Book Image

Keycloak - Identity and Access Management for Modern Applications

By : Stian Thorgersen, Pedro Igor Silva
Book Image

Keycloak - Identity and Access Management for Modern Applications

By: Stian Thorgersen, Pedro Igor Silva

Overview of this book

Implementing authentication and authorization for applications can be a daunting experience, often leaving them exposed to security vulnerabilities. Keycloak is an open-source solution for identity management and access management for modern applications, which can make a world of difference if you learn how to use it. Keycloak, helping you get started with using it and securing your applications. Complete with hands-on tutorials, best practices, and self-assessment questions, this easy-to-follow guide will show you how to secure a sample application and then move on to securing different application types. As you progress, you will understand how to configure and manage Keycloak as well as how to leverage some of its more advanced capabilities. Finally, you'll gain insights into securely using Keycloak in production. By the end of this book, you will have learned how to install and manage Keycloak as well as how to secure new and existing applications.
Table of Contents (21 chapters)
Section 1: Getting Started with Keycloak
Section 2: Securing Applications with Keycloak
Section 3: Configuring and Managing Keycloak
Section 4: Security Considerations

Managing tokens

As you learned from the previous section, tokens are usually bound to sessions. Therefore, the token validity – not necessarily their lifetimes – depends on sessions.

Tokens have their own lifetime and how long they are considered valid depends on how they are validated. By leveraging JSON Web Token (JWT) as a format for tokens, Keycloak enables applications to validate and introspect tokens locally without any additional roundtrip to the server. However, this capability has a consequence where tokens, although within their lifetime, might not be valid anymore if their sessions have expired.

Without taking this into account, you might end up in a situation where tokens are no longer valid but are still accepted by applications because they are within their lifetime, therefore increasing the attack surface if tokens are leaked. As you are going to learn from this chapter, you should always consider a clear strategy for token expiration and revocation...