Book Image

Keycloak - Identity and Access Management for Modern Applications

By : Stian Thorgersen, Pedro Igor Silva
Book Image

Keycloak - Identity and Access Management for Modern Applications

By: Stian Thorgersen, Pedro Igor Silva

Overview of this book

Implementing authentication and authorization for applications can be a daunting experience, often leaving them exposed to security vulnerabilities. Keycloak is an open-source solution for identity management and access management for modern applications, which can make a world of difference if you learn how to use it. Keycloak, helping you get started with using it and securing your applications. Complete with hands-on tutorials, best practices, and self-assessment questions, this easy-to-follow guide will show you how to secure a sample application and then move on to securing different application types. As you progress, you will understand how to configure and manage Keycloak as well as how to leverage some of its more advanced capabilities. Finally, you'll gain insights into securely using Keycloak in production. By the end of this book, you will have learned how to install and manage Keycloak as well as how to secure new and existing applications.
Table of Contents (21 chapters)
Section 1: Getting Started with Keycloak
Section 2: Securing Applications with Keycloak
Section 3: Configuring and Managing Keycloak
Section 4: Security Considerations

Chapter 8

  1. When you put data into tokens, they actually grow disproportionately in size. One option to help here is to include only the minimum information that your application needs, and for additional information, to use the token introspection endpoint. The drawback is that your application will need an additional request to Keycloak when serving requests.

    You should also consider disabling the Full Scope Allowed setting in your client settings, so that only information relevant to your client is included in tokens.

  2. Realm roles should be used to represent the user's role within an organization. These roles have the same semantics regardless of the clients created in a realm.
  3. On the other hand, the semantics for a client role are specific to the client they belong to.
  4. In this chapter, we created a realm role and a client role using the same name: manager. While the realm role could represent users with the role of manager in an organization, the manager client...