Learn to leverage the advanced capabilities of Keycloak, an open-source identity and access management solution, to enable authentication and authorization in applications

Key Features

  • Get up to speed with Keycloak, OAuth 2.0, and OpenID Connect using practical examples
  • Configure, manage, and extend Keycloak for optimized security
  • Leverage Keycloak features to secure different application types

Book Description

Implementing authentication and authorization for applications can be a daunting experience, often leaving them exposed to security vulnerabilities. Keycloak is an open-source solution for identity management and access management for modern applications.

Keycloak - Identity and Access Management for Modern Applications is a comprehensive introduction to Keycloak, helping you get started with using it and securing your applications. Complete with hands-on tutorials, best practices, and self-assessment questions, this easy-to-follow guide will show you how to secure a sample application and then move on to securing different application types. As you progress, you will understand how to configure and manage Keycloak as well as how to leverage some of its more advanced capabilities. Finally, you'll gain insights into securely using Keycloak in production.

By the end of this book, you will have learned how to install and manage Keycloak as well as how to secure new and existing applications.

What you will learn

  • Understand how to install, configure, and manage Keycloak
  • Secure your new and existing applications with Keycloak
  • Gain a basic understanding of OAuth 2.0 and OpenID Connect
  • Understand how to configure Keycloak to make it ready for production use
  • Discover how to leverage additional features and how to customize Keycloak to fit your needs
  • Get to grips with securing Keycloak servers and protecting applications

Who this book is for

Developers, sysadmins, security engineers, or anyone who wants to leverage Keycloak and its capabilities for application security will find this book useful. Beginner-level knowledge of app development and authentication and authorization is expected.

