Section 2: Securing Applications with Keycloak
by
Keycloak - Identity and Access Management for Modern Applications
- Keycloak - Identity and Access Management for Modern Applications
- Contributors
- About the authors
- About the reviewers
- Preface
- Section 1: Getting Started with Keycloak
- Chapter 1: Getting Started with Keycloak
- Technical requirements
- Introducing Keycloak
- Installing and running Keycloak
- Running Keycloak on Docker
- Installing and running Keycloak with OpenJDK
- Discovering the Keycloak admin and account consoles
- Getting started with the Keycloak admin console
- Getting started with the Keycloak account console
- Summary
- Questions
- Chapter 2: Securing Your First Application
- Section 2: Securing Applications with Keycloak
- Chapter 3: Brief Introduction to Standards
- Chapter 4: Authenticating Users with OpenID Connect
- Technical requirements
- Running the OpenID Connect playground
- Understanding the Discovery endpoint
- Authenticating a user
- Understanding the ID token
- Updating the user profile
- Adding a custom property
- Adding roles to the ID token
- Invoking the UserInfo endpoint
- Dealing with users logging out
- Initiating the logout
- Leveraging ID and access token expiration
- Leveraging OIDC Session Management
- Leveraging OIDC Back-Channel Logout
- A note on OIDC Front-Channel Logout
- How should you deal with logout?
- Summary
- Questions
- Further reading
- Chapter 5: Authorizing Access with OAuth 2.0
- Technical requirements
- Running the OAuth 2.0 playground
- Obtaining an access token
- Requiring user consent
- Limiting the access granted to access tokens
- Using the audience to limit token access
- Using roles to limit token access
- Using the scope to limit token access
- Validating access tokens
- Summary
- Questions
- Further reading
- Chapter 6: Securing Different Application Types
- Technical requirements
- Understanding internal and external applications
- Securing web applications
- Securing server-side web applications
- Securing a SPA with a dedicated REST API
- Securing a SPA with an intermediary REST API
- Securing a SPA with an external REST API
- Securing native and mobile applications
- Securing REST APIs and services
- Summary
- Questions
- Further reading
- Chapter 7: Integrating Applications with Keycloak
- Technical requirements
- Choosing an integration architecture
- Choosing an integration option
- Integrating with Golang applications
- Configuring a Golang client
- Integrating with Java applications
- Using Quarkus
- Using Spring Boot
- Using Keycloak adapters
- Integrating with JavaScript applications
- Integrating with Node.js applications
- Creating a Node.js resource server
- Integrating with Python applications
- Creating a Python client
- Creating a Python resource server
- Using a reverse proxy
- Try not to implement your own integration
- Summary
- Questions
- Further reading
- Chapter 8: Authorization Strategies
- Section 3: Configuring and Managing Keycloak
- Chapter 9: Configuring Keycloak for Production
- Technical requirements
- Setting the hostname for Keycloak
- Setting the frontend URL
- Setting the backend URL
- Setting the admin URL
- Enabling TLS
- Configuring a database
- Enabling clustering
- Configuring a reverse proxy
- Distributing the load across nodes
- Forwarding client information
- Keeping session affinity
- Testing your environment
- Testing load balancing and failover
- Testing the frontend and backchannel URLs
- Summary
- Questions
- Further reading
- Chapter 10: Managing Users
- Technical requirements
- Managing local users
- Creating a local user
- Managing user credentials
- Obtaining and validating user information
- Enabling self-registration
- Managing user attributes
- Integrating with LDAP and Active Directory
- Understanding LDAP mappers
- Synchronizing groups
- Synchronizing roles
- Integrating with third-party identity providers
- Creating a OpenID Connect identity provider
- Integrating with social identity providers
- Allowing users to manage their data
- Summary
- Questions
- Further reading
- Chapter 11: Authenticating Users
- Technical requirements
- Understanding authentication flows
- Configuring an authentication flow
- Using passwords
- Changing password policies
- Resetting user passwords
- Using OTPs
- Changing OTP policies
- Allowing users to choose whether they want to use OTP
- Forcing users to authenticate using OTP
- Using Web Authentication (WebAuthn)
- Enabling WebAuthn for an authentication flow
- Registering a security device and authenticating
- Using strong authentication
- Summary
- Questions
- Further reading
- Chapter 12: Managing Tokens and Sessions
- Technical requirements
- Managing sessions
- Managing session lifetimes
- Managing active sessions
- Expiring user sessions prematurely
- Understanding cookies and their relation to sessions
- Managing tokens
- Managing ID tokens' and access tokens' lifetimes
- Managing refresh tokens' lifetimes
- Enabling refreshing token rotation
- Revoking tokens
- Summary
- Questions
- Further reading
- Chapter 13: Extending Keycloak
- Technical requirements
- Understanding Service Provider Interfaces
- Packaging a custom provider
- Installing a custom provider
- Understanding the KeycloakSessionFactory and KeycloakSession components
- Understanding the life cycle of a provider
- Configuring providers
- Changing the look and feel
- Understanding themes
- Creating and deploying a new theme
- Extending templates
- Extending theme-related SPIs
- Customizing authentication flows
- Looking at other customization points
- Summary
- Questions
- Further reading
- Section 4: Security Considerations
- Chapter 14: Securing Keycloak and Applications
- Securing Keycloak
- Encrypting communication to Keycloak
- Configuring the Keycloak hostname
- Rotating the signing keys used by Keycloak
- Regularly updating Keycloak
- Loading secrets into Keycloak from an external vault
- Protecting Keycloak with a firewall and an intrusion prevention system
- Securing the database
- Protecting the database with a firewall
- Enabling authentication and access control for the database
- Encrypting the database
- Securing cluster communication
- Enabling cluster authentication
- Encrypting cluster communication
- Securing user accounts
- Securing applications
- Web application security
- OAuth 2.0 and OpenID Connect best practice
- Keycloak client configurations
- Summary
- Questions
- Further reading
- Assessments
- Other Books You May Enjoy
In this section, you will understand the options available in terms of how to secure different application types, including different strategies for authorization.
This section comprises the following chapters:
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.