Book Image

Keycloak - Identity and Access Management for Modern Applications

By : Stian Thorgersen, Pedro Igor Silva
Book Image

Keycloak - Identity and Access Management for Modern Applications

By: Stian Thorgersen, Pedro Igor Silva

Overview of this book

Implementing authentication and authorization for applications can be a daunting experience, often leaving them exposed to security vulnerabilities. Keycloak is an open-source solution for identity management and access management for modern applications, which can make a world of difference if you learn how to use it. Keycloak, helping you get started with using it and securing your applications. Complete with hands-on tutorials, best practices, and self-assessment questions, this easy-to-follow guide will show you how to secure a sample application and then move on to securing different application types. As you progress, you will understand how to configure and manage Keycloak as well as how to leverage some of its more advanced capabilities. Finally, you'll gain insights into securely using Keycloak in production. By the end of this book, you will have learned how to install and manage Keycloak as well as how to secure new and existing applications.
Table of Contents (21 chapters)
Section 1: Getting Started with Keycloak
Section 2: Securing Applications with Keycloak
Section 3: Configuring and Managing Keycloak
Section 4: Security Considerations

Using OTPs

As an additional layer of security, Keycloak allows you to use a second factor – or evidence – when authenticating users. In addition to providing a password – something users know – users are obligated to provide secondary evidence about their identity – something they have – which can be a code or a security key in their possession.

OTP is probably one of the most common ways to enable 2FA for user accounts. They are relatively easy to use and add an additional layer of security when you're authenticating users.

Although it's a useful method for 2FA, OTP has some disadvantages. It relies on a shared key between the server and users and does not provide the best usability for end users, while still open to common attacks such as phishing or scams. As we are going to see later, Keycloak helps you overcome these limitations by using a security device as a second factor using WebAuthn.


As we will see in the...