Table of Contents

  1. Keycloak - Identity and Access Management for Modern Applications
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Code in Action
    6. Download the color images
    7. Conventions used
    8. Get in touch
    9. Reviews
  6. Section 1: Getting Started with Keycloak
  7. Chapter 1: Getting Started with Keycloak
    1. Technical requirements
    2. Introducing Keycloak
    3. Installing and running Keycloak
    4. Running Keycloak on Docker
    5. Installing and running Keycloak with OpenJDK
    6. Discovering the Keycloak admin and account consoles
    7. Getting started with the Keycloak admin console
    8. Getting started with the Keycloak account console
    9. Summary
    10. Questions
  8. Chapter 2: Securing Your First Application
    1. Technical requirements
    2. Understanding the sample application
    3. Running the application
    4. Understanding how to log in to the application
    5. Securely invoking the backend REST API
    6. Summary
    7. Questions
  9. Section 2: Securing Applications with Keycloak
  10. Chapter 3: Brief Introduction to Standards
    1. Authorizing application access with OAuth 2.0
    2. Authenticating users with OpenID Connect
    3. Leveraging JWT for tokens
    4. Understanding why SAML 2.0 is still relevant
    5. Summary
    6. Questions
  11. Chapter 4: Authenticating Users with OpenID Connect
    1. Technical requirements
    2. Running the OpenID Connect playground
    3. Understanding the Discovery endpoint
    4. Authenticating a user
    5. Understanding the ID token
    6. Updating the user profile
    7. Adding a custom property
    8. Adding roles to the ID token
    9. Invoking the UserInfo endpoint
    10. Dealing with users logging out
    11. Initiating the logout
    12. Leveraging ID and access token expiration
    13. Leveraging OIDC Session Management
    14. Leveraging OIDC Back-Channel Logout
    15. A note on OIDC Front-Channel Logout
    16. How should you deal with logout?
    17. Summary
    18. Questions
    19. Further reading
  12. Chapter 5: Authorizing Access with OAuth 2.0
    1. Technical requirements
    2. Running the OAuth 2.0 playground
    3. Obtaining an access token
    4. Requiring user consent
    5. Limiting the access granted to access tokens
    6. Using the audience to limit token access
    7. Using roles to limit token access
    8. Using the scope to limit token access
    9. Validating access tokens
    10. Summary
    11. Questions
    12. Further reading
  13. Chapter 6: Securing Different Application Types
    1. Technical requirements
    2. Understanding internal and external applications
    3. Securing web applications
    4. Securing server-side web applications
    5. Securing a SPA with a dedicated REST API
    6. Securing a SPA with an intermediary REST API
    7. Securing a SPA with an external REST API
    8. Securing native and mobile applications
    9. Securing REST APIs and services
    10. Summary
    11. Questions
    12. Further reading
  14. Chapter 7: Integrating Applications with Keycloak
    1. Technical requirements
    2. Choosing an integration architecture
    3. Choosing an integration option
    4. Integrating with Golang applications
    5. Configuring a Golang client
    6. Integrating with Java applications
    7. Using Quarkus
    8. Using Spring Boot
    9. Using Keycloak adapters
    10. Integrating with JavaScript applications
    11. Integrating with Node.js applications
    12. Creating a Node.js resource server
    13. Integrating with Python applications
    14. Creating a Python client
    15. Creating a Python resource server
    16. Using a reverse proxy
    17. Try not to implement your own integration
    18. Summary
    19. Questions
    20. Further reading
  15. Chapter 8: Authorization Strategies
    1. Understanding authorization
    2. Using RBAC
    3. Using GBAC
    4. Mapping group membership into tokens
    5. Using OAuth2 scopes
    6. Using ABAC
    7. Using Keycloak as a centralized authorization server
    8. Summary
    9. Questions
    10. Further reading
  16. Section 3: Configuring and Managing Keycloak
  17. Chapter 9: Configuring Keycloak for Production
    1. Technical requirements
    2. Setting the hostname for Keycloak
    3. Setting the frontend URL
    4. Setting the backend URL
    5. Setting the admin URL
    6. Enabling TLS
    7. Configuring a database
    8. Enabling clustering
    9. Configuring a reverse proxy
    10. Distributing the load across nodes
    11. Forwarding client information
    12. Keeping session affinity
    13. Testing your environment
    14. Testing load balancing and failover
    15. Testing the frontend and backchannel URLs
    16. Summary
    17. Questions
    18. Further reading
  18. Chapter 10: Managing Users
    1. Technical requirements
    2. Managing local users
    3. Creating a local user
    4. Managing user credentials
    5. Obtaining and validating user information
    6. Enabling self-registration
    7. Managing user attributes
    8. Integrating with LDAP and Active Directory
    9. Understanding LDAP mappers
    10. Synchronizing groups
    11. Synchronizing roles
    12. Integrating with third-party identity providers
    13. Creating an OpenID Connect identity provider
    14. Integrating with social identity providers
    15. Allowing users to manage their data
    16. Summary
    17. Questions
    18. Further reading
  19. Chapter 11: Authenticating Users
    1. Technical requirements
    2. Understanding authentication flows
    3. Configuring an authentication flow
    4. Using passwords
    5. Changing password policies
    6. Resetting user passwords
    7. Using OTPs
    8. Changing OTP policies
    9. Allowing users to choose whether they want to use OTP
    10. Forcing users to authenticate using OTP
    11. Using Web Authentication (WebAuthn)
    12. Enabling WebAuthn for an authentication flow
    13. Registering a security device and authenticating
    14. Using strong authentication
    15. Summary
    16. Questions
    17. Further reading
  20. Chapter 12: Managing Tokens and Sessions
    1. Technical requirements
    2. Managing sessions
    3. Managing session lifetimes
    4. Managing active sessions
    5. Expiring user sessions prematurely
    6. Understanding cookies and their relation to sessions
    7. Managing tokens
    8. Managing ID tokens' and access tokens' lifetimes
    9. Managing refresh tokens' lifetimes
    10. Enabling refresh token rotation
    11. Revoking tokens
    12. Summary
    13. Questions
    14. Further reading
  21. Chapter 13: Extending Keycloak
    1. Technical requirements
    2. Understanding Service Provider Interfaces
    3. Packaging a custom provider
    4. Installing a custom provider
    5. Understanding the KeycloakSessionFactory and KeycloakSession components
    6. Understanding the life cycle of a provider
    7. Configuring providers
    8. Changing the look and feel
    9. Understanding themes
    10. Creating and deploying a new theme
    11. Extending templates
    12. Extending theme-related SPIs
    13. Customizing authentication flows
    14. Looking at other customization points
    15. Summary
    16. Questions
    17. Further reading
  22. Section 4: Security Considerations
  23. Chapter 14: Securing Keycloak and Applications
    1. Securing Keycloak
    2. Encrypting communication to Keycloak
    3. Configuring the Keycloak hostname
    4. Rotating the signing keys used by Keycloak
    5. Regularly updating Keycloak
    6. Loading secrets into Keycloak from an external vault
    7. Protecting Keycloak with a firewall and an intrusion prevention system
    8. Securing the database
    9. Protecting the database with a firewall
    10. Enabling authentication and access control for the database
    11. Encrypting the database
    12. Securing cluster communication
    13. Enabling cluster authentication
    14. Encrypting cluster communication
    15. Securing user accounts
    16. Securing applications
    17. Web application security
    18. OAuth 2.0 and OpenID Connect best practice
    19. Keycloak client configurations
    20. Summary
    21. Questions
    22. Further reading
  24. Assessments
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Why subscribe?
  25. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Leave a review - let other readers know what you think