting the backend URLSetting the admin URLEnabling TLSConfiguring a databaseEnabling clusteringConfiguring a reverse proxyDistributing the load across nodesForwarding client informationKeeping session affinityTesting your environmentTesting load balancing and failoverTesting the frontend and backchannel URLsSummaryQuestionsFurther reading
Technical requirementsManaging local usersCreating a local userManaging user credentialsObtaining and validating user informationEnabling self-registrationManaging user attributesIntegrating with LDAP and Active DirectoryUnderstanding LDAP mappersSynchronizing groupsSynchronizing rolesIntegrating with third-party identity providersCreating a OpenID Connect identity providerIntegrating with social identity providersAllowing users to manage their dataSummaryQuestionsFurther reading
Technical requirementsUnderstanding authentication flowsConfiguring an authentication flowUsing passwordsChanging password policiesResetting user passwordsUsing OTPsChanging OTP policiesAllowing users to choose whether they want to use OTPForcing users to authenticate using OTPUsing Web Authentication (WebAuthn)Enabling WebAuthn for an authentication flowRegistering a security device and authenticatingUsing strong authenticationSummaryQuestionsFurther reading
Technical requirementsManaging sessionsManaging session lifetimesManaging active sessionsExpiring user sessions prematurelyUnderstanding cookies and their relation to sessionsManaging tokensManaging ID tokens' and access tokens' lifetimesManaging refresh tokens' lifetimesEnabling refreshing token rotationRevoking tokensSummaryQuestionsFurther reading
Technical requirementsUnderstanding Service Provider InterfacesPackaging a custom providerInstalling a custom providerUnderstanding the KeycloakSessionFactory and KeycloakSession componentsUnderstanding the life cycle of a providerConfiguring providersChanging the look and feelUnderstanding themesCreating and deploying a new themeExtending templatesExtending theme-related SPIsCustomizing authentication flowsLooking at other customization pointsSummaryQuestionsFurther reading
Securing KeycloakEncrypting communication to KeycloakConfiguring the Keycloak hostnameRotating the signing keys used by KeycloakRegularly updating KeycloakLoading secrets into Keycloak from an external vaultProtecting Keycloak with a firewall and an intrusion prevention systemSecuring the databaseProtecting the database with a firewallEnabling authentication and access control for the databaseEncrypting the databaseSecuring cluster communicationEnabling cluster authenticationEncrypting cluster communicationSecuring user accountsSecuring applicationsWeb application securityOAuth 2.0 and OpenID Connect best practiceKeycloak client configurationsSummaryQuestionsFurther reading
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7Chapter 8Chapter 9Chapter 10Chapter 11Chapter 12Chapter 13Chapter 14
Other Books You May EnjoyPackt is searching for authors like youLeave a review - let other readers know what you think

Content preview from Keycloak - Identity and Access Management for Modern Applications

Chapter 8: Authorization Strategies

In the previous chapter, you learned about the options for integrating with Keycloak using different programming languages, frameworks, and libraries. You learned how to obtain tokens from Keycloak and use these tokens to authenticate users.

This chapter will focus on the different authorization strategies you can choose from and how to leverage them to enable authorization to your applications using different access control mechanisms such as role-based access control (RBAC), group-based access control (GBAC), OAuth2 scopes, and attribute-based access control (ABAC), as well as learning how to leverage Keycloak as a centralized authorization server to externalize authorization from your applications. You ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Keycloak - Identity and Access Management for Modern Applications - Second Edition

Publisher Resources

ISBN: 9781800562493Supplemental Content

Keycloak - Identity and Access Management for Modern Applications

by Stian Thorgersen, Pedro Igor Silva

Chapter 8: Authorization Strategies

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